Explore tokenization in payment processing for PCI-DSS Compliance, key steps, costs, benefits, and examples of token providers.
Looking at Tokens in payment processing online
Geoffrey Simpson
Tokenization: New Customer (diagram, from Dr. Moore's slides)
Parties: Browser, Merchant, Token Vault, Issuer. The PAN is held encrypted at the Token Vault ({PAN}Kvault) and at the Issuer ({PAN}Kissuer).
1. Browser sends PAN, CVV, exp, amt to the Merchant (PAN sent)
2. Merchant requests a token from the Token Vault, sending PAN, CVV, exp
3. Token Vault sends the token TPAN to the Merchant
4. Merchant sends TPAN and amount to the Issuer (PAN not sent)
5. Issuer sends TPAN to the Token Vault to request the matching PAN
6. Token Vault sends the PAN to the Issuer
7. Issuer returns the authorization

Tokenization: New Customer (same diagram)
This puts the Merchant IN SCOPE for PCI-DSS Compliance!
What do you need to do for PCI-DSS Compliance?
• Build and Maintain a Secure Network
  • Install and maintain a firewall configuration to protect cardholder data
  • Do not use vendor-supplied defaults for system passwords and other security parameters
  • All systems that transmit cardholder information are in scope for PCI-DSS
• Protect Cardholder Data
  • Protect stored cardholder data
  • Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
  • Use and regularly deploy anti-virus software or programs
  • Develop and maintain secure systems and applications
What do you need to do for PCI-DSS Compliance? (continued)
• Implement Strong Access Control Measures
  • Restrict access to cardholder data by business need-to-know
  • Assign a unique ID to each person with computer access
  • Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
  • Track and monitor all access to network resources and cardholder data
  • Regularly test security systems and processes
• Maintain an Information Security Policy
  • Maintain a policy that addresses information security for employees and contractors
Does this sound easy?
• How much does it cost to be PCI-DSS compliant?
  • For the smallest implementation, estimates start at $10,000 per year
  • Fines are per month, so non-compliance can be costly
• The cost of being PCI-DSS compliant can be restrictive for smaller companies.
• Someone has to be PCI-DSS compliant, which is good.
• If you have a web, mobile, or desktop application that accepts payments, is it possible to stay out of scope for PCI compliance?
Tokenization to the rescue!
• Payment processors have created APIs that allow credit card information to be posted directly to their PCI-DSS compliant servers.
• All data is encrypted, and payment data only goes between the user (Browser) and the PCI-DSS compliant payment processor.
• Once the data is posted to their servers and validated, they generate a token and send it back to the form.
Merchant is NOT in scope for PCI-DSS Compliance!
Now you can get paid (Without having to be PCI-DSS Compliant)! • Dollar dollar bills y’all.
Stripe started this, but they aren't the only game in town.
• PayPal Payments Advanced
  • Token-based API instead of having to go to the PayPal website
• Authorize.net
• Square
• And many more…
• https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement