PCI Compliance and Cybersecurity


PCI compliance is in the foreground of many discussions. From the merchant's perspective, it means meeting the Payment Card Industry standards that require every company that accepts, processes, stores and/or transmits credit card information to do so in a secure environment. In simpler terms, and from the resident's perspective, it is the ability to use one's credit card safely, without fear of having your identity stolen, misused or misrepresented, or a random Batman costume purchased without your consent. Those credit cards, and their relatively new connections to our smartphones, have opened up a new world of conveniences, impulse purchases and threats from the very innocuously titled Internet of Things. The Internet of Things, or "the IoT", which sounds more like a tough neighborhood than a pile of connected microchips, is made up of millions of devices that we come into contact with every day: everything from gas pumps to ATMs, smartphones, Fitbits, laptops, iPads and even those attractive "learning thermostats", which have proved to be hackable and can "teach" thieves when we are not around, guiding them to our unattended but well-connected homes.

But today, let's say that we would like to leave our well-connected home and, against all better judgement, go out and defy the odds, leaving our home vulnerable, to purchase some candy at the clubhouse in our community. We begin our journey without our credit card, even though we are going to make a credit card purchase. With our ferocious Golden Doodle, Barley, at our side we head out, confident that we will return successful, candy in hand and credit intact. But where does this confidence come from? Our facility has always recognized the legal exposure surrounding its need to be PCI-compliant, but now it has taken new steps in an attempt to thwart even the most determined of cyber criminals.

Entering the clubhouse retail shop, I search for the candy, retrieve my purchase and head for the checkout, staring off into the distance as the clerk slowly comes menacingly closer. With each step my confidence grows, and as I come within a few feet of the clerk, I hear him greet me by name, even though I have never seen him before, as he is a new employee. The community's clubhouse is now utilizing a Beacon system which recognizes that I have the property's app running on my smartphone, and securely opens a transaction on the clerk's screen. The Beacon system is a low-energy Bluetooth device which emits a signal, or "beacon", and when it senses the unique ID of my smartphone and community app, it "recognizes" me. The clerk is able to see my picture and visually verify that I am the resident in front of him. He is, as am I, confident that he is addressing the proper resident. Quickly, he scans my chocolate bar, and the transaction has begun. Overjoyed at our impending departure, I look at my phone and see that my app is requesting my fingerprint identification. Quickly I press my thumb upon the home button, and the clerk tells me to enjoy my evening. I take my prize, Barley is excited, and back home we head, ready to toss the Hershey wrapper of victory stout-heartedly into the imaginary faces of the cyber-bullies looking to take my candy money.

But what happened behind the scenes?

When the staff member enters the tender screen and selects the credit card option, the system reaches back out to the resident's phone and requests another level of verification through the device's fingerprint identification system. Once this has been received, the system proceeds with the credit card sale through a tokenization system. This means that the actual credit card data is not stored within the clubhouse system, but off-site on the server of the credit card processor. When the request is initiated, a token is requested and one-time access is granted to charge that card; the card information itself never passes through the clubhouse system, so no one on that side ever has the chance to intercept it. In essence, the system is not merely PCI compliant: the card data is truly PCI out-of-scope. The resident may purchase goods and services at the facility without ever having to remove a card from a wallet or purse and, in reality, without even having to carry a card, thus also eliminating the possibility of electronic card scanning.

Breaking it down further:

  1. The resident was visually identified, after the Beacon system identified his device.
  2. If the device were lost or stolen, visual identification would thwart an unauthorized user, as would the fingerprint functionality.
  3. If a resident does not have the app running or does not wish to be identified in this manner, the app also has an electronic card, which may be displayed on screen to be scanned, giving all of the same verifications.
  4. The off-site storage of the card keeps the information secure and eliminates the need for the resident to physically carry the card. This eliminates the dangers of physical loss, electronic scanning or skimming.
  5. The tokenization methodology allows the card to be used without exposing the card information to interception.
  6. Fingerprint verification allows for further identity confirmation.
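To make the flow described above and in the list concrete, here is an added simulation (not the clubhouse's or any vendor's code) of the three parties: the processor's off-site vault that alone holds the card number, the resident's phone that answers the fingerprint prompt, and the clubhouse point of sale that only ever handles a single-use token. The resident id, the test card number and the fingerprint values are constructed sample data.

```python
import secrets


class ProcessorVault:
    """Card-processor side (constructed stand-in): the only place a PAN lives."""

    def __init__(self, cards_on_file):
        self._vault = dict(cards_on_file)   # resident id -> PAN, held off-site
        self._live_tokens = {}              # token -> resident id, removed on use

    def issue_token(self, resident_id, second_factor_ok):
        # No token is minted unless the phone confirmed the fingerprint.
        if not second_factor_ok or resident_id not in self._vault:
            return None
        token = secrets.token_urlsafe(16)
        self._live_tokens[token] = resident_id
        return token

    def charge(self, token, amount_cents):
        # pop() makes the token one-time: a replayed token finds nothing.
        resident_id = self._live_tokens.pop(token, None)
        if resident_id is None:
            return None
        pan = self._vault[resident_id]
        return {"amount_cents": amount_cents, "last4": pan[-4:]}


class ResidentPhone:
    """Community app on the resident's phone; the beacon hit identifies the device."""

    def __init__(self, resident_id, enrolled_print):
        self.resident_id = resident_id
        self._enrolled_print = enrolled_print

    def confirm_fingerprint(self, presented_print):
        return secrets.compare_digest(presented_print, self._enrolled_print)


class ClubhousePOS:
    """Merchant side: opens the sale from the beacon hit, never touches a PAN."""

    def __init__(self, processor):
        self.processor = processor
        self.audit_log = []   # everything the merchant ever records

    def checkout(self, phone, amount_cents, presented_print):
        ok = phone.confirm_fingerprint(presented_print)   # app prompts for the thumb
        token = self.processor.issue_token(phone.resident_id, ok)
        receipt = self.processor.charge(token, amount_cents) if token else None
        self.audit_log.append({"resident": phone.resident_id, "token": token,
                               "approved": receipt is not None})
        return receipt
```

The merchant's audit log holds only resident ids and spent tokens, which is what puts the card data out of the clubhouse's PCI scope.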

A few extra measures, certainly. However, the facility has taken some great steps to increase the confidence of its residents, protect its reputation, enhance its competitive position and strengthen its standing in any potential legal issue that may arise. Now if only the clubhouse would have something for Barley to enjoy too!

Jim Wisniewski
