About the company
Papaya Gaming is a market-leading mobile games company. With powerful, innovative technologies, they develop a platform that turns popular, casual, single-player games into skill-based, multiplayer experiences enjoyed by millions worldwide.


Industry: Mobile Skill Games
Location: Tel Aviv
Company Size: Commercial
Products Used: Mobile API and Transparent Gateway
Balancing security and compliance
As a former PCI Qualified Security Assessor, Papaya Gaming Chief Information Security Officer (CISO) Michael Abramov knows the challenges of storing sensitive payment information, especially since the time and effort of PCI compliance audits can take away from other pressing security issues.
“I’m always balancing compliance requirements with security requirements and procedures,” Abramov said. “We want to focus on securing our data and securing our users, and not spend all our time just on compliance processes.”
A big part of compliance in Abramov's role as CISO is ensuring that Papaya follows the Payment Card Industry Data Security Standards (PCI DSS). These standards ensure that customer payment information is handled safely and securely.
Working with TokenEx gave Papaya an easy solution to address PCI DSS concerns. Payment information could go directly to TokenEx and then to Papaya's payment processors. None of its customers’ payment information would be stored in Papaya's internal systems.
Easy audits and multiple processors
One immediate benefit of working with TokenEx is the reduced effort for PCI audits. “Our scope for the PCI audit will be really small,” Abramov says. “We don’t need to meet all the requirements because we are not storing any sensitive payment information. We don’t store the cardholder data, and the payment processing goes through TokenEx.”
If Papaya weren’t using TokenEx and had to store this sensitive information in their internal systems, it would be a significant and costly change to their infrastructure. According to Abramov, “We would need to change our whole environment, hardening all of our servers and enabling a lot of monitoring. And meeting these PCI requirements alone would take away from other security-related initiatives.”
Finally, working with TokenEx allowed Papaya to easily work with multiple payment processors. With TokenEx, there is a single token that can be used across all of its payment processors. And it gives Papaya the flexibility to easily add new processors in the future if needed.
How it works
Papaya utilizes the TokenEx Mobile API to capture sensitive data in its mobile application. When a customer using the app provides credit card information, this information is sent directly to TokenEx. TokenEx stores the data and returns a non-sensitive token to Papaya. This ensures that payment information never enters their internal systems, drastically reducing their PCI scope.
When Papaya needs to charge a customer, they send the token for that customer to TokenEx. TokenEx detokenizes the payment information and sends it to the appropriate payment processor. Since the TokenEx token isn’t tied to a specific payment processor, it works with all of their existing payment processors and gives Papaya the flexibility to work across multiple payment processors.
Improved data security and payment flexibility
Papaya Gaming drastically reduced effort for PCI audits.
Papaya Gaming increased focus on higher-priority security issues.
Papaya Gaming enabled working with multiple payment processors.


“I definitely recommend using TokenEx. I know how it has eased my life as a CISO. We are not storing any payment data within our platform, and that’s a big success for me. I don’t need to deal with it because it’s not a risk for us.”
Michael Abramov
Chief Information Security Officer, Papaya Gaming