KSS

Reputation: 345

Secure DataVault for storing credit card details - PCI DSS

I have been reading a few articles which describe using a Datavault and tokenisation to reduce PCI DSS burden.

My question is, are there any companies that offer to store data like credit card information securely in exchange for a token, and do they offer the ability to then view the data by authenticating yourselves and providing a token back to them?

Would this setup be PCI DSS compliant?

Upvotes: 1

Views: 2234

Answers (3)

user2263768

Reputation: 1

There are third party services like Spreedly that can help you. However, the key point is that you can't see the raw card data. Once you do that (view it) you're in full PCI compliance scope, which removes a large part of the value proposition that you had in mind when using a third party service to do tokenization. Spreedly does have a PMD offering which will let you pass the raw CC data to a third party API you designate, so that may solve the problem.

Upvotes: 0

t0mm13b

Reputation: 34592

What happened to PayPal? They are recognized globally; use them to your advantage. They have the SDKs to allow interaction with the PayPal processing server...

@KSS: ok, fair enough, but you would be removing the security burden from yourself, which would be offset by the cost of the additional fees. On one hand, additional fees; on the other, security issues governing storage of credit card processing. That's what PayPal does. Sure, the fees may be expensive, but that would long-term save you the cost of security headaches and grief (which can run into thousands of USD: getting certified, security certificates, uptime, server costs, etc.)

Upvotes: 0

PaulG

Reputation: 14041

The companies you're referring to are commonly called Payment Service Providers (or PSPs), and examples would be SagePay, PayPal, Authorize.net, etc.

These companies generally don't just act as a datastore, they also allow authorization and settlement of the card payment. You store only a token id on your side, and use the token id to request authorization/settlement/refund etc as required. Getting the card details back from the PCI compliant provider is not possible as it would compromise their PCI compliance.

Using a PSP alone will not magically make you PCI compliant, but it will make it significantly easier, as it removes all the burden associated with storing of card details. You will still have areas of PCI that you will need to comply with though, mainly regarding transmission of card details to the PSP.

Upvotes: 1
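The store-a-token, charge-by-token flow described in the answer above, as an added Python sketch; this is not code from the post or from any real PSP. `PspVault`, `Merchant`, the method and field names are assumed for illustration, and the card number is a constructed test value.

```python
import secrets

class PspVault:
    """Stand-in for the PSP's PCI-scoped vault (hypothetical, in-memory)."""
    def __init__(self):
        self._cards = {}  # token -> (PAN, expiry); never leaves this class

    def tokenize(self, pan, expiry):
        # Return an opaque token plus only non-sensitive display data
        token = "tok_" + secrets.token_urlsafe(16)
        self._cards[token] = (pan, expiry)
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def authorize(self, token, amount_cents):
        # The PSP resolves the token to the PAN internally; the merchant never sees it
        if token not in self._cards:
            raise KeyError("unknown token")
        return {"auth_id": "auth_" + secrets.token_hex(8), "amount": amount_cents}

    def refund(self, auth_id, amount_cents):
        return {"refund_of": auth_id, "amount": amount_cents}
    # Deliberately no detokenize(): returning the PAN would put the
    # merchant back in full scope, as the answer above explains.

class Merchant:
    """Merchant side: keeps only the token id and display data, never the PAN."""
    SENSITIVE_FIELDS = {"pan", "cvv"}

    def __init__(self, vault):
        self.vault = vault
        self.customers = {}

    def save_card(self, customer_id, pan, expiry):
        record = self.vault.tokenize(pan, expiry)
        assert not (self.SENSITIVE_FIELDS & set(record)), "PAN must not be stored"
        self.customers[customer_id] = record
        return record

    def charge(self, customer_id, amount_cents):
        return self.vault.authorize(self.customers[customer_id]["token"], amount_cents)

def demo():
    vault = PspVault()
    merchant = Merchant(vault)
    merchant.save_card("cust-1", "4111111111111111", "12/29")  # constructed test PAN
    auth = merchant.charge("cust-1", 1999)
    refund = vault.refund(auth["auth_id"], 500)
    return merchant.customers["cust-1"], auth, refund
```

What remains in the merchant's scope is the moment the PAN is accepted and transmitted to the vault, which is the part the answer says a PSP does not remove.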
