Share this with your colleagues

How to make tea without boiling the ocean: When User Experience, Strong Customer Authentication and the Payment Card Industry’s security standards go hand in hand

As a platform, MishiPay operates across multiple retailers, many with their own payment gateways and acquirers.  For shoppers to use our application seamlessly – to enter credit card details in one store and use those same details in another, regardless of gateway, MishiPay has to store those card details – creating a challenge under the Payment Card Industry’s Data Security Standards (PCI-DSS).  This article explores how we’ve achieved a great user experience and streamlined Strong Customer Authentication without increasing our (and your) PCI scope by adopting TokenEx as our tokenisation vault and a new payments platform.

 

For those in the know, PCI-DSS is all about scope.  The more systems cardholder data touches, the tougher things become.  Further, requirement 12.8 states that any entity involved in payment card processing, including merchants, processors, buyers, issuers, and service providers, must have policies and procedures in place to manage their service providers.  This puts the security of any third-party system such as MishiPay front and centre in the eyes of the merchant.   Getting PCI-DSS right, however, simplifies that footprint.  Reducing or eliminating the storage of cardholder data reduces the number of controls and complexity for MishiPay as a platform, and it also does the same for the Merchant under requirement 12.8.

 

As a platform, MishiPay works with multiple merchants across the globe, connecting shoppers to those merchants – in-store with our Kiosk and Scan and Go solutions as well as out of the store for Order Ahead, Click & Collect and soon Delivery To Home.  Some merchants are happy to work with our payment gateways of choice, while others are keen to retain the relationship and commercial arrangements with their incumbent supplier.  Shoppers, therefore, would traditionally be greeted with the payment page of the store they were visiting to complete the transaction.

 

As the number of stores increased we inevitably saw different merchants offering MishiPay in the same town or city.  This could be confusing for shoppers, forcing them to use different looking card-entry screens and entering their card details twice.  Worse, some merchants operate with unique Merchant IDs (MIDs) for each store. This means that a card saved against retailer X could not be recalled further up the road in the same retailer brand.

What was needed was a safe way to store cardholder data across all PSPs (Payment Service Providers) without exploding our PCI scope.

Tokenisation (changing the card number to a unique sequence which is not the original card number) effectively eliminates the need to store raw card numbers.  We were already very familiar with tokenisation; most PSPs support it, however tokens produced with one PSP are rarely compatible with another.  Furthermore, there are PSD2 rules around the storage of cardholder data for future use, which means strong customer authentication came into play.

 

We looked at a number of providers and settled on TokenEx, one of the longest established card tokenisation providers in business today.  We also took the opportunity to modernise and re-write our payments platform, for which there were multiple drivers: firstly, working with multiple PSPs had resulted in a fairly unstructured approach to handling the various responses.  Secondly, the implementation of strong customer authentication was inconsistent across all providers and it was necessary to upgrade to support the latest standards (3DS 2.x).  Finally, tokenising cards for re-use has very specific requirements around strong customer authentication.  A new payments platform could be engineered to meet all of these requirements, and more as new PSPs were added in the future.

 

TokenEx provides MishiPay with a standard set of iFrame based and native (iOS and Android) card data entry forms.  This ensures that all cardholder data is sent securely to TokenEx’s PCI Level one European datacentres.  Our backend servers then receive the card tokens which can then be used to make payments.  These tokens are sent via the TokenEx transparent gateway to the PSP in question, and this converts the token into a raw PAN.  At no time can any MishiPay staff or systems gain access to that PAN.  Strong Customer Authentication is used on the very first journey to ensure that the card does indeed belong to the shopper before it is stored.  Our payments platform ensures that this whole process is handled seamlessly regardless of whether you are running on one of our native apps or visiting from a mobile browser.

 

Business benefits are clear: our new PSP-agnostic payments platform allows merchants to onboard faster (typically within 1-2 weeks) and without concerns on PCI scope.  Shoppers have a more seamless card entry experience, and can use their saved cards across all stores without having to re-enter their information (only their CVV, which is never stored).  Strong Customer Authentication is applied in a structured manner which means around 40% fewer soft declines alongside reduced likelihood of fraud.

 

Getting the User Experience right can often be a challenge, particularly in the light of regulatory requirements such as PCI-DSS and PSD/2.  In this case we were able to engineer in the best of breed solutions needed to simplify PCI-DSS and reduce the impact of Strong Customer Authentication.

If you would like to discuss how MishiPay can securely improve the payment journey in your stores, please contact us. 

 

[contact-form-7 id=”20424″ title=”TokenEx White paper Request”]

Continue reading