At Shift4, we fully believe that there is no such thing as too much security when it comes to your transactions and your customers' financial data. That is why Shift4's DOLLARS ON THE NET® application meets or exceeds all card association security requirements and has been independently audited against them. In fact, Shift4's DOLLARS ON THE NET solution uses security protocols that meet or exceed those used in the United States' ATM networks.
Shift4 maintains two separate, extremely secure and fully monitored data centers in the Southern Nevada area. These data centers are on separate portions of the power grid and have different communications connectivity. Each data center meets all of the physical security requirements and the hardware and operating system configuration requirements of the National Security Agency's (NSA) C2 (Orange Book) recommendations.
After September 11, 2001, the United States government put the security and viability of the nation's financial networks in the hands of the card associations – Visa, MasterCard, etc. As a result, each card association greatly increased their already strict security requirements and parameters.
The various card associations each created their own security requirements and programs – Visa's Cardholder Information Security Program (CISP), MasterCard's Site Data Protection (SDP), American Express' Data Security Operating Policies (DSOP) and Discover's Information Security & Compliance (DISC) regulations.
In December of 2004, the card associations came together to create the Payment Card Industry Data Security Standard (PCI DSS), which offers a single approach to safeguarding sensitive data for all card brands. Shift4 is 100% compliant with PCI DSS and has been independently certified as such. In fact, Shift4 was the first payment gateway of its kind to be certified. To find out more about PCI DSS, visit www.visa.com/cisp or download a copy of the regulation here.
All cardholder data is maintained exclusively for the use of our customers in the authorization, settlement, archiving and retrieval of credit card information in the course of their business. Shift4 does not grant access to or sell any of our customers' cardholder information for any purpose. Shift4 maintains the information as it would its own top-secret information. All credit card numbers and expiration dates in the database are encrypted in accordance with PCI DSS. In reporting, all credit card numbers are, by default, masked, showing only the first four and last four digits of the card number.
To abide by the card associations’ current requirement of not storing credit card data, Shift4 has developed a new Tokenization technology, which enables merchants and payment application vendors to enjoy the highest level of payment processing security possible without requiring a lot of time, money or resources.
In order for merchants and Point-of-Sale (POS) or Property Management Systems (PMS) to be secure and pass their certification or validation process, they cannot hold any credit card data after the initial authorization.
In the card associations' new universal security standard it states: "Keep cardholder information storage to a minimum. Develop a data retention and disposal policy. Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy. Do not store sensitive authentication data subsequent to authorization (not even if encrypted)." - Payment Card Industry Data Security Standard (PCI DSS), as seen on www.visa.com/cisp.
The problem is that this information has been historically stored and utilized to enable merchants to perform incremental authorizations on a credit card. For example, this information is used to process tips and tabs in a restaurant environment, enable recurring billing for retail and eCommerce merchants, and is essential to lodging and auto rental merchants who charge multiple items, nights, etc. to a single invoice. So how can a company leverage the same features without the security risk? Shift4 Tokenization.
With Tokenization, the purchase starts off the same. The merchant swipes the card data and sends it over to Shift4 fully encrypted. Shift4 sends the card data on to the processor and receives back from the processor an approval. All this is the same as it is today; it is after this point where the process differs. Instead of sending back the card data to the merchant and the POS/PMS system, Shift4 turns the data into a Token. A Token is a globally unique, randomized representation of credit card data that is 16 characters long. For payment applications and merchants who utilize Shift4, only the Token is stored in the system.
The Token spans the lifetime of the transaction, even into history, so it provides all the same support for tips, tabs and incremental authorizations. Basically, the Token is stored on the POS/PMS system, and when an incremental authorization is required on the card, the Token is sent to Shift4. The Token represents a specific credit card transaction and the card data that is stored in Shift4's data center. When the Token is sent through, Shift4 translates that Token into the card data and sends it to the processor. The processor sends back the authorization code; Shift4 turns the card data back into a Token and sends that, along with the approval code, to the merchant. The authorization goes through and again no credit card data is stored on the merchant's system. That means the merchant doesn't need the card number or data past the initial request, so there is absolutely no reason to store this potentially dangerous information. DOLLARS ON THE NET now houses all the cardholder data, relieving the merchant's burden of storing, transporting and protecting the sensitive data. Shift4's gateway, DOLLARS ON THE NET, has been successfully and securely managing, transporting and storing data for years.
Best yet, adding Tokenization is a truly small change with big results. It requires a small change on the POS and PMS side: they need to add an addendum asking for this block, and of course they need to store the Token. But even this part is easy. The Token can be stored in the now empty card number field, which is already set up to receive this type of data. Also, because the Token includes the last four digits of the credit card number, all of the POS and PMS system reports will still be fully functional.
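The token flow described above, and the POS-side change of storing the Token in the old card number field, modelled as an added Python example (this is not Shift4's code; the vault, the processor stand-in, the token alphabet, the report masking and the card number are all constructed for illustration):

```python
import secrets
import string
ALPHABET = string.digits + string.ascii_uppercase  # assumed token character set

def luhn_ok(pan):  # Luhn check so the constructed processor rejects bad numbers
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def processor_authorize(pan, amount):  # constructed processor: sees only card data
    return "APPROVED" if luhn_ok(pan) and amount > 0 else "DECLINED"

class GatewayVault:
    """Gateway side: keeps the card data, hands the merchant only a Token."""
    def __init__(self):
        self._by_token = {}  # token -> card number, held on the gateway only

    def _new_token(self, pan):
        # 16 chars: 12 random plus the card's last four, so POS reports that
        # show the last four keep working; the retry keeps the Token unique.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(12)) + pan[-4:]
            if token not in self._by_token:
                return token

    def authorize(self, pan, amount):
        # Initial authorization: card data goes to the processor, a Token comes back.
        approval = processor_authorize(pan, amount)
        token = self._new_token(pan)
        self._by_token[token] = pan
        return token, approval

    def incremental(self, token, amount):
        # Tip or extra charge: the POS sends only the Token; the gateway
        # translates it back into card data for the processor.
        return token, processor_authorize(self._by_token[token], amount)

def restaurant_tab(vault, pan, sale, tip):
    """POS side of a tab: the sale record only ever holds the Token."""
    token, first = vault.authorize(pan, sale)
    record = {"card_number": token, "amount": sale}  # Token fills the old PAN field
    _, second = vault.incremental(record["card_number"], sale + tip)
    record["amount"] = sale + tip
    return record, first, second

def mask_for_report(pan):  # default report masking: first four and last four only
    return pan[:4] + "*" * (len(pan) - 8) + pan[-4:]
```

The POS record that comes back contains the Token and the amounts but never the card number, which is exactly the storage change the text describes.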
From a merchant's point of view, the implementation is seamless. In fact, it can be implemented even when there are pending sales or open tickets remaining. Best of all, the solution is available today and at no additional cost.
To find out more about Tokenization, please contact sales@shift4.com
Please view our Flash presentation about the Card Information Replacement Technology℠ (CIRT).