Browser Based Encryption vs. Hosted Tokenization Page – An Issue of Control


While E-Commerce tokenization solutions reduce the cost and scope of PCI compliance, a more important benefit is that they remove toxic data from your environment, so that when a breach does occur, the result is simply: No Data, No Theft. But would it be even better if your E-Commerce tokenization solution never touched your data environment at all, thereby reducing PCI compliance for the checkout page to almost nothing? You really can achieve SAQ A or SAQ A-EP compliance with a true cloud tokenization solution. TokenEx distinguishes its tokenization for E-Commerce with flexible Hosted Payment Solutions.

Hosted Payment for PCI Scope Reduction

TokenEx provides two customizable solutions to reduce the scope of PCI compliance for checkout pages. Depending on the desired level of control over your checkout process, you can choose Hosted Tokenization Page (HTP or iFrame) or Browser-Based Encryption (BBE). Both TokenEx ecommerce web solutions significantly reduce the scope of PCI compliance starting at the critical payment page of the checkout process, keeping sensitive data from passing to your internal IT systems.

The TokenEx Hosted Tokenization Page (HTP) and iFrame solutions provide the maximum amount of PCI scope reduction. HTP can help a merchant achieve SAQ A, while BBE is eligible for SAQ A-EP. If you have multiple acceptance channels other than web checkout, you may not be able to use these exact SAQs, but you can still realize significant scope reduction. Below is a graphic from our website that provides a visual representation of PCI scope reduction. You can find details about our HTP and iFrame solutions here.

[Figure: PCI DSS requirements and TokenEx scope-reduction graphic]

Browser Based Encryption

If you need to keep all processing of customer transactions on your own web server instead of using TokenEx to host the payment processing, but still want to tokenize the payment and PII data, you can choose to implement tokenization using our Browser-Based Encryption (BBE). BBE pushes the first step of tokenizing payment data all the way to each customer’s browser: the card data is encrypted there with strong RSA public-private key encryption before it leaves the customer’s machine, which provides an additional shield to protect the payment data before it is tokenized.

Choosing E-Commerce Tokenization Solutions

With our existing customers, it seems the driver for picking BBE over HTP is the “control” aspect over the checkout page and sensitive data. However, as your control increases, so does your compliance obligation. For example, with BBE you are in complete control of the checkout process and are able to make changes to your application as fast as your internal Software Development Life Cycle (SDLC) allows, but this subjects you to more PCI requirements. Using TokenEx HTP you forfeit some degree of control over making rapid iterative modifications to the page, but HTP provides a greater reduction in PCI scope, since you are no longer hosting the page that accepts sensitive data. TokenEx can modify the hosted checkout page according to your specifications in accordance with our stated SDLC—which is designed to maximize security. However, some of our E-Commerce customers want to make changes faster than our SDLC will permit, so either the iFrame or BBE solution meets their needs.

Weighing Risk and Security

I feel that both the hosted and BBE solutions address the same risk and security concerns, since they keep the clear-text PAN out of your web servers. With BBE, only the encrypted PAN flows through your web server before being tokenized, so unless an attacker could break RSA 2048, the risk is greatly minimized. Using BBE in your web store is akin to the cipher text flowing through your call center with a P2PE device. Side note: If they can crack RSA 2048, I bet they’d have bigger targets in mind than your web servers.

Flexible Hosted Payment Solutions

A hosted payment page needs to be flexible enough to interface with your other E-Commerce partners, such as a fraud detection service or marketing analytics provider. The TokenEx Cloud Security Platform has the capability to pass payment information to your partner vendors so they can work in concert with your overall shopping experience. For example, as your customer fills out the payment form, the card information can be passed to a fraud detection partner, the transaction risk is rated, and a score is sent back to you via TokenEx to help decide authorization. Your systems never capture or store any payment information, just the tokens, keeping them outside the scope of PCI compliance.

TokenEx is committed to securing all types of sensitive data with unlimited flexibility to meet our customers’ business needs. Contact TokenEx to learn how to keep your organization’s sensitive data secure while reducing the costs of payment tokenization and PCI compliance.

Topic(s): payments , data security , PCI DSS , encryption , tokenization