payments - Retail Systems
payments - Retail Systems
payments - Retail Systems
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
GT: So you’ve got the token, you can send the token into the<br />
cloud and have the cloud de-tokenise it and read the card data<br />
to the bank without the agent listening to that information.<br />
AH: But a chargeback when a customer says: ‘I didn’t make<br />
this purchase’ the acquirer themselves send you the full card<br />
number to query the transaction. That’s the example I was<br />
talking about, the only time I can think of that having card<br />
data is valid.<br />
GT: Again we’ve got to educate the acquirers on this. I know<br />
they email you with this information but some of the acquirers<br />
are the least PCI compliant organisations. They should be looking<br />
at their systems as well because there’s no reason why they<br />
can’t provide that information via your cloud tokenised provider<br />
– they give you the token and you then have to match to that.<br />
Your challenge is as soon as you bring the card data back into<br />
your environment that all the advantages of getting to an SAQ<br />
A, or an SAQ C, all go out the window because you’re now back<br />
into an SAQ D because you’ve now got a process that is managing<br />
card data.<br />
MG: What Alex was saying obviously has a lot of technical<br />
advantages in that it reduces the scope and allows you to do<br />
a simpler SAQ. But if you look at requirement 12.A, managing<br />
your third parties, and then you look at the proposals of the<br />
DPA in the new data protection regulation, it’s putting a lot of<br />
emphasis on the fact that in the past the data controller was<br />
ultimately responsible. Now the data controller and the data<br />
processor can also be held responsible. As Jeremy said, for once<br />
in your life you have to read the contract to see where your<br />
liability stops and starts. I think that if acquiring banks are going<br />
to write to their merchants or to use compliance validation<br />
portals to promote outsource solutions for tokenisation and<br />
point-to-point encryption and so on, they also need to promote<br />
the fact that outsourcing has risks and that needs to be in your<br />
risk dashboard and it needs to be fully managed.<br />
GT: Well that’s where we have to say: ‘Well done to PCI’ because<br />
it’s actually found a way to get that external provider audited on<br />
an annual basis and to ensure that they stay compliant between<br />
those two audit point. That’s probably one of the best things<br />
that’s happened within the security industry because now we do<br />
have a standard.<br />
JK: If you want to use a service provider who claims they are PCI<br />
approved, ask them for their certificate. If they have it they will<br />
give it to you because they’re pleased as punch to have it. And if<br />
they don’t give it to you, then you just go to another provider.<br />
“Make sure your provider is PCI approved. ”<br />
AY: I think that’s quite an important point to get across to<br />
the <strong>Retail</strong> <strong>Systems</strong> readers, because they won’t necessarily<br />
know what to look for. If you were going to write a list of the<br />
top five things you need to know about PCI, ensuring that<br />
your provider is approved or certified is probably up there<br />
at number one.<br />
roundtable<br />
JK: If you’re going to go and deal with a <strong>payments</strong> service provider,<br />
absolutely. Ask them to prove their credentials.<br />
AY: So, number one – PCI can be a hassle – outsource it. And<br />
number two – make sure your provider is certified.<br />
JK: Absolutely.<br />
CP: There’s three things that a merchant or a supplier should<br />
have; a certificate of compliance, an attestation of compliance<br />
and a ROC – record of compliance. This is very important. The<br />
middle one, the attestation of compliance is the jewel in the<br />
crown because no company will ever give you their ROC because<br />
that’s confidential information. The certification of compliance<br />
is just a certificate that the QSA can produce but the real gem,<br />
that PCI requires to be completed, is the attestation. It tells you<br />
exactly what has been audited, what has been assessed, even<br />
within the different environments.<br />
GT: And the same applies for tool lenders. And with the<br />
attestation comes an implementation guide which the QSA<br />
has written. So if you’re deploying a certain tool it tells you<br />
exactly how it needs to be deployed in your environment to<br />
remain PCI compliant. It’s not enough to say that you’ve got<br />
an assessed tool there; it’s only if it’s deployed in a certain way<br />
that it is compliant.<br />
RS<br />
June - July 2012 RS 37