XBS Global uses only products and services that meet the requirements put forth by the PCI Security Standards Council – a not-for-profit organization founded in 2006 by the payment brands. In addition, XBS incorporates state-of-the-art technologies, often used in tandem with PCI DSS standards, to provide a secure payments infrastructure and address many of the vulnerabilities in the payment processing chain.
Above and beyond PCI DSS
EMV – Europay, MasterCard and Visa are the developers of this now global standard to combat fraud and protect sensitive cardholder data when processing credit and debit cards in a card present (CP) environment. It is also referred to as smart card technology, or chip and PIN / chip and signature (customers must sign or enter a PIN at the point of sale).
Chip or smart cards support dynamic authentication, while the current magnetic stripe credit card holds static data, which is easier to copy or steal with a simple card reading device. Payment brands have introduced compelling incentives for US merchants to update hardware for contact and contactless chip card acceptance, including:
Waiving PCI DSS audits for merchants who process at least 75% of their transactions with an EMV certified device
Shifting fraud liability from the processing bank to the merchant when EMV technology is not used for the transaction (effective Oct 2015 for retail merchants)
XBS Global places only EMV ready devices for merchants who process in a CP setting.
Encryption – End to End (E2EE) and Point to Point (P2PE) encryption in internet payment processing sets the standard for protecting data captured by the merchant and awaiting authorization. Seamless and invisible to the merchant and customer, it encrypts card data such as the PAN (primary account number) at the POS so that the data cannot be used or monetized if it is stolen. The data is decrypted by the processor, and no data is stored on the customer servers or systems.
Encryption reduces the PCI DSS compliance scope of the merchant.
Tokenization – Encryption and tokenization solve for mutually exclusive security weaknesses in the payments process. Tokenization solves the problem of storing and using real card data in business processes that are downstream from authorization.
Tokenization replaces a sensitive data item or high value credential with a non-sensitive substitute value. In a payments environment, the purpose is to replace sensitive data such as the PAN (PIN, SS#, CVV, etc.) with a surrogate that has no value outside of the environment.
Tokenization is a valuable tool in reducing the risk associated with a breach. Tokens can be stored and managed in the cloud, in a token vault, or by a merchant.
For a further in-depth description of these technologies and their roles in protecting cardholder data for processing merchants, XBS Global recommends a whitepaper by the Smart Card Alliance organization, which can be found here.