Payment Card Industry Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organisations that handle credit cards from the major card schemes. All Program Managers who handle customer card data must be compliant with this standard. See: https://www.pcisecuritystandards.org/pci_security/

If you are not PCI DSS Level 1 compliant, you are not able to retrieve the full PAN from the Thredd platform. In this case, Thredd provides a number of options to support your requirements:

Using the Thredd Public Token

Customers who are not PCI DSS compliant must use the Thredd-created Public token, which is unique per card and is used to query and manage all transactions on that card. The public token is generated when you submit a Create Card request using the Thredd web services or Cards API, and is returned in the response to your request.

Using a Third Party Service Provider

For customers who are not PCI DSS compliant, but need to implement services such as Push Provisioning (i.e., as part of the Thredd tokenisation service), Thredd provides an integrated solution with third party service providers who can do this on your behalf.

Current third party service providers include: MeaWallet and Digiseq. For more information on these service providers, please contact your Account Manager.

Implementing Push Provisioning and PCI Compliance

Push provisioning (also referred to as in-app authentication) is a process where the Program Manager (i.e., your systems) pre-authenticates the cardholder before the first token provisioning message is sent to the token service provider (Visa/Mastercard).

Push provisioning requires you to share sensitive card data held on your system with the token service provider (without the cardholder needing to manually enter the PAN details into their mobile application). The cardholder must be logged into their account (i.e., logged in to their mobile application) in order to be able to authenticate. You can implement push provisioning either directly with the token service provider or via the services of a third party service provider.

The third party service provider is able to retrieve the PAN and other relevant card data directly from the Thredd platform. They then encrypt the card data and send the encrypted payload to your cardholder’s mobile phone application to pass to the token requestor and then to the token service provider (Visa/Mastercard).

Figure: Third Party Push Provisioning (in-app Authentication) Service

During the project implementation phase, pre-shared keys are exchanged between the third party service provider and the token service provider, allowing the third party service provider to encrypt, and the token service provider to decrypt, the card data. The Program Manager and token requestor do not have access to the keys.
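The following Go program is an added illustration of the key-separation property described above and of the public-token model from the earlier section; it is not Thredd code and does not reflect the actual wire format used by MeaWallet, Digiseq, Visa or Mastercard. It assumes a pre-shared AES-256 key between the third party service provider and the token service provider, AES-GCM as the encryption mode, a JSON card record, and a constructed card vault keyed by a made-up public token (`PUBTOK-0001`) holding a well-known test PAN. The Program Manager and the token requestor only ever handle the opaque payload: they cannot read the PAN from it, cannot decrypt it without the pre-shared key, and a payload sealed for one public token cannot be replayed against another because the token is bound as associated data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// CardData is the sensitive record the third party service provider (TPSP)
// retrieves from the PCI-scoped card platform. Field names are assumptions.
type CardData struct {
	PAN        string `json:"pan"`
	Expiry     string `json:"expiry"`
	HolderName string `json:"holder_name"`
}

// cardVault stands in for the card platform: the TPSP resolves a public token
// to card data; the Program Manager never holds the PAN. Constructed test data.
var cardVault = map[string]CardData{
	"PUBTOK-0001": {PAN: "4111111111111111", Expiry: "12/29", HolderName: "J DOE"},
}

func newGCM(psk []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(psk) // 32-byte psk selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealPayload is the TPSP side: look the card up by public token and encrypt it
// under the pre-shared key. The public token is authenticated as associated
// data so the payload is tied to exactly this card.
func sealPayload(psk []byte, publicToken string) ([]byte, error) {
	card, ok := cardVault[publicToken]
	if !ok {
		return nil, errors.New("unknown public token")
	}
	plain, err := json.Marshal(card)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(psk)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Payload layout: nonce || ciphertext || GCM tag. This is all the relay sees.
	return append(nonce, aead.Seal(nil, nonce, plain, []byte(publicToken))...), nil
}

// openPayload is the token service provider side: decrypt with the same
// pre-shared key and the same public token as associated data.
func openPayload(psk []byte, publicToken string, payload []byte) (CardData, error) {
	var card CardData
	aead, err := newGCM(psk)
	if err != nil {
		return card, err
	}
	if len(payload) < aead.NonceSize() {
		return card, errors.New("payload too short")
	}
	nonce, ct := payload[:aead.NonceSize()], payload[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(publicToken))
	if err != nil {
		return card, err // wrong key, wrong token, or tampered payload
	}
	return card, json.Unmarshal(plain, &card)
}

// relayExposesPAN models what the mobile app and token requestor can learn
// from the bytes they forward: the PAN must not appear in them.
func relayExposesPAN(payload []byte, pan string) bool {
	return strings.Contains(string(payload), pan)
}

func main() {
	psk := make([]byte, 32)
	rand.Read(psk) // exchanged out of band during project implementation
	payload, err := sealPayload(psk, "PUBTOK-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("relay sees %d opaque bytes, PAN visible: %v\n",
		len(payload), relayExposesPAN(payload, "4111111111111111"))
	card, err := openPayload(psk, "PUBTOK-0001", payload)
	fmt.Printf("TSP decrypted PAN ending %s, err=%v\n", card.PAN[12:], err)
	_, err = openPayload(make([]byte, 32), "PUBTOK-0001", payload)
	fmt.Printf("decrypt without PSK: err=%v\n", err)
}
```

The point to take from this is structural rather than cryptographic: the only party that can turn the payload back into a PAN is the one holding the pre-shared key, so the Program Manager's systems stay out of PCI scope for that data even though they carry it.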

For more information on implementing tokenisation, including Push Provisioning, see the Tokenisation Service Guide.

For information on the requirements for push provisioning cardholder authentication, please discuss with your mobile wallet token requestor.