Reducing PCI Scope With Omnichannel Tokens


Introduction

Twenty years ago, the idea of buying something online was almost inconceivable; today it's not just ubiquitous, it's quickly taking its place as the major competitor to the way we've shopped for generations: by physically visiting a store.

As their customers grow and repeat sales soar, many eCommerce merchants are finding that managing data security and meeting PCI compliance requirements are significant and growing burdens.

As one study notes, "COVID-19 has caused us to vault five years forward in consumer and business digital adoption in a matter of around eight weeks. Consumer behaviors and preferred interactions have changed significantly and the uptick in the use of digital services is here to stay. Seventy-five percent of people using digital channels for the first time indicate that they will continue to use them when things return to 'normal.'"

Every merchant who accepts credit and debit cards is required to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS), which aims to reduce payment card fraud by improving the security of cardholder data.

Of course, stay-at-home orders due to the COVID-19 outbreak have only increased the number of customers opting to shop online in card-not-present (CNP) situations. "Third quarter 2020, eCommerce sales increased 37 percent from the third quarter of 2019 while total retail sales increased 6.9 percent in the same period. eCommerce sales in the third quarter of 2020 accounted for 13 percent of total sales" per the U.S. Census Bureau of the Department of Commerce (DOC).

As online shopping has grown in popularity, so too has the ease of paying for goods and services electronically. Growing in popularity are voice-activated devices such as Amazon's Alexa and Google Home, which allow consumers to order and pay for goods simply by verbally requesting them. Products can also be ordered using smart watches, and consumers are able to purchase goods directly from the screens of their connected vehicles.

Fiserv Fact: Managing data security and meeting PCI compliance requirements are significant and growing burdens.

The best way to protect payment data at rest is through the use of tokenization. This technology replaces sensitive data, such as a cardholder's primary account number (PAN), with a token, an unrelated number that nevertheless retains many of the required properties of the original data. Tokens enable safer long-term storage of card data.

To more easily protect that data, "multi-pay" tokens give merchants the ability to utilize the token for subsequent card-on-file transactions. This makes multi-pay tokens an ideal solution for eCommerce merchants and service providers submitting recurring invoices.

Consumers are not just paying online; they're registering with their favorite stores, providing online retailers with personal information in addition to their preferred ways to pay.

In this White Paper, we'll explore the concept of multi-pay tokenization, its varied use cases in CNP and card-present (CP) situations, and the multiple ways in which multi-pay tokens benefit merchants in terms of security, compliance, liability, reduced costs, customer satisfaction and the ultimate ability to increase sales.

You may already be working with Fiserv, a leading provider of data protection technologies, or you may simply wish to learn more. In either case, in the following pages you'll learn how you can maximize your protection and grow your business by allowing Fiserv to do what we do best: serving your interests and needs.

Reducing PCI Scope With Multi-Pay Tokens

Tokenization is the process of replacing sensitive data with unrelated surrogate numbers; tokens are randomly generated and a PAN cannot be derived from the associated token. Multi-pay tokenization provides the ability to initiate financial transactions using the token in place of the PAN. The merchant submits a token that it has on file for a specific consumer's credit card to a processor that has vault access; the PAN is retrieved by the processor and the transaction completed.

Multi-pay tokens have increased in importance due to the rapid growth of eCommerce transactions. Today, it's the norm rather than the exception for consumers to return to their favorite websites, mobile apps or IoT devices again and again to make purchases. Having established an online account, consumers do not want to have to reenter payment information each time a transaction is made. At the same time, consumers expect that their data will be protected once stored on a business' eCommerce site.

Fiserv Fact: Due to the shift to digital payments, multi-pay tokens are growing in importance.

An important feature of multi-pay tokens is that they are unique not only to the particular PAN but also to that merchant; only the merchant can use the token to process subsequent transactions, making it highly resistant to theft. While the merchant's initial transaction with the consumer's payment card uses the real account data, all subsequent transactions (for example: to process refunds, credits and future purchases) with the same payment card use the token instead.

Multi-pay tokens are not limited to eCommerce or even CNP situations. As we'll explain later, they can be used by merchants that have a physical location and an online presence, a so-called "brick and click" model.

How a Multi-pay Token Is Used In Omnichannel Environments

Merchants seeking to grow repeat business encourage customers to store their payment card and profile information as a matter of convenience, in order to reduce checkout time on subsequent visits.

When multi-pay tokens are not used, the merchant assumes the responsibility for securely storing each customer's payment information for use in subsequent transactions. If the data is stolen or otherwise compromised, the merchant may be subject to expensive fines and other penalties.

Merchants who employ multi-pay tokens reduce those security risks and obligations. Under an eCommerce scenario, the first time a consumer makes a purchase on the merchant's website, the checkout process prompts the customer to provide his or her payment information, including the credit card account number. The merchant submits this and the other required transaction information, through a secure connection, to the processor for authorization. The processor returns a multi-pay token to the merchant, who stores it along with the customer's other profile information.

Figure: Tokenization and CNP (lanes: Consumer Environment, Merchant Environment, Fiserv Datacenter, Bank; components: Consumer, Merchant Data Center, Fiserv Switch, TransArmor Token Vault, Issuer, Transaction Log, Settlement, Data Warehouse, Anti-Fraud, Analytics)
1. Customer enters PAN and CVV
2. PAN is received by merchant and sent to processor
3. PAN is received by processor
4. PAN is passed to bank for authorization and then replaced with token
5. Authorization and token are returned to the merchant
6. Token is stored and used in place of the card number

Fiserv Fact: Using a token instead of PAN data in back-end business applications shrinks the merchant's cardholder data environment that is subject to PCI compliance.

Omnichannel merchants utilize a similar transaction flow for Card Present payments initiated across devices. As before, the payment information is gathered during checkout and sent to the processor. The processor returns a consistent multi-pay token which works across the merchant's environment.

Figure: Tokenization and CP (lanes: Merchant Environment, Fiserv Datacenter, Bank; components: Merchant, Fiserv Switch, TransArmor Token Vault, Issuer, Transaction Log, Settlement, Data Warehouse, Anti-Fraud, Analytics)
1. Consumer presents card to merchant
2. Card data is encrypted and transmitted to Fiserv front-end
3. Fiserv front-end decrypts the data payload
4. Card data is sent to issuing bank for authorization and, in parallel, tokenized
5. Token is paired with authorization response and sent back to the merchant
6. Merchant stores token instead of card data in their environment and uses token for all subsequent business processes
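Both flows end the same way: the merchant keeps a token and uses it for every later purchase, refund or credit. The following Python sketch is an illustration added to this transcription, not Fiserv or TransArmor code. It models the exchange end to end: a processor-side vault is the only component that ever holds a PAN, tokens are generated per merchant with the format properties this paper lists for TransArmor tokens (same length as the PAN, last four digits kept, not Luhn-valid, outside major-brand BIN ranges), and a token copied out of one merchant's environment resolves to nothing for another merchant. The class and function names, the issuer stand-in and the card numbers are assumptions made for the example.

```python
# Toy model of the multi-pay token exchange in the CNP and CP flows. Added
# illustration, not Fiserv or TransArmor code: the names, the issuer stand-in
# and the card numbers are assumptions; the token-format rules are the paper's.
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Mod-10 check that real PANs pass and generated tokens must fail."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def overlaps_major_bin(number: str) -> bool:
    """True if the leading digits fall in a Visa, Mastercard, Amex or Discover range."""
    return (number.startswith("4")                                             # Visa
            or number[:2] in ("34", "37")                                      # American Express
            or 51 <= int(number[:2]) <= 55 or 2221 <= int(number[:4]) <= 2720  # Mastercard
            or number.startswith(("6011", "65")) or 644 <= int(number[:3]) <= 649)  # Discover


def make_token(pan: str) -> str:
    """Random surrogate: same length as the PAN, same last four digits, not
    Luhn-valid, outside major-brand BIN ranges; the rest is random, so the
    PAN cannot be derived from it."""
    keep = pan[-4:]
    while True:
        body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
        candidate = body + keep
        if not luhn_valid(candidate) and not overlaps_major_bin(candidate):
            return candidate


def issuer_authorize(pan: str, amount_cents: int) -> bool:
    """Stand-in for the issuing bank (assumption): approves well-formed cards."""
    return luhn_valid(pan) and amount_cents > 0


class ProcessorVault:
    """Processor side: the only component that ever holds a PAN. Entries are
    keyed by (merchant_id, token), so a token copied out of one merchant's
    environment resolves to nothing for any other merchant."""

    def __init__(self) -> None:
        self._pan_by_token: dict[tuple[str, str], str] = {}
        self._token_by_pan: dict[tuple[str, str], str] = {}

    def _tokenize(self, merchant_id: str, pan: str) -> str:
        key = (merchant_id, pan)
        if key not in self._token_by_pan:              # one token per card, per merchant
            token = make_token(pan)
            while (merchant_id, token) in self._pan_by_token:
                token = make_token(pan)
            self._token_by_pan[key] = token
            self._pan_by_token[(merchant_id, token)] = pan
        return self._token_by_pan[key]

    def authorize_with_pan(self, merchant_id: str, pan: str, amount_cents: int) -> tuple[bool, str]:
        """First purchase (flow steps 2-5): authorize, tokenize, return both."""
        return issuer_authorize(pan, amount_cents), self._tokenize(merchant_id, pan)

    def authorize_with_token(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Card-on-file purchase or refund: the merchant sends only the token."""
        pan = self._pan_by_token.get((merchant_id, token))
        return pan is not None and issuer_authorize(pan, amount_cents)


@dataclass
class Merchant:
    """Merchant side: customer profiles hold the token only, never the PAN."""
    merchant_id: str
    processor: ProcessorVault
    profiles: dict[str, str] = field(default_factory=dict)

    def first_purchase(self, customer: str, pan: str, amount_cents: int) -> bool:
        approved, token = self.processor.authorize_with_pan(self.merchant_id, pan, amount_cents)
        self.profiles[customer] = token                # flow step 6: keep the token, drop the PAN
        return approved

    def repeat_purchase(self, customer: str, amount_cents: int) -> bool:
        return self.processor.authorize_with_token(self.merchant_id, self.profiles[customer], amount_cents)


def demo() -> dict:
    """One first purchase, one repeat purchase, one cross-merchant replay attempt."""
    processor = ProcessorVault()
    shop_a, shop_b = Merchant("shop-a", processor), Merchant("shop-b", processor)
    pan = "4111111111111111"                           # constructed Luhn-valid test number
    first = shop_a.first_purchase("alice", pan, 2599)
    token = shop_a.profiles["alice"]
    repeat = shop_a.repeat_purchase("alice", 999)
    replay = processor.authorize_with_token(shop_b.merchant_id, token, 999)  # declined
    return {"first": first, "repeat": repeat, "replay": replay, "token": token,
            "pan_in_merchant_store": pan in shop_a.profiles.values()}
```

Running `demo()` shows the property the paper relies on: after the first purchase the merchant's profile store contains only the token, later purchases succeed with the token alone, and the same token presented under another merchant's identity is declined because the vault key includes the merchant. The random body of the token carries no information about the PAN, which is the difference between tokenization and encryption that the paper draws in its feature list.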

Merchant Advantages of Multi-pay Tokens

There are several potential advantages to using multi-pay tokens; they include improved merchant security, reduced PCI scope, enhanced analytic capabilities and a simplified customer profile management process. In addition to their use in digital transactions, multi-pay tokens can also be used in omnichannel, "brick-and-click" situations.

Improved Security of Online Data

When non-sensitive tokens are used for payment transactions, there is less risk of criminals stealing data they could otherwise monetize.

For the merchant, a breach can incur a hefty fine, as well as legal and remediation costs. Breaches of up to 10 million records cost an average of 50 million, taking into account fines, detection costs, notification costs, reputation loss and litigation. (Source: Ponemon Cost of a Breach 2020 report)

Costs can substantially exceed that average amount. For example, in August 2020, the Office of the Comptroller of the Currency fined a major provider of credit cards an 80 million civil penalty for failing to adequately protect its consumer database from a successful hack of 100 million files by a disgruntled former employee of Amazon Cloud Services.

Fiserv Fact: In 2020, a major credit card provider was fined 80 million for exposing the data of 100 million files.

Other companies that have been fined include a major foreign air carrier, which had to pay 230 million to its government, and a large hotel chain, at a cost of 124 million.

Consumers who abandon the merchant due to a breach can cause long-term damage to sales; those customers could also take legal action against the merchant due to identity loss and the costs of repairing their credit history.

Multi-pay tokens eliminate the worry of data theft. If they are ever intercepted, hacked or exposed, the tokens cannot be used outside of the merchant's environment.

Reduced PCI Scope/Liability Protection

Maintaining and validating PCI compliance is an expensive and time-consuming effort for most merchants. Furthermore, being "in compliance" is a dynamic state that may only be true at a particular point in time, and one may be PCI compliant without being completely secure. Multi-pay tokens address both the security risk and the non-compliance risk.

Omnichannel tokenization allows merchants to replace sensitive card data with tokens. Multi-pay tokens are returned in place of the PAN for CP and CNP transactions. Merchants can store the multi-pay token and vastly reduce or even eliminate the cardholder data environment (CDE) that is subject to PCI audits, while also avoiding the cost of protecting that data.

Omnichannel Capabilities

Multi-pay tokenization provides omnichannel capability, allowing one token to be used throughout a merchant's diverse retail channels. Given the wide variety of use cases, multi-pay tokenization becomes an excellent tool to help drive sales, as it maximizes customer convenience and choice.

Customer profile data can also be linked to a merchant's loyalty program. Each time a multi-pay token is used for a purchase, the token can trigger the loyalty program, enabling the customer to accumulate or redeem rewards at the time of purchase.

Recurring or Subscription Payments

Not every CNP transaction is an eCommerce purchase. There are many types of service providers that need to collect a regular payment from a consumer over a sustained period by processing a credit or debit payment. Examples include streaming services, subscription services and utility company payments. Multi-pay tokens allow merchants to store a token in place of the PAN and use it for future transactions, as long as that PAN is current.

Fiserv Fact: Multi-pay tokens can be used to securely ID your consumer across your entire payment footprint (CP and CNP).

Data Analytics

Many merchants find it beneficial to use customer-specific transaction data in their business intelligence applications. By using non-sensitive tokenized data, the merchant can safely use the transaction information for data analysis and customized marketing programs. This can help increase business efficiencies and aid in the creation of strategies designed to increase customer visits and sales.

Customer Profile Management

By storing multi-pay tokens instead of cardholder data, merchants vastly simplify their customer profile management processes in a way that is seamless and imperceptible to customers. Customers' preferred payment information can be stored and used repeatedly without jeopardizing sensitive data. The multi-pay token helps provide an accurate view of the merchant-consumer interaction.
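The analytics and profile-management advantages above hold only if the records that leave the cardholder data environment really contain tokens and not card numbers; a raw PAN that lands in a transaction log, a warehouse export or a profile row pulls that system back into PCI scope. The check below is an example added here, not part of the paper or of any Fiserv product. It uses two of the properties this paper gives for TransArmor tokens (tokens fail the Luhn mod-10 check and do not fall in major-brand BIN ranges) to flag PAN-shaped values in a few constructed back-end records while passing over the tokens. The sample records, the field names and the card numbers are constructed for the example.

```python
# Scan of back-end records for card numbers that should have been tokens.
# Added example, not part of the paper or any Fiserv product. Records, field
# names and card numbers are constructed; the check relies on two properties
# the paper gives for TransArmor tokens: they fail Luhn and avoid brand BINs.
import re

# Constructed records: a transaction-log line before and after tokenization,
# two customer-profile rows and an unrelated shipping reference.
SAMPLE_RECORDS = [
    "2021-03-02T10:14:07Z txn=8812 merchant=shop-a acct=4111111111111111 amt=25.99 status=APPROVED",
    "2021-03-02T10:14:07Z txn=8812 merchant=shop-a acct=7709261183451111 amt=25.99 status=APPROVED",
    "customer_id=alice,token=7709261183451111,last_purchase=2021-03-02,loyalty_pts=120",
    "customer_id=bob,token=5105105105105100,last_purchase=2021-02-11,loyalty_pts=40",
    "order=5521 shipping_ref=1234567890123 carrier=ground",
]

CANDIDATE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")      # PAN-length digit runs only
BRAND_PREFIX = re.compile(                             # Visa, Amex, Mastercard, Discover
    r"^(4|3[47]|5[1-5]|2(22[1-9]|2[3-9]\d|[3-6]\d\d|7[01]\d|720)|6011|65|64[4-9])")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit test; real PANs pass it, the tokens do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        total += d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
    return total % 10 == 0


def classify(digits: str) -> str:
    """'pan' = Luhn-valid with a major-brand prefix, 'possible_pan' = Luhn-valid
    with an unknown prefix, 'not_pan' = fails Luhn (tokens land here by design)."""
    if not luhn_valid(digits):
        return "not_pan"
    return "pan" if BRAND_PREFIX.match(digits) else "possible_pan"


def mask(digits: str) -> str:
    """First six and last four only, the display form PCI DSS permits in reports."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_records(records: list[str]) -> list[tuple[int, str, str]]:
    """Return (record number, masked value, classification) for every value
    that a PAN-shaped check flags; tokens are silently passed over."""
    findings = []
    for n, record in enumerate(records, 1):
        for match in CANDIDATE.finditer(record):
            verdict = classify(match.group())
            if verdict != "not_pan":
                findings.append((n, mask(match.group()), verdict))
    return findings


if __name__ == "__main__":
    for n, masked, verdict in scan_records(SAMPLE_RECORDS):
        print(f"record {n}: {masked} looks like a {verdict}")
```

On the constructed records the scan flags the pre-tokenization log line and the profile row where a real card number sits in the `token` column, and says nothing about the two rows that hold the token. This is a format-level check only: a Luhn-valid value with an unknown prefix is reported as `possible_pan` for manual review rather than dropped, and the findings are masked so the report itself does not become another copy of cardholder data. Run the same scan over logs, warehouse exports and backups, since any one of them holding a PAN extends the CDE.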

Conclusion

As has been shown, multi-pay tokens are the ideal way to simplify the payment process in an environment in which eCommerce is taking an increasingly dominant role.

Multi-pay tokens protect PCI data, allowing a merchant to safely store payment data for future transactions.

TransArmor multi-pay tokens are available either directly through Fiserv or from one of our over 75 certified gateways and software vendors. Using a direct connection or a certified vendor guarantees that data is tokenized during the transaction flow from the merchant to Fiserv, ensuring that card data is never sent in the clear.

Merchants can use multi-pay tokens across their environment, offering enhanced convenience to customers. This helps deepen the customer relationship and the ability to capture a larger share of the established and growing eCommerce market.

Multi-pay tokens represent a significant advance in conducting secure transactions for Card Present, eCommerce, digital, recurring or subscription payments. Because this unique type of token can be used to complete a financial transaction, the merchant enjoys all the functionality of a PAN, plus a high level of protection against the theft or exposure of sensitive payment card data, all without investing heavily in layered data security solutions.

And when it comes to choosing a multi-pay token provider, note that TransArmor Data Protection from Fiserv applies best-in-practice tokenization security to protect customer card data. TransArmor tokens are not reversible, do not expire and follow the customer's card through its life cycle.

Unlike TransArmor Data Protection, standard gateway tokenization solutions only tokenize data between themselves and the merchants. Gateways must detokenize their token and send it to processors in the clear, thereby exposing card data at the last mile between the gateway and the processor. In this less-desirable scenario, the merchant would be responsible for the entire transaction flow from a PCI perspective: from their site to the processor's.

TransArmor tokens provide a consistent security solution across the entire payment environment, obviating the need to use multiple, complex security solutions from various payment applications for customer and payment management.

In summary, TransArmor Data Protection enables a business to focus on growth and customer service, utilizing Fiserv tokenization technologies to easily and cost-effectively implement data security best practices.

TransArmor Multi-pay Token Features and Benefits

Features:
- Unlike encryption, a token has no direct relationship with the data that it replaces
- The token is card-based, meaning there is a 1:1 relationship between the PAN and the token
- Multi-pay tokens do not expire; the same token follows the card through the entire card lifecycle
- The token matches the length of the initiating PAN and maintains the last 4 digits
- The token does not overlap BIN ranges from major card brands, including those of Amex, Discover, Mastercard and Visa
- Tokens do not pass the Luhn (MOD-10) algorithm

Carat is the Fiserv omnichannel commerce ecosystem that delivers unlimited global payment opportunities across any channel anywhere, executing transactions on any device with any payment method, securely and at global scale.

Omnichannel tokenization offers improved security of online data and can help reduce PCI scope, which offers liability protection to merchants. This value is currently offered by Fiserv and can even be accessed through the Carat Gateway.

Through simple API access, Carat enables merchants, experience providers and financial institutions to imagine and realize new customer experiences.

Carat drives more commerce.

For more information about multi-pay tokens, contact your account representative.

Sources cited:
- us.gov/retail/mrts/www/data/pdf/ec current.pdf
- Ponemon Cost of a Breach 2020
- 80-million-fine-2019-data-breach

2021 Fiserv, Inc. or its affiliates. All rights reserved. Fiserv is a registered trademark of Fiserv, Inc. Other products referenced in this material may be trademarks or registered trademarks of their respective companies. Terms and Conditions apply.
