facebook noscript

Achieving PCI Compliance with ISO8583

March 20, 2020
compliance-with-iso-proxy-is008583

Is your organization connecting to a payment gateway, processor, or other financial institution – like FIS or I2C – that requires you to use ISO8583 to handle payment messaging?

If so, you likely already know that your business needs to achieve some form of PCI compliance in order to handle the sensitive data contained within those messages.

Becoming PCI compliant, however, is far from a simple undertaking. Businesses need to complete the 12 PCI requirements to successfully create their own PCI-compliant Cardholder Data Environment (CDE). This process is a long one – often taking many months and requiring significant resources and expertise to pull off.

Fortunately, there is an easier and more affordable way to obtain PCI compliance for ISO8583 payment messaging that also protects all of your organization’s sensitive data and helps you attain other compliances beyond PCI DSS.

Before we go into the details, however, let’s do a quick refresher on ISO8583 and how it relates to PCI DSS compliance.

What is ISO8583?

ISO8583 is the global standard for financial transaction card originated interchange messaging, set up by the International Organization for Standardization (IOS).

It is the standard for systems that exchange customer-initiated electronic transactions. Most in-store payment card transactions – as well as ATM transactions – use ISO8583 at some point in the communication chain.

What uses does ISO8583 have?

ISO8583 defines a common standard, including message format and communication flow, so that disparate systems have the ability to exchange transaction requests and responses with no trouble.

It defines several standard fields, which stay the same in all networks or systems, while leaving a few extra fields designated for passing network-specific details.

These standard fields, or data elements, are then used by payment card networks to modify the standard in order to adapt it to its own customized fields and usages.

Who supports ISO8583?

While ISO8583 is not usually used directly by all networks or systems, it is still an important standard that payment card brands use indirectly after tailoring them to suit their own unique data elements.

It’s not a standard that everyone follows strictly, but the core of the standard is maintained across the board to ensure that different systems can communicate with each other and to guarantee that when the financial service is extended to a new network, the integration process is quick and easy.

While many payment gateways use HTTPS-based communication for processing payments, there is still a large deployment of ISO8583 gateways that exist. Both the Visa and MasterCard networks, for example, built their authorization communications systems using the ISO8583 standard – as do several other institutions and networks.

I’m using ISO8583 – do I need to become PCI compliant?

In order for your organization to handle the sensitive data that is sent via the digital messages involved in ISO8583, you do indeed need PCI compliance.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements, designed by the major payment card brands, that guide businesses on how they should protect their payment card data.

PCI DSS compliance isn’t a law, but it’s required by payment card networks if you want to continue being able to work with them.

Non-compliance can result in financial penalties or worse: a sensitive data breach.

If any PCI data, like cardholder names or PANs, can be located in any of your business systems, then you are in scope of PCI compliance requirements and must obtain compliance.

Instant PCI compliance for ISO 8583 with VGS

Thankfully, there is an easy solution available to businesses who need to achieve PCI compliance for handling ISO 8583 messages, and it doesn’t require you to make your cardholder data environment PCI compliant yourself.

The PCI compliance solution we’ve developed at Very Good Security (VGS) enables your business to collect, transfer and store any sensitive data (like cardholder data) without ever possessing it in your systems.

The VGS ISO8583 proxy removes any systems that handle ISO8583 messages from PCI scope, so you can use ISO8583 freely without worrying about any PCI liability.

VGS enables you to compliantly connect to your financial institution in a fraction of the time it normally takes, freeing you to focus on bringing your product to market instead of dealing with PCI compliance.

How it works

VGS has over 140 pre-established connections to most major payment networks including FIS, I2C, MasterCard, Visa, and American Express. Our solution provides low-latency protection using industry leading security.

By partnering with VGS, you can use our ISO8583 proxy to secure and sanitize any sensitive information within your ISO8583 messages before they reach your system and perform the inverse when sending requests to the financial institution (FI).

Along with removing your systems from PCI scope, we accelerate your time to launch by using our pre-established connectivity instead of waiting on the FI to create a new connection, which can incur months of delay.

ISO8583

The process is as simple as connecting to your FI through VGS and you are ready to go.

Card Issuing

As a benefit for card issuers, you can share your Pin Encryption Key (PEK) and Card Validation Key (CVK) with VGS and securely receive metadata to allow you to see the result of CVV and PIN validation.

This can allow you to retain full control of any business logic for handling card authorization transactions while still keeping your systems from PCI compliance.

If you’re looking to handle ISO8583 messages in a PCI-compliant manner, retain full control over the logic involved in processing those messages, and want to reduce the compliance effort involved in doing so – email Very Good Security today.

marshall-jones-r Marshall Jones

Share

You Might also be interested in...

engineering-default

Securing GitOps Deployments in AWS EKS

Maksym Kulish April 28, 2020

pci-for-small-businesses

PCI Compliance for Small Businesses

Stefan Slattery March 13, 2020

compliance-default

Am I selling data? Why You May Need CCPA Compliance and Not Know It

Stefan Slattery January 30, 2020