Skip to main content

Tokenized Encryption Helps Merchants Tackle Security Challenges

As threats to data security proliferate, the actions taken by the governing bodies are evolving. The governing authority for credit card data is the Payment Card Industry (PCI) Security Standards Council (SSC), which was built by the card brands: Visa, MC, Discover, American Express and JCB. The PCI provides the best practices security standards for all businesses touching credit card data.

If your business accept cards, you signed a merchant agreement to create an account with a bank or acquirer who works with you to get you paid. Your acquirer is exclusively responsible for your compliance with the PCI security mandates (—a responsibility bestowed upon them by the credit card brands.

New Standards Improve Security

As of Jan. 31, 2017, all merchants that accept credit cards, regardless of size, are now required to submit the appropriate PCI Self-Assessment Questionnaire (SAQ) to their bank or acquirer (

Big merchants have always been required to submit an SAQ to prove their compliance with the 12 tenets of PCI DSS—now everyone must do so. That said, I’m willing to bet a plug nickel that your acquirer has yet to demand that you submit a formal SAQ.

Most of the merchants I work with report that they haven’t been requested to comply. How can that be? Your bank or acquirer was charged by the card brands with ensuring that your business is PCI compliant. But these entities aren’t security auditors; they’re bankers who handle money in motion. (There are exceptions such as TSYS, Solupay and Chase Merchant Services.)

When this lapse catches up to you—which you can bet your Visa card that it will happen—will you be prepared?

The first step is to review the seven different SAQs and determine which one applies to your organization: Don’t confuse these official audits with the incidental, summary forms most banks require. Also, just engaging an Authorized Scanning Vendor to perform a vulnerability and penetration scan of your internet connections is only one action required of all merchants. Getting a clean vulnerability scan doesn’t replace the new requirement for submitting an SAQ.

Remote Tokenization

With remote tokenization, an external entity handles and stores credit card data for you, and you use a token in its place. This allows you to flag a preauthorization for settlement when the goods or services are delivered, issue a credit to a card on file, charge a new sale to a previously used card, perform recurring billing and more—all without touching sensitive card data.

The challenge with some of these solutions is that you sacrifice integration to isolate card data. An ideal remote tokenization solution will incorporate seamless integration to your existing IBM i-based order entry for retail transactions, phone orders and e-commerce.

Retail transactions where the card is physically accepted must use the new Europay, Mastercard and Visa (EMV) chip and signature terminals, which are intrinsically isolated and employ P2PE-HW encryption. If your company uses IBM i-based software to drive terminals that are used for retail sales, you know that the sale data, amount, invoice number and merchant info is all on the IBM i app; ideally this data would be sent directly to the EMV card reader so it doesn’t have to be re-keyed. The challenge with using EMV terminals is integrating them with the IBM i application that’s driving the point of sale terminal.

Phone orders require that the data be keyed into something, which opens it up to being intercepted. Worse yet, any device, workstation, server, switch, router, IBM i, etc. that’s connected to the network is considered to be inside the Cardholder Data Environment and must be reported upon when completing your SAQ. This requires the SAQ D form—the longest and hardest of them all. If you can find a way to isolate the credit card data so that it’s not keyed into systems in your existing network, you can qualify for the SAQ C-VT. This SAQ comprises 45 relevant questions and it’s easy to complete.

Virtual Terminals

The challenge with the aforementioned solution is integrating this isolated system where the card data is keyed with the critical order and buyer data that’s on the IBM i. One remedy includes using inexpensive Android tablets and a dedicated, hardened Wi-Fi router. This provides for the entry of the card number, expiration date and security code. The key is to have the order info from the IBM i-based Order Entry mated to it for the actual authorization in real time.

Employing this isolated “virtual terminal” approach removes the rest of the computing infrastructure from the scope and jurisdiction of the PCI security mandates. The upshot to taking so much computing infrastructure out of the scope of PCI DSS is that it eliminates many penetration and interception points, and your business winds up much more secure.