PCI Compliance

How the Right Payment Token Service Provider Can Help You Reduce Your PCI Scope

February 17, 2026

For most merchants, PCI compliance is a considerable burden. Any place they store, process, or transmit their customers’ credit card data is considered “in scope” for an annual audit. Each in-scope component increases the number of controls they’re responsible for validating – in some cases, leading to a 300+ question self-assessment questionnaire every single year.  

The right tokenization service provider, however, can reduce the number of places sensitive data touches a merchant’s environment. This reduces both risk and compliance effort without sacrificing security. 

Tokenization replaces a card number with a non-sensitive stand-in value that has no usable meaning if it were to fall into the wrong hands. The actual card data is securely stored in a PCI-compliant environment, while the merchant’s systems only interact with the token. Because tokens are not cardholder data, the systems that store or process them typically fall out of PCI scope. This can significantly reduce the number of controls the merchant needs to maintain and validate.

That said, choosing the right payment token service vendor matters. Not all tokenization solutions are created equal; the wrong choice can counterproductively limit the scope reduction benefits.  

Your First Non-Negotiable: Active PCI Certification 

When evaluating a payment token service provider, start with active PCI certification. This demonstrates that the provider meets the full set of requirements for operating a compliant tokenization data environment. This includes: 

  • Maintaining appropriate firewall configurations 
  • Enforcing data retention and disposal policies 
  • Internally masking sensitive values so staff can’t accidentally access them 
  • Maintaining detailed audit logs for all access and activity 

When a tokenization provider has gone through the process of having their PCI controls validated by a third-party auditor, customers can rely on those efforts to reduce their own.  

Equally Important: Hands-On Implementation Support 

Hands-on implementation support is just as critical. Tokenization alone doesn’t automatically reduce PCI scope; it’s how the tokenization solution is implemented that makes the difference.  

Ideally, the vendor will work closely with the merchant’s own in-house security team to design an architecture that aligns with PCI requirements and operational realities.  While a Qualified Security Assessor (QSA) is the only authority that can ultimately deem an implementation compliant or non-compliant, the token service provider should help ensure there are no surprises when assessment time comes. 

Token Flexibility  

As with any vendor selection process, future flexibility is another important consideration. Merchants should be able to take their tokens with them if processes or vendors change – otherwise, they risk losing years of transaction history and being forced to start from scratch.  

Deep Understanding of Your Technical Environment 

Payment processing doesn’t exist in a bubble; successfully implementing a tokenization solution involves seamless integration with the rest of a merchant’s infrastructure. For example, if the merchant stores tokens directly on an IBM i or calls them from programs running natively on it, a vendor who can walk them through the corresponding data flows on that platform helps ensure a clean, low-friction implementation.

Reducing Your PCI Scope with Curbstone as Your Tokenization Service Provider 

As a leading tokenization service provider for merchants on the IBM i, Curbstone has helped hundreds of companies implement payment tokens in a way that meaningfully reduces their PCI scope. To start exploring secure, PCI-compliant payment processing options for your business, contact us today. 
