De-scoping PCI Compliance

Utilizing Tokenization to Reduce Scope and Achieve PCI Compliance

Descoping a data environment to achieve PCI compliance is often the primary goal of entities subject to the PCI DSS. Several methods exist for achieving this, but one of the easiest and most common is to outsource the management of sensitive data, removing it from an environment entirely. By outsourcing the handling of sensitive data to security experts, companies can reduce compliance and operational costs while minimizing the risk and liability associated with a potential data breach.

An effective example of this outsourcing is the employment of cloud-based tokenization. This tokenization implementation can dramatically reduce the PCI scope for a merchant by removing sensitive data from an environment and storing it in a secure, cloud-based token vault. The simplicity and flexibility of this solution eases the burden on the merchant while simultaneously offering a more affordable compliance solution.

How Tokenization Helps

Tokenization is the process of converting sensitive data into nonsensitive data, resulting in the creation of a token (a piece of undecipherable placeholder data). The sensitive data is then securely vaulted and cannot be detokenized (returned to its original form) without the token and additional security information from the customer. Once data is tokenized, it can travel through your environment without bringing into scope any of the devices that store, process or transmit the token.

However, simply tokenizing data is not a comprehensive prescription for scope reduction. It’s also important to consider the type of tokenization, where it’s occurring and where the sensitive data is being stored. To ensure compliance and maximum scope reduction, you want to tokenize data before it enters your environment – preventing the introduction of PCI and other cardholder data – and store it in a secure place outside of your system. Cloud-based tokenization does just that.

Strategies for Scope Reduction

The first step toward successful scope reduction is properly identifying where payment card data enters your system and interacts with your environment. Once the data sources are identified, the next concern is tracking the sensitive data as it moves through your system, ensuring it’s not being stored anywhere. If you can avoid storing payment card data in your environment, you can completely eliminate PCI DSS Requirement 3 from consideration. (For a list of PCI requirements, check out our PCI Compliance Checklist blog.)

Another scope-reducing strategy is to push your boundary of PCI exposure outward. Techniques such as edge tokenization and the TokenEx iFrame accomplish this by tokenizing data early in the payment card acceptance process. Edge tokenization occurs at the load-balancer level, descoping the entire environment beyond that point. The iFrame captures and tokenizes sensitive data directly from the interface of a customer’s payment browser window, preventing payment card information from ever entering your environment.

Of course, not all environments and acceptance channels are the same, and different setups require different scope-reducing strategies. With this in mind, TokenEx offers a variety of flexible, easy-to-integrate solutions to meet the diverse needs of the payment industry. Here’s a summary of our services for PCI compliance and how they can help:


TokenEx’s iFrame solution provides a 100 percent fully managed card-acceptance channel. The fields of the payment form accepting the primary account number and sensitive authentication data are delivered to the consumer’s browser directly from TokenEx. Payment card data is then stored, processed and transmitted entirely within TokenEx’s secure environment, thereby fully removing your entire network and systems from PCI scope.

Browser-Based Encryption

TokenEx’s browser-based encryption implementation model allows ecommerce payment card data to be secured before it ever leaves the customer’s system. This allows for maximum flexibility and smooth integration. Although the web server is still partially responsible for securely processing cardholder data, which means it’s technically in scope, the merchant no longer receives unencrypted payment card data.

Edge Tokenization

TokenEx’s edge tokenization uses the scripting capabilities of load balancers to inspect and modify HTTP content on its way to an application, telling it how to identify sensitive data and what to do with it. As a credit card number travels through a load balancer, the load balancer identifies the credit card number and makes an API call to the TokenEx platform to tokenize it. TokenEx will then return the token to the load balancer, where it is then sent to the intended destination application. By tokenizing sensitive data before it enters your environment, all assets downstream from the load balancer are out of scope.

Point-to-Point Encryption

TokenEx’s integration with P2PE payment terminals allows payment card data to be captured and encrypted at the point of interaction, fully encrypting card-present and telephone acceptance channels from end to end. In this secure deployment model, merchants do not have access to payment card data or decrypting keys, so their systems and networks are not within PCI scope and control requirements. TokenEx provides integrations with most payment terminal vendors and models. Merchants using P2PE terminals for payment card acceptance may qualify to use the NESA (Nonlisted Encryption Solution Assessment) process.

Virtual Terminal

TokenEx’s virtual terminal allows merchants to access TokenEx’s data-vaulting capabilities through a standard web browser. Brick-and-mortar (card present) or mail/telephone (card-not-present) acceptance channels can directly tokenize payment card data as it is captured, thereby eliminating the need to store payment card data. TokenEx’s virtual terminal is provided and fully hosted in a PCI DSS validated environment.

API and Batch

TokenEx’s data-vaulting API and file-based batch tokenization services provide the merchant with the ability to fully integrate tokenization into any environment. This gives our customers freedom and flexibility to choose when, where and in what format tokenization occurs within the payment flow. Data vaulting cardholder data greatly simplifies PCI’s stringent data storage security requirements while at the same time significantly reducing the risk of data breaches.

Key Takeaways

Tokenization, specifically TokenEx’s platform, is an extremely versatile and effective solution for reducing PCI scope. We save our customers time, money and the hassle of self-managing and -maintaining a secure environment. With our flexible solution, you can count on seamless integration with your system, the support you need to implement it confidently and the functionality you’d expect from a leading tokenization service.

To learn more about tokenization, reducing PCI scope or how TokenEx can help you to secure any sensitive data set, contact us at


Keep Up With Our PCI & Privacy Blog