What are the 3D Secure 2.0 Exemptions?
When shopping online or over the phone, has anyone ever wondered how secure their credit card data really is? Typically every consumer wants to believe that their data can not be compromised but how can they be sure? In order to answer these question, there are a few things that consumers need to know.
First off it’s important to understand that all companies that accept credit card data must follow strict guidelines, known as PCI compliance. There are many ways for a company to become PCI compliant for example they can do it themselves however it is extremely costly and time-consuming. Even if only one question is missed the company is no longer PCI compliant. Another way a company can become PCI compliant is by partnering with a payment gateway and have them store the cardholder data instead. That sounds like it solves a lot of problems because the organization is no longer responsible for storing the credit card data. In its place, they are given what is called a token, which is a set of numbers used to identify the card through a specific payment vault. If the token is taken by someone for a malicious reason there is no way to compromise the card itself because the token can not be decrypted. Although a token replaces the credit card, the company is still responsible for collecting all the credit cards first, in order to send them to the payment gateway to be stored. During this time the card can still be breached if the company is not careful enough, which puts not only the customer at risk but also the company. So what is the best solution for PCI compliance? The solution is partnering with a PCI host, these companies are 100% PCI compliant and have PCI solutions using IVRs and IFRAMEs. These solutions ensure that companies are not responsible for collecting, handling and storing cardholder data at any time. This makes PCI compliance much easier for companies, giving them time to focus on their services and products while still knowing that their customers are safe from credit card fraud.
How does collecting data work through a PCI host, well that’s simple? Data can only be collected for online shopping carts/e-commerce and call centres through a 3rd party PCI host. Call centre’s use what’s called an IVR, which is an example of a computer–telephone integration. This can be implemented by a third party which is then used to collecting credit card data by communicating through dual-tone multi-frequency signalling (DTMF). Once the card number has been collected, the IVR can then turn the card number into a token and send the token back to the company, along with the results from the payment. Online shopping carts work in a similar way, however, they use what’s called an IFRAME which is an HTML document embedded inside another HTML document that originates to a different domain. This can be used by a PCI host to insert a shopping cart within the website, and have the customer’s card information sent directly to the PCI host servers instead of the company. Just like the IVR the IFRAME will then tokenize the card number and return that to the organization along with the results of the transaction. Once the cardholder data is collected by the 3rd party it is then stored in a payment vault by the PCI host and can only be accessed if the token is given by the organization to process a payment. This solution makes PCI easier and more cost-efficient for all online and call centre organizations, Allowing customers the trust they need to continue working with the companies.