Looking at Tokens in payment processing online
Geoffrey Simpson
Slides: 19

Tokenization: New Customer (diagram, from Dr. Moore's slides)

[Diagram: Browser, Merchant, Token Vault (holds {PAN}Kvault and the token TPAN) and Issuer (holds {PAN}Kissue). The step labels below are recovered from the slide; the arrow directions are inferred from those labels.]
1. Browser -> Merchant: PAN, CVV, exp, amt
2. Merchant -> Token Vault: Request Token (PAN, CVV, exp)
3. Token Vault -> Merchant: Send Token (TPAN)
4. Merchant -> Issuer: TPAN, amount
5./6. Issuer <-> Token Vault: Request PAN / Send PAN
7. Issuer -> Merchant: Authorization
Legend: links marked "PAN sent" vs. "PAN not sent".

Tokenization: New Customer (same diagram, annotated)
Because the PAN passes through the Merchant in steps 1 and 2, this puts the Merchant IN SCOPE for PCI-DSS Compliance!

What do you need to do for PCI-DSS Compliance?

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. All systems that transmit cardholder information are in scope for PCI-DSS

Protect Cardholder Data
1. Protect stored cardholder data
2. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
1. Use and regularly update anti-virus software or programs
2. Develop and maintain secure systems and applications

What do you need to do for PCI-DSS Compliance? (continued)

Implement Strong Access Control Measures
1. Restrict access to cardholder data by business need-to-know
2. Assign a unique ID to each person with computer access
3. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
1. Track and monitor all access to network resources and cardholder data
2. Regularly test security systems and processes

Maintain an Information Security Policy
1. Maintain a policy that addresses information security for employees and contractors

Does this sound easy? How much does it cost to be PCI-DSS compliant?
For the smallest implementation, estimates start at $10,000 per year. Fines are assessed per month, so non-compliance can be costly. The cost of being PCI-DSS compliant can be prohibitive for smaller companies. Someone has to be PCI-DSS compliant, which is good. If you have a web, mobile, or desktop application that accepts payments, is it possible to stay out of scope for PCI compliance?

Tokenization to the rescue!
Payment processors have created APIs that allow credit card information to be posted directly from the user's browser to their PCI-DSS compliant servers. The connection is encrypted, and the payment data travels only between the user (browser) and the PCI-DSS compliant payment processor; it never touches the merchant's servers. Once the data is posted to the processor and validated, the processor generates a token and sends it back to the form, and the form submits only that token to the merchant.

Merchant is NOT in scope for PCI-DSS Compliance!
(More precisely: the merchant no longer has a cardholder data environment, so its obligations shrink to the short self-assessment questionnaire for e-commerce merchants that fully outsource card handling: SAQ A, or SAQ A-EP when the merchant's own page serves the script that collects the card data. The merchant still must not log, proxy, or store the card fields, and the page that loads the processor's script must itself be served and maintained securely, since a compromised page can redirect card data elsewhere.)

What does this look like in code? (HTML)

Server Side, using the token

Now you can get paid (without having to be PCI-DSS compliant)! Dollar dollar bills y'all.

Stripe started this, but they aren't the only game in town:
  • PayPal Payments Advanced: a token-based API instead of having to go to the PayPal website
  • Authorize.net
  • Square
  • And many more... See the PCI SSC list of validated payment applications: https://www.pcisecuritystandards.org/assessors_and_solutions/vpa_agreement

Commercial Token providers

TokenX.com

done