Avoid storing credit card data within your software environment by using Element Payment Services' tokenization technology (PASS), and significantly reduce the scope of PA-DSS compliance.

"Being able to store cardholder data off-site is a real differentiator for us as a software provider. This lets our merchants meet critical PCI DSS requirements with no additional spending or effort on their part."

John Harms,
President and CEO,
Harms Software Inc.

The number one reason behind cardholder data security compromises is the inability of merchants to protect their customers' stored credit and debit card data. In 2008, 89% of companies that experienced a data breach failed to effectively protect sensitive information, according to the 2009 Data Breach Investigations Report conducted by the Verizon Business RISK Team.

The industry standards of PCI DSS (for merchants) and PA-DSS (for software providers) have strict requirements concerning the storage of sensitive credit and debit cardholder information. Software providers can protect customers by implementing a secure offsite data storage solution that utilizes tokenization technology.

Payment Account Secure Storage (PASS), based on what is more commonly known as tokenization in the industry, works by moving the actual cardholder data offsite to Element's PCI DSS compliant storage facility. Element's servers create and then return a unique reference pointer (or token) to the software application. Encryption is used to protect cardholder data while in transit. Using the token (which contains no actual cardholder data itself), merchants can bill a card on file and schedule automatic payments. Tokenization thus protects cardholder data at rest. Element's credit card tokenization solution is different from some other implementations in that a token is produced per account, vs. per transaction. This helps to make token management easier.

When the responsibility to protect stored data, along with the risks of a security breach and resulting loss, is transferred to a trusted partner, business liability is dramatically reduced for merchants and software providers alike. Since data thieves can't steal what a merchant does not possess, the opportunity for a security breach is greatly reduced.

How Does Credit Card Tokenization Work?


  • Business accepts credit and debit cards in the usual manner.
  • Business securely transmits cardholder data to Element's PCI DSS compliant storage facility.
  • A unique reference pointer (token) is supplied by the storage facility for each record transmitted by the business.
  • The token is now stored at the business in place of cardholder data.
  • Future payment transactions are transmitted by the business using the token in place of cardholder data.
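
The five steps above, modelled as an added example (not Element's code or API): `TokenVault`, `enroll_customer` and `bill_card_on_file` are hypothetical names, the vault is an in-memory stand-in for the off-site storage facility, and the card number is a constructed test value. It issues one random token per account, as described for PASS, so the merchant's records never hold the card number.

```python
import secrets

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: reject mistyped card numbers before they are stored."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the off-site storage facility (hypothetical)."""
    def __init__(self):
        self._card_by_token = {}            # token -> (PAN, expiry); exists only in the vault
        self._token_by_pan = {}             # one token per account, not per transaction

    def tokenize(self, pan: str, expiry: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = self._token_by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random, not derived from the PAN
            self._token_by_pan[pan] = token
        self._card_by_token[token] = (pan, expiry)   # refresh expiry on re-enrolment
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        if token not in self._card_by_token:
            raise KeyError("unknown token")
        pan, _expiry = self._card_by_token[token]
        # A real vault would submit the card to the processor here (assumed step).
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

def enroll_customer(vault, merchant_db, customer_id, pan, expiry):
    """Merchant side: send the card to the vault once, keep only the token."""
    merchant_db[customer_id] = {"token": vault.tokenize(pan, expiry)}
    return merchant_db[customer_id]["token"]

def bill_card_on_file(vault, merchant_db, customer_id, amount_cents):
    """Merchant side: later payments reference the token, never the card number."""
    return vault.charge(merchant_db[customer_id]["token"], amount_cents)

if __name__ == "__main__":
    vault, db = TokenVault(), {}
    enroll_customer(vault, db, "cust-1", "4111 1111 1111 1111", "12/30")  # constructed test card
    print(db, bill_card_on_file(vault, db, "cust-1", 2500))
```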

Eliminating on-site credit card storage has another benefit as well: simplified PCI DSS compliance for your customers. In a recent report by PricewaterhouseCoopers presented at a PCI Security Standards Council Community Meeting, tokenization was highlighted as a "robust technology" that can help shift some of the risk and burden of PCI compliance from the merchant to the credit card processor.

A business that outsources its debit and credit card data storage is also able to complete a shortened version of the annual PCI DSS assessment, the PCI SAQ. The length of the self-assessment questionnaire can be cut in half, from 31 to 16 pages. Read about how to do this in our blog post, PCI SAQ Made Easy.

Element Payment Services also incorporates end-to-end encryption into their payment processing system, which protects cardholder data in transit from being tampered with, copied, or deleted. Authentication is used to guarantee the sender and receiver of the information. All of this makes Element's processing system one of the most secure products on the market. This, in turn, allows merchants to reduce their PCI DSS scope and transfer the risk of cardholder data storage to the industry leader.

Ready to learn more? Open a free test account or view the specifications of the Element Express Processing Platform, read one of our white papers on PCI DSS and PA-DSS compliance, or contact us.

Are you a merchant wanting to learn more about tokenization? Visit our merchant section of the site.

Key Benefits

  • Allows merchants to securely process recurring transactions.
  • Helps merchants and software providers comply with PCI DSS and PA-DSS (PABP) requirements.
  • Significantly reduces liability for software providers and merchants.

Element Payment Services Inc. is a registered ISO/MSP with First National Bank of Omaha. © 2010 Element Payment Services, Inc.
Website updated on: 7/31/2010