A portion of this post originally appeared on the Corevist blog.
Richard McCammon, founder, and Craig Lehtovaara, VP of Product Innovation, sat down with Corevist to help educate B2B decision-makers on PCI compliance and what it means for them, particularly as it relates to B2B payments. The expert panel was asked the following questions:
- What trends do you see in PCI compliance for B2B?
- What’s one thing that you wish SAP manufacturers knew about PCI compliance?
- Are there any PCI compliance issues which you feel are “hot” in the B2B market that you want to address?
Here’s our insight on question 1.
What trends do you see in PCI compliance for B2B?
Privacy rules will begin to creep into the PCI standards. Currently, the standards protect cardholder data which, by definition, means the Primary Account Number (PAN) (i.e. card number), the cardholder name, the service code, and the expiry date. According to the standards, these last three data items must only be protected if stored with the PAN. Privacy regulations in many jurisdictions (the European Union and Canada being good examples) have established standards for the protection of personal information which includes other identifying data points such as government identification numbers, personal addresses, date of birth, telephone numbers, bank account numbers, etc. Many of these, such as address, are used when processing credit cards. In order to support card payments and these new privacy regulations, the PCI standards will expand to include personal information that pertains to payments.
As PCI DSS has evolved over the years, it has increasingly become a material component of many budgets. The 3.x release of the specification was more substantial than its predecessor, and it left many IT departments scrambling to bring previously (thought to be) out-of-scope systems into compliance. Many CEOs and CIOs are looking for ways to reduce their rising compliance costs without compromising on security. At Delego, we’ve noticed three notable trends in the B2B space to reduce PCI DSS scope and mitigate compliance costs.
- Reducing PCI DSS scope by isolating payment card data entry to the cardholder and only using payment tokens in merchant systems.
By implementing systems that allow the cardholder, and only the cardholder, to enter plain-text cardholder data into secure, PCI compliant, Payment Service Provider hosted payment forms, merchants can remove their B2B eCommerce portals from PCI DSS scope with eWallets and tokenization. For eCommerce merchants who self-assess, this is particularly relevant since the publication of SAQ A-EP. Being able to self-assess using SAQ A instead of SAQ A-EP is a real advantage: SAQ A covers a subset of two requirements, whereas SAQ A-EP covers a subset of all 12.
- Using Accounts Receivable Self-Service and Enterprise Bill Presentment and Payment Portals
Many merchants are achieving significant cost savings on PCI compliance costs, reducing B2B payment costs, and improving data security by transitioning traditional B2B AR processes over to self-service portals and Enterprise Bill Presentment and Payment Portals. These portals permit the cardholder to pay outstanding open items on their account without ever exposing payment card information, much in the same way we have come to expect in B2C channels. Since these B2B portals also leverage PCI compliant, Payment Service Provider hosted payment forms, merchants can remove them from PCI scope as well.
- Implementing a Point-to-Point Encryption (P2PE) certified solution in their Payment System Architecture to remove payment card data entry from employee workstations
Another trend that we’ve observed here at Delego is the increasingly rapid growth of P2PE solutions in B2B. When version 3.0 of the PCI Data Security Standard was released, many merchants saw previously out-of-scope employee workstations brought into scope by their security experts and QSAs. These workstations can potentially be very difficult to bring into PCI compliance. Even worse, it can be very difficult to effectively secure them from Trojans and viruses, particularly key loggers. As a response to this threat, many merchants are implementing P2PE solutions to remove credit card data entry from the employee workstation and migrate it to a secure hardware device, such as those we’ve grown accustomed to in retail channels.
Follow our blog and stay tuned for Part 2 and Part 3. We’ll discuss what we wish B2B companies knew about PCI compliance, and what we consider to be hot issues in PCI compliance in the B2B market.