Minimizing PCI Scope with Tokenization


By Michael English
Late last year, Apple launched its Apple Pay service to further bolster user loyalty to their brand and proprietary devices.  

The move raises the stakes for near-field communication (NFC) mobile payment, pitting Apple Pay against Softcard and Google Wallet, which has been available for Android for some time. While there’s an undeniable “cool factor” in paying by phone, the overriding consumer appeal is that it’s quick, less bulky and nobody has to physically handle your credit card.

For merchants, card-less payment solutions like Apple Pay should be attractive for other reasons.

Apple Pay, unlike Google Wallet and Softcard, employs tokenization to protect card data when a transaction is authorized. "Tokenization" is the transactional data practice of substituting a unique code for the payment card's actual number. This method keeps the card data out of retailers' systems and is similar to a security concept Heartland Payment Systems has offered point-of-sale customers for several years.

The benefit of tokens is that should a merchant's system be breached by cybercriminals, tokens have no real value to potential hackers because they no longer contain card information that can be used for fraudulent transactions. In fact, according to the Payment Card Industry Data Security Standard (PCI DSS), tokenization is one of the most effective ways of minimizing the PCI compliance scope.

PCI is a mandated security standard that applies to all businesses that handle, process or store credit cards.  Whether payment is done via inserting an EMV card, tapping a mobile phone or by magnetic swipe, any merchant who accepts payment cards is required to be PCI compliant.  Being PCI compliant can be costly, but managing to scope is simple.  Removing cardholder data—using a tokenization-enabled solution, in other words—removes much of the financial burden and complexity of maintaining annual PCI compliance.
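To make the scope argument concrete, here is an added example of my own (not Heartland's, Apple's or any processor's implementation): a processor-side token vault that hands the merchant a random token, next to a Luhn-based scan a merchant can run over its own stored records to confirm that no clear-text card numbers remain. The in-memory vault, the `tok_` token format and the record layout are assumptions for illustration.

```python
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check: tells a plausible PAN from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side vault: the only place the token-to-PAN mapping exists."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Random token, not derived from the PAN: it cannot be reversed or
        # brute-forced without access to this vault (assumed token format).
        token = "tok_" + secrets.token_hex(12)
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


# A 13-19 digit run not glued to other word characters, so tokens never match.
PAN_PATTERN = re.compile(r"(?<!\w)\d{13,19}(?!\w)")


def find_clear_text_pans(record: dict) -> list[str]:
    """Scope check: scan a merchant-held record for anything that looks like a PAN."""
    return [m for v in record.values()
            for m in PAN_PATTERN.findall(str(v)) if luhn_valid(m)]


def checkout_with_token(vault: TokenVault, pan: str) -> dict:
    """Tokenized flow: the merchant record keeps a token and last four, never the PAN."""
    return {"order_id": "order-1001", "payment": vault.tokenize(pan), "last4": pan[-4:]}


def checkout_without_token(pan: str) -> dict:
    """Legacy flow: the merchant record stores the PAN and is therefore in PCI scope."""
    return {"order_id": "order-1001", "payment": pan}
```

Running the scan over a record from each flow shows the difference: the legacy record yields a Luhn-valid card number, the tokenized record yields nothing, yet the processor can still recover the PAN through `detokenize`.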

With all of the buzz over NFC payment in the media, it’s clear that restaurant operators will want to explore making card-less mobile payment options like Apple Pay, Softcard and Google Wallet a standard means of payment.  And, as they evaluate this new technology, they need to use this as an opportunity to evaluate their overall network security and reduce PCI scope.

Why? Because smaller businesses and restaurants are being actively targeted by criminals, especially those that accept e-payments.

While Apple Pay uses a token for transaction security, restaurants that accept credit and debit cards at the counter or tableside do not leverage tokenization. Restaurant and small business operators who think they can fly under the radar, or are too small to be targeted, should consider recent news headlines indicating that this is no longer true. Hackers don't discriminate when it comes to consumer credit data.

Consider recent attacks on franchise locations like Jimmy John's and Dairy Queen, in which relatively small attacks (in comparison to Home Depot and Target) were carried out on hundreds of local franchisees across the country. About 75 percent of such attacks are opportunistic, with some hackers tapping into data streams from a parking lot or right down the block, or inserting malicious software into the restaurant's POS software to collect clear-text card data. Clearly, merchants must make sure their systems are locked down.

Many operators have a vulnerable network, even if they think they're protected. Wi-Fi, broadband, video surveillance, point-of-sale systems, and digital menu boards are among the technologies that connect to restaurant networks through IP addresses. Every IP address on a restaurant network is a potential entry point for unauthorized persons to plant malicious software. Hackers don't actually have to be in close proximity to their target—they can randomly set their sights on IP addresses from anywhere in the world.

Another false assumption many business owners hold is that they will immediately know if they've been breached. In reality, many operators remain totally unaware that their business has been compromised for weeks, months, or even longer. Security officials estimate that between half and three-quarters of breaches take months to be discovered and, by then, immeasurable damage can be done. For example, the P.F. Chang's breach, which spanned 18 states, lasted for several months—from Oct. 19, 2013 to June 11, 2014.

Retailers who have the added layer of protection of data encryption, for which they maintain the keys, may also feel they have done enough to be compliant. However, that isn't always true. Encrypted card data can be grabbed midstream while it travels to the processor, or while it is stored. If data thieves can obtain or break the encryption keys, the encryption is rendered useless: armed with the key, criminals can decrypt the encrypted card data and monetize it.

However, if the merchant or restaurant does not hold the keys needed to decrypt that encrypted card data, then PCI considers the encrypted card data to be out of scope. Like tokenization, encryption is a vital part of a comprehensive plan to eliminate the risk of clear-text card data being stolen and monetized.

While restaurant owners, retailers and small business entrepreneurs evaluate if and how they will take the leap to integrate Apple Pay and Google Wallet, they should use the process as an opportunity to evaluate the security of their entire payment system—making sure they are not unintentionally exposing their customers' private financial data.

As for my company, it is our mission to ensure that every transaction is protected.  In fact, we believe so strongly in the security of our technology that we are the first payment processing company to offer a comprehensive warranty that protects businesses from payment card losses as the result of a breach.

Heartland is PCI compliant and a member of the PCI Security Standards Council.  We invest heavily in continuous R&D in this area and encourage all merchants to consider comprehensive solutions like Heartland Secure™, which combines EMV, tokenization and Heartland’s E3® (end-to-end encryption) to decrease the reputational and financial risks associated with just doing your business, one swipe, tap or e-signature at a time.  Heartland Secure is a direct means by which a restaurant or merchant can remove clear text card data from their business for EMV, magstripe and mobile transactions.  

Michael English is the executive director of product development for Heartland Payment Systems, the fifth largest payments processor in the United States. In this role since 2005, Michael is responsible for the strategic direction and development of merchant acceptance offerings including the evaluation, integration and use of emerging technologies.

As Heartland evolves from a payments processing to a full-service technology company, Michael is at the forefront of anticipating the needs of Heartland’s merchants in more than 300,000 business and education locations nationwide. Michael has over 25 years of experience in the payments industry.
