PCI DSS outsourcing - Compliance Without EVER Touching Sensitive Cardholder Data

October 16, 2019

The next era of data security is already upon us, and it involves washing our hands of sensitive user data entirely.

Imagine a world where your business doesn’t have to worry about managing its own Payment Card Industry Data Security Standard (PCI DSS) compliance, simply because sensitive cardholder data never passes through your systems in the first place.

It’s a concept we call Zero Data.

Worrying about data breaches, obsessing over security controls and vaulting sensitive payment card data is no longer necessary when businesses embrace a Zero Data approach for their sensitive user data.

You may have already encountered something like this already.

Have you ever needed to send sensitive consumer information, like a Primary Account Number (PAN), to a third party that says they never store or transmit any payment card industry (PCI) data – yet still boast their PCI DSS compliance?

The Growing Stress of Modern Data Security Standards

These days, modern businesses must be very careful when it comes to their data security compliance management. From the California Consumer Protection Act (CCPA) to Europe’s GDPR framework, data-handling companies have to stay on their toes to make sure they are both achieving and maintaining their compliance status.

This often becomes an incredibly expensive endeavor. After all, sensitive information like credit card data flows through so many systems and touches so many third-party applications that figuring out how to design your information security controls can be wildly complex.

From hiring new team members to handle this task specifically, to reducing the bandwidth of existing information security team members by directing their attention to information security and meeting PCI DSS requirements, the time and human capital needed to become and stay PCI compliant is often much more than businesses first anticipate.

To put it simply: finding out where a company's sensitive data goes and trying to protect it all by yourself is usually more than business leaders want to deal with.

So, what’s the smarter, more cost-efficient path to take to become PCI compliant?

What about removing your business or service provider systems out of PCI DSS scope entirely?

It might sound impossible, but with up-to-date information security technology - like synthetic data aliasing - it is becoming a widely-used tactic for modern businesses and service providers that process cardholder data.

Out of Scope, Out of Mind

When businesses can ensure that no sensitive information, like customer credit card data, for instance, exists in one of their systems - then that system is completely out of scope for PCI DSS requirements.

After all, how can something be protected if it never showed up in the first place?

By descoping your secure systems from the requirements set by the PCI Security Standards Council, you can avoid having to worry about compliance entirely.

But companies need to collect, store and transfer sensitive data, like credit card data, to operate, period - so how can they still operate without access to that critical information?

The answer is the Zero Data approach - where businesses can use all the important sensitive information as they did previously without ever having that sensitive data pass through their network resources.

By teaming up with a trusted data security partner that enables Zero Data and descopes companies’ systems from PCI DSS compliance entirely, this is a simple and speed possibility.

Outsourcing Your PCI Compliance Worries

Thanks to an innovative new technique from Very Good Security (VGS), it’s fast and easy to minimize an online merchant’s PCI scope by taking sensitive data out of the equation - while still enabling businesses to collect and analyze all payment card information.

This means that companies can collect and treat sensitive information, like cardholder data, just as they did before without needing to ever touch the data themselves.

How is something like this possible?

By swapping out sensitive user data, in real time, with synthetic data called aliases, VGS compliance software enables online businesses to collect and process card payments from their users without ever letting the original data pass through their networks.

VGS takes care of all your organization’s data transmission and storage on your behalf – so you’re not in scope of protecting any sensitive data (because you aren’t holding any sensitive data in the first place).

But what is aliasing, exactly? Is it encryption or tokenization?

The answer to that question is neither, as VGS's aliasing technology takes information security a step further than both tokenization or encryption - two IT security techniques that are often considered to be the industry standard these days.

Tokenization vs. Encryption vs. Aliasing

When talking about cybersecurity, modern businesses often rely on two primary methods of data protection: encryption or tokenization.

What's the difference between encryption vs. tokenization?

Encryption sends data in an encoded format, which can only be solved with an encryption key that mathematically unlocks a highly-complex equation when it reaches its destination. The original sensitive data remains within the data element that is transferred, but is only decipherable using the correct encryption key.

Tokenization, on the other hand, swaps sensitive data with a nonsensitive, irreversible placeholder (the token) and safely vaults the original data until a tokenization solution swaps the token for the original sensitive information.

Both techniques have their own valuable advantages and unique drawbacks.
Tokenization is best used with structured data like credit card numbers or Social Security numbers, while encryption would be ideal for unstructured fields.

And where does aliasing fit in to all of this?

The aliasing technique that VGS Zero Data technology uses to protect sensitive data is neither encryption nor tokenization.

With sensitive information still vulnerable at the point of capture and the data vault, tokenization still puts businesses in scope for PCI compliance.

To improve upon this system, VGS developed a platform that would avoid sensitive data touching an organization's systems entirely while making the original data completely usable as if it was in its raw form.

Aliases are synthetic data placeholders generated and switched out in real time, so that original sensitive data does not flow through a business' networks at the point of capture or during the vaulting process.

Aliases enable VGS to collect, store and transfer sensitive data on behalf of a business, with the aliased data usable in the same way as the original data - and their development team doesn't need to change their applications (as is needed for tokenization).

Moreover, aliasing enables companies to save time and resources that would have been dedicated to developing their own security policy and managing their own security systems, all while effortlessly meeting all necessary compliance requirements.

Benefits of Going Zero Data

By leveraging VGS’ data aliasing technology, businesses reduce their PCI responsibilities from over 300 requirements to just 20 – radically slashing time and resources needed to obtain PCI Level 1 Compliance.

Typically, achieving PCI Level 1 Compliance is a process that takes up to twelve months to complete. With VGS, however, onboarding and full PCI compliance can be reached in under four weeks.

Separating business functionality from information security greatly reduces scope while freeing up time and financial resources to focus on what truly matters: growing your online business.

Apart from saving a substantial amount of time and human resources, businesses can also boast their PCI compliance level - which they “inherit” from VGS without ever having to really do anything themselves.

Ready to forget about your PCI DSS compliance concerns and leave it in the hands of a trusted data security partner? Contact VGS here.

Stefan Slattery Stefan Slattery

Product Marketing Lead


You Might also be interested in...


With CCPA amendments finalized, here’s everything you need to know about proposed verification rules

Channin Gladden October 17, 2019


Zero Data Hero Customer Spotlight - Seekom

Stefan Slattery October 8, 2019


Zero Data Hero Customer Spotlight - TravelBank

Ena Kadribasic September 24, 2019