Electronic Payment Exchange (EPX), a full-service payment processor that introduced payment data tokenization solutions to merchants in 2001, announced today that the Payment Card Industry Data Security Standards (PCI DSS) Tokenization Guidelines released on August 12 affirm that EPX’s free, outsourced tokenization solutions can eliminate the scope of PCI compliance for merchants.
According to the PCI DSS Tokenization Guidelines, “The key for merchants wishing to reduce their PCI DSS scope is to not store, process, or transmit cardholder data.” As a global payment processing organization providing hosted services that use both tokenization and end-to-end encryption, EPX enables merchants to eliminate cardholder data storage, processing, and transmission by outsourcing their payment processing and the related storage of cardholder data. By using card-reading devices that encrypt cardholder data at the point of swipe, EPX prevents merchants from possessing unencrypted cardholder data at the initiation of a transaction. Applying EPX BuyerWall-based tokenization during subsequent processing steps ensures merchants can’t (and don’t need to) store any cardholder data in their systems. Instead, merchants receive a token, i.e. a replacement value, for each transaction; these tokens are meaningless in the event they are lost or stolen. EPX provides both tokenization and end-to-end encryption services to its merchants without cost.
The PCI Security Standards Council’s tokenization guidelines are a welcome addition to the body of guidance that recognizes the value of this approach to reducing merchant risk, but merchant concerns regarding storing credit card data did not begin with the formation of the PCI Security Standards Council in 2005. “With our tokenization solution, EPX has freed merchants from the liability of storing credit card data since well before the PCI Council was formed,” says EPX Chief Security Officer Matt Ornce, who was instrumental in developing the EPX BuyerWall tokenization technology. “Visa’s best practices document, issued in 2010, also validated EPX’s long-standing approach to tokenization, and we are delighted to see that the PCI Security Standards Council is now officially recognizing the value and security of tokenization solutions.”
“We have fielded the question of PCI DSS scope reduction hundreds of times,” continues Ornce. “While we have always known that EPX tokenization solutions reduced the level of merchant risk, now we can say with certainty that they also reduce the level of PCI DSS assessment scope for merchants.”
In addition to listing the merchant responsibilities involved with implementing and using tokenization solutions, the PCI DSS Tokenization Guidelines establish the responsibilities that apply to EPX as the tokenization service provider. Acting as a security and cost-reduction advocate, EPX follows all of the guidelines – including meeting all applicable PCI DSS requirements, supporting merchants’ PCI DSS compliance efforts, and helping merchants minimize their need to store or access cardholder data – and reduces merchant burdens and costs associated with gaining and maintaining PCI DSS compliance by providing hosted, tokenization-based payment processing solutions.
About Electronic Payment Exchange
Founded in 1979, Electronic Payment Exchange is the global, industry-leading provider of fully integrated, end-to-end payment solutions for merchants across all distribution channels. EPX offers a full range of tokenization-based payment processing services for leading merchants, retailers, etailers, and banks in the United States, Canada, Europe, Latin America, and the Caribbean.
EPX is a participating organization of the Payment Card Industry Security Standards Council. EPX is PCI v1.2 compliant, a VISA USA Cardholder Information Security Program (CISP) Compliant Service Provider, and a MasterCard Site Data Protection (SDP) Compliant Service Provider.
For more information about EPX, visit http://www.epx.com or contact EPX at 302-288-0600.