PX+ by GMO is a media outlet that helps businesses grow (the "+") through ideas and services that improve PX (Payment Experience).

Security Bulletin


What is the difference between "non-retention of card information" and "PCI DSS"? Security measures e-commerce merchants should choose between


Key points of this article

  1. "Non-retention" is a state in which the merchant does not store, process, or transmit credit card information in its own environment; "PCI DSS" is the international security standard for protecting that information when you do hold it
  2. Besides preventing leakage, merchants must also implement fraud countermeasures (EMV 3-D Secure, etc.) and vulnerability countermeasures for their sites
  3. Stable, fast payment processing is essential for business continuity, so choosing a partner with a robust payment foundation matters


For merchants who operate e-commerce sites, how to protect end users' credit card information is one of the issues that most directly affects business continuity. Under the revised Installment Sales Act, in force since June 1, 2018, and its practical guideline, the Credit Card Security Guidelines, e-commerce merchants are required to take appropriate security measures.

Specific measures to address this issue include "non-retention of card information" and PCI DSS compliance. In this article, we will explain the differences between these two mechanisms and what to keep in mind when introducing each.

Protect the card information you hold (PCI DSS), or do not hold it at all (non-retention)?

Credit card payment is the main payment method on e-commerce sites, but it carries the risk of card information leakage. If information leaks from the merchant's environment, the resulting damages and loss of brand image can threaten the survival of the business.

To address this risk, the Credit Card Security Guidelines require merchants to complete one of the following two measures:

  1. PCI DSS compliance (keep the information in-house and follow the standard's strict rules)
  2. Non-retention of card information (arrange matters so the company never has the information at all)

Understanding their definitions correctly is the first step to an optimal security strategy.

1. PCI DSS Compliance: An international standard for "securely managing and retaining" information in your environment

PCI DSS (Payment Card Industry Data Security Standard) is a global security standard for protecting card information, jointly established by the five international card brands.

  • Scope: All merchants that store, process, or transmit credit card information on their own devices and networks.
  • Requirements: Because you hold the information yourself, you must satisfy detailed controls organized under 12 requirements, such as protecting the cardholder data environment with firewalls and encrypting stored card data.
  • Ongoing burden: Maintaining compliance requires continuing cost and expertise, including an annual on-site assessment by a QSA (or a self-assessment questionnaire, SAQ, for smaller merchants) and quarterly vulnerability scans.

This path suits large e-commerce sites with advanced in-house system requirements, and merchants who want to manage card information centrally in their own database.

2. Non-retention of card information: A state of "no information" in the company's environment

Non-retention, by contrast, is not itself a rule or standard. It is a state in which credit card information is not stored, processed, or transmitted on any equipment or network owned by the merchant.

  • The key word is "transmitted": Even if the card number is never written to a database, if the card information entered by the end user passes through the memory of the merchant's web server, or lands in a log file even for a moment, the merchant is treated as holding card information. Non-retention means the data must not pass through your environment at all.
  • Why this removes the PCI DSS obligation: If your configuration neither stores, processes, nor transmits card information in your own environment, you are not required to bring that environment into PCI DSS compliance. The processing and protection of card information is entrusted to external, PCI DSS compliant specialist systems (payment processing companies, BPO providers, fully managed SaaS, etc.), so the company has no card information of its own to protect. You must still confirm the division of responsibilities with each provider and implement the measures that remain your own responsibility.

Which method to choose depends on the merchant's system configuration, resources, and operational objectives, so please consider appropriate responses.

A concrete approach to achieving "non-retention"

So, how can we achieve non-retention that does not even allow information to "pass through"? Depending on your business model and order channels, there are mainly the following approaches.

1. Using connection methods provided by a payment processing company (web orders)

For e-commerce sites built in-house, the most common approach is non-retention through a connection method provided by a payment processing company such as GMO-PG.

  • Token (JavaScript) payment: The card information the end user enters on the checkout page is sent directly from the browser to the payment processing company, without passing through the merchant's server, and is exchanged for an opaque string (a token). Only this token reaches the merchant's server, so you can design the checkout screen and user experience (UX) freely in-house while still achieving non-retention. Because the form itself is still served from your page, the integrity of that page matters, which is one reason the vulnerability countermeasures described later remain mandatory.
  • Link-type (redirect) payment: At the moment of payment the user is redirected to a dedicated, high-security payment page hosted by the payment processing company. This requires the least modification on the merchant's side and makes reliable non-retention easy to achieve.

2. Approaches using external specialized systems

Besides the connection methods of a payment processing company, the following approaches also keep card information from passing through the company's environment.

  • ASP/SaaS cart systems: Build the e-commerce site on a platform with non-retention built in.
  • BPO (outsourcing): Outsource call center and paper order handling entirely to an external, PCI DSS compliant contractor.
  • Dedicated payment terminals (CCT terminals, etc.): The terminal communicates directly with the payment network without ever touching the company's own network.

By properly incorporating these mechanisms into their operational flows, merchants can achieve non-retention across all channels.

Non-retention is not the end: the next security measures

So far, we have explained non-retention and PCI DSS to "protect card information itself (prevent leakage)", but in fact, this is not the only measure required by the "Credit Card Security Guidelines".

In addition to the measures against information leakage, the following two measures are also mandatory.

  1. Credit card fraud countermeasures (EMV 3-D Secure, etc.): Leakage countermeasures protect the card data on your site; fraud countermeasures address "spoofing", where a third party uses card information stolen elsewhere to shop on your site. In principle, e-commerce merchants are required to implement EMV 3-D Secure and appropriate countermeasures against unauthorized logins.
  2. Vulnerability countermeasures for the e-commerce site: Measures to prevent cyber attacks that exploit weaknesses (vulnerabilities) in the website itself.

EMV 3-D Secure is explained in more detail in a separate article.


Track record matters: build an optimal security environment and focus on your core business

When selecting a payment system, whether it supports non-retention is not the only thing that matters. Processing must be fast enough not to dampen end users' desire to buy, and the system must stay stable under sudden concentrations of traffic.

Our "PG Multi-Payment Service" offers connection methods that support non-retention, such as tokenization and link-type payment. Its OpenAPI connection type follows web standards and can be combined with the existing connection methods, improving development and operational efficiency.

Summary: Optimal selection according to the business phase of the merchant

Protecting credit card information is an unavoidable issue when running an e-commerce business based on the Installment Sales Act.

Will you build to your own advanced requirements and take the path of PCI DSS compliance, or use specialized systems and choose the non-retention state? Whichever you choose, a robust and reliable payment foundation behind it is essential.

With a solid foundation and a track record of supporting payments for many merchants, GMO-PG, which maintains full PCI DSS compliance, supports merchants' safe business development. Please feel free to consult our expert staff about the non-retention method best suited to your site's configuration.



Author

PX+ by GMO Editorial Department


The PX+ by GMO editorial team is a dedicated media team at GMO Payment Gateway specializing in payments and the Payment Experience (PX).
Drawing on the latest trends and practical know-how in payments, e-commerce operations and cashless payment in general, as well as examples from growing companies, the team compiles and supervises practical, reliable information useful for business growth.
