A More Efficient PCI Compliance Process

April 25, 2012

There’s no question that data security is a significant risk in online retail. Given the threat posed to payment card users by these attacks, it is no surprise that the payment card industry has responded with the stringent data processing and storage requirements spelled out in the Payment Card Industry Data Security Standards (PCI DSS).

The Datalex Travel Distribution Platform (TDP) is an e-commerce retail platform for leading airlines and travel distributors around the world. This highly available, PCI compliant, hosted infrastructure delivers shopping, reservations and reward offerings to approximately 95 million travelers worldwide each year.

As such, we continue to look at new, innovative and effective approaches that provide the level of security our customers and travelers expect, while making sure the solution is flexible enough to meet the demands of travel retailers in a cost-effective manner. On review of our process with our PCI Qualified Security Assessor (QSA), we found that wrapping our TDP services with a PCI-compliant tokenization service allowed us to focus our compliance efforts, providing a more flexible framework for the introduction of new functionality and the integration of third-party services.

TOKENIZATION

We created the Datalex Tokenization System, a storage and transmission system that wraps around TDP and handles and stores all payment card data, isolating that data from other TDP services. By making the Datalex Tokenization service fully PCI-compliant we are able to maximize security for traveler information. The Tokenization service intercepts payment card data at the point it is entered by a traveler and then passes a token to other TDP services to represent the stored data. For enhanced security, the token is simply a randomized value that replaces the payment information but does not contain any sensitive data itself. Any TDP service can use the token to confirm that the data has been entered and approved.

When the sensitive information is needed by a third-party system, TDP sends the token, which is intercepted en route by the tokenization service and replaced with the appropriate information. TDP retail services can easily use the tokenization service to integrate securely with third-party systems. This new approach was validated in August 2011 when the PCI Security Standards Council issued this report formally endorsing our approach to tokenization as an effective compliance tool.
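The two passages above describe the pattern in prose: card data is captured once, a random token that carries no card information is handed to every other service, and the real data is substituted back only at the outbound boundary to a third party. The following is an added illustration of that pattern, written for this page and not Datalex's own code. The class and function names, the in-memory dictionary standing in for the vault's datastore, and the sample card number are all constructed for the example; a deployed vault would keep its store encrypted and access-controlled, and only the outbound gateway would be allowed to call `detokenize`.

```python
"""Minimal tokenization vault: the only component that ever holds card data.

Added example for this page (not Datalex's code). Names and sample data are
constructed; the dict below stands in for an encrypted, access-controlled store.
"""
import re
import secrets
from dataclasses import dataclass

# Token format is fixed and opaque: a prefix plus 128 random bits, nothing derived from the card.
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{32}$")


@dataclass(frozen=True)
class CardData:
    pan: str     # primary account number (card number), digits only
    expiry: str  # MM/YY
    holder: str  # name on the card


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject obviously malformed input at capture time."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenizationVault:
    """Captures card data at entry, hands out tokens, and substitutes data only on the way out."""

    def __init__(self) -> None:
        self._store: dict[str, CardData] = {}  # token -> card data (stand-in for the real datastore)

    def tokenize(self, card: CardData) -> str:
        """Store the card and return a random token that represents it to other services."""
        if not luhn_valid(card.pan):
            raise ValueError("card number failed checksum")
        token = "tok_" + secrets.token_hex(16)  # random value; the PAN cannot be recovered from it
        self._store[token] = card
        return token

    def is_known(self, token: str) -> bool:
        """What an ordinary service may ask: has data been captured for this token?"""
        return token in self._store

    def masked(self, token: str) -> str:
        """Display form safe for receipts and agent screens: only the last four digits survive."""
        pan = self._store[token].pan
        return "*" * (len(pan) - 4) + pan[-4:]

    def detokenize(self, token: str) -> CardData:
        """Restricted to the outbound gateway; returns the stored card data for a token."""
        return self._store[token]


def forward_to_partner(vault: TokenizationVault, payload: dict) -> dict:
    """Outbound gateway: walk a message bound for a third party and replace every token
    with the real card data just before it leaves the tokenized zone."""
    outbound = {}
    for key, value in payload.items():
        if isinstance(value, str) and TOKEN_RE.match(value) and vault.is_known(value):
            card = vault.detokenize(value)
            outbound[key] = {"pan": card.pan, "expiry": card.expiry, "holder": card.holder}
        else:
            outbound[key] = value
    return outbound


if __name__ == "__main__":
    vault = TokenizationVault()
    # Constructed sample card (a well-known test number), not real cardholder data.
    tok = vault.tokenize(CardData("4111111111111111", "12/29", "A TRAVELER"))
    print("token seen by TDP services:", tok)
    print("masked form for a receipt:", vault.masked(tok))
    print("message as sent to the partner:", forward_to_partner(vault, {"booking": "ABC123", "card": tok}))
```

Everything between capture and the outbound gateway works with `tok`, `is_known` and `masked`; only `forward_to_partner` touches `detokenize`, which is the boundary the assessor scopes. Rejecting a bad checksum at `tokenize` keeps malformed data from ever being stored under a token.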

Will Gordon, Datalex Information Security Manager and Ken Labach, Datalex Counsel.