I work on the PCI DSS compliance of my company. After some research, I found out it is not a good idea to store any credit card data at all, as this makes things far more complex.

I found a payment provider offering a secure data vault in combination with a tokenization solution. As I don't want to audit all sub-modules of a large solution, I thought about writing a transparent proxy server which finds the credit card number (via a regular expression) and replaces it with a token; as soon as I want to send the credit card to a third party, I send it through the proxy and the proxy changes the token back into the credit card. This should reduce the secure coding requirements, including code audits, to the proxy, as all other code is only ever handling the token.

I use ASP.NET MVC / WebForms and WCF. What is the best way to get something like this done? I thought about writing an HttpFilter / ISAPI filter to do this job.

Maybe there is already a product like this? Does this idea make sense at all?


Solution

I would caution against such an approach.

1) A regex to catch all possible CCs may be too complex or may not work for certain situations (dashes, spaces, dots, errors in the CC numbers).
2) You may catch false positives for data that looks like a CC number but isn't (especially binary data).
3) You may not be able to catch mis-typed CC numbers.
4) It "feels" wrong.

I would suggest going one step further with your payment processor and finding one that not only offers a PCI-compliant, tokenized CC storage space, but also a CC-capture page to which you redirect when it comes time to capture CC details from the user. This way your apps do not have to do anything.
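As an added illustration (not part of the question or of this answer, and not code from any payment provider), the Python sketch below implements the regex-plus-Luhn matcher the question proposes and runs it over constructed sample text so that each of the four objections above can be observed directly. The regular expression, the `tok_NNNN` token format, the in-memory `vault` dictionary and the sample lines are all assumptions made for the demonstration; the card numbers are the public Visa test number and a well-known Luhn-valid test string, not real data. Python is used for brevity, the logic is the same in an ASP.NET filter.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally split into groups by ONE space,
# dash or dot between digits. This pattern is an illustrative assumption;
# widening it to accept more formattings also widens what it catches by accident.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ .-]?){12,18}\d(?!\d)")
SEP_RE = re.compile(r"[ .-]")
TOKEN_RE = re.compile(r"tok_\d{4}")   # assumed token format for this sketch


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: the check digit every real card number carries."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_candidate_pans(text: str) -> List[Tuple[str, bool]]:
    """Return (raw match, passes Luhn) for every regex hit, in order."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = SEP_RE.sub("", m.group(0))
        hits.append((m.group(0), luhn_valid(digits)))
    return hits


def tokenize(text: str, vault: Dict[str, str]) -> str:
    """Replace each Luhn-valid candidate with an opaque token.

    `vault` stands in for the provider's data vault; it maps token -> PAN,
    so whichever process holds it is handling card data and stays in PCI scope.
    """
    def repl(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = SEP_RE.sub("", raw)
        if not luhn_valid(digits):
            return raw                      # passed through in the clear
        for tok, pan in vault.items():      # reuse the token for a known PAN
            if pan == digits:
                return tok
        tok = f"tok_{len(vault) + 1:04d}"
        vault[tok] = digits
        return tok
    return PAN_RE.sub(repl, text)


def detokenize(text: str, vault: Dict[str, str]) -> str:
    """Reverse direction of the proxy: swap tokens back for the stored PAN.

    The original formatting (spaces, dots) is not recoverable, only the digits.
    """
    return TOKEN_RE.sub(lambda m: vault.get(m.group(0), m.group(0)), text)


# Constructed sample traffic, not real data: 4111... is the public Visa test
# number, 1234567812345670 is a Luhn-valid test string used here as an order id.
SAMPLE = "\n".join([
    "order 1234567812345670 shipped",        # not a card, but passes Luhn
    "card 4111 1111 1111 1111 exp 12/29",    # test PAN, space separated
    "alt 4111.1111.1111.1111",               # same PAN, dot separated
    "typo 4111 1111 1111 1112",              # mistyped check digit
    "ts 1700000000123457",                   # 16-digit timestamp-like value
    "wrapped 4111  1111 1111 1111 end",      # double space: the regex misses it
])


if __name__ == "__main__":
    for raw, ok in find_candidate_pans(SAMPLE):
        print(f"{raw!r:28} luhn={'ok' if ok else 'FAIL'}")
    vault: Dict[str, str] = {}
    print(tokenize(SAMPLE, vault))
    print(vault)
```

Running it shows the four objections in one pass: the order id is tokenized even though it is not a card (Luhn only removes about nine in ten random digit strings, so false positives survive), the mistyped card is passed through in the clear because the filter has nothing to distinguish it from ordinary digits, the double-spaced card is never seen by the regex at all, and the `vault` dictionary ends up holding raw PANs, which is exactly the component that cannot be taken out of scope.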

Other tips

You may want to look into something like Authorize.Net's Customer Information Manager (CIM) API, which allows you to create payment profiles that are stored on Authorize.Net's servers and charge against them at a future date using a profile ID (a.k.a. token).

The PCI Security Standards Council has released a guideline on tokenization. You can find it here: https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf

It's important to note (as it seems like you know anyway) that while you can use tokenization to reduce the impact of PCI, it's unlikely to remove all of your systems from having to comply as at least the tokenization proxy will be in scope.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow