
Looking at Tokens in payment processing online



Presentation Transcript


  1. Looking at Tokens in payment processing online Geoffrey Simpson

  2. Tokenization: New Customer (diagram, from Dr. Moore's slides)
     Parties: Browser, Merchant, Token Vault, Issuer. The Token Vault holds the card number encrypted under its own key ({PAN}_Kvault) next to the token T_PAN; the Issuer holds the card number encrypted under the issuer key ({PAN}_Kissuer).
     Numbered messages in the diagram:
     1. PAN, CVV, exp, amt
     2. Request Token T_PAN, PAN, CVV, exp
     3. Send Token T_PAN
     4. T_PAN, amount
     5. Request Token T_PAN
     6. Send PAN
     7. Authorization
     The Browser's links are annotated "PAN sent" and "PAN not sent".

  3. Tokenization: New Customer (same diagram as slide 2, from Dr. Moore's slides), with the callout: This puts the Merchant IN SCOPE for PCI-DSS Compliance! In this flow the card number travels through the Merchant (messages 1 and 2: PAN, CVV, exp from the Browser, then forwarded to the Token Vault), so the Merchant's systems transmit cardholder data.

  4. What do you need to do for PCI-DSS Compliance?
     • Build and Maintain a Secure Network
        • Install and maintain a firewall configuration to protect cardholder data
        • Do not use vendor-supplied defaults for system passwords and other security parameters
        • All systems that transmit cardholder information are in scope for PCI-DSS
     • Protect Cardholder Data
        • Protect stored cardholder data
        • Encrypt transmission of cardholder data across open, public networks
     • Maintain a Vulnerability Management Program
        • Use and regularly deploy anti-virus software or programs
        • Develop and maintain secure systems and applications

  5. What do you need to do for PCI-DSS Compliance? (continued)
     • Implement Strong Access Control Measures
        • Restrict access to cardholder data by business need-to-know
        • Assign a unique ID to each person with computer access
        • Restrict physical access to cardholder data
     • Regularly Monitor and Test Networks
        • Track and monitor all access to network resources and cardholder data
        • Regularly test security systems and processes
     • Maintain an Information Security Policy
        • Maintain a policy that addresses information security for employees and contractors

  6. Does this sound easy?
     • How much does it cost to be PCI-DSS compliant?
        • For the smallest implementation, estimates start at $10,000 per year
        • Fines are per month, so non-compliance can be costly
     • The cost of being PCI-DSS compliant can be restrictive for smaller companies.
     • Someone has to be PCI-DSS compliant, which is good.
     • If you have a web, mobile, or desktop application that accepts payments, is it possible to stay out of scope for PCI compliance?

  7. Tokenization to the rescue!
     • Payment processors have created APIs that allow credit card information to be posted directly to their PCI-DSS compliant servers.
     • All data is encrypted, and payment data only goes between the user (Browser) and the PCI-DSS compliant payment processor.
     • Once the data is posted to their servers and validated, they generate a token and send it back to the form.

  8. Merchant is NOT in scope for PCI-DSS Compliance!

  9. What does this look like in code? (HTML)

  10. Server Side, using the token
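The slides' code screenshots did not survive extraction, so here is an added, self-contained model of the flow slides 7, 9 and 10 describe (not the presenter's code and not any real processor's API): the browser tokenizes the card with an in-process stand-in processor, the merchant server receives only the token and amount, and a Luhn-based check confirms nothing PAN-like reached the merchant. The processor, vault, token format and card number are all constructed for the example.

```javascript
// Stand-in for the PCI-scoped processor's token vault: token -> card details.
// In the real flow this data never leaves the processor (constructed example).
const vault = new Map();

// Luhn check, used both by the processor and by the merchant's scope check.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0, dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = +digits[i];
    if (dbl) { d *= 2; if (d > 9) d -= 9; }
    sum += d; dbl = !dbl;
  }
  return sum % 10 === 0;
}

// Browser -> processor (slide 7): card data is posted here directly, never to the merchant.
function processorTokenize({ pan, cvv, exp }) {
  if (!luhnValid(pan)) throw new Error('invalid card number');
  const token = 'tok_' + Math.random().toString(36).slice(2, 12); // constructed token format
  vault.set(token, { pan, exp, last4: pan.slice(-4) });
  return { token, last4: pan.slice(-4) }; // only the token and last4 go back to the form
}

// Merchant -> processor (slide 10): charge by token; the PAN is resolved inside the processor.
function processorCharge(token, amountCents) {
  const card = vault.get(token);
  if (!card) return { ok: false, reason: 'unknown token' };
  // Issuer authorization would happen here, on the processor side, using card.pan.
  return { ok: true, last4: card.last4, amountCents };
}

// Merchant server: handles the checkout POST, which carries a token and order data only.
function merchantCheckout(formPost) {
  return processorCharge(formPost.token, formPost.amountCents);
}

// Scope check (slide 4): does a payload the merchant handled contain any Luhn-valid digit run?
function containsPan(payload) {
  const runs = JSON.stringify(payload).match(/\d{13,19}/g) || [];
  return runs.some(luhnValid);
}

// Simulated browser session end to end.
function runFlow() {
  const card = { pan: '4111111111111111', cvv: '123', exp: '12/30' }; // constructed test card
  const { token } = processorTokenize(card);            // browser -> processor
  const formPost = { token, amountCents: 1999 };        // what the merchant actually receives
  return { result: merchantCheckout(formPost), merchantSawPan: containsPan(formPost) };
}
```

If `containsPan` ever reports true on a request your server handled, that request carried cardholder data and the server is back in scope regardless of the processor's token API.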

  11. Now you can get paid (Without having to be PCI-DSS Compliant)! • Dollar dollar bills y’all.

  12. Stripe started this, but they aren't the only game in town.
     • PayPal Payments Advanced
        • Token-based API instead of having to go to the PayPal website
     • Authorize.net
     • Square
     • And many more...
     • https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement

  13. Commercial Token providers

  14. TokenX.com

  15. done
