The use of transaction cards, such as credit and debit cards, has become ubiquitous. Consumers have come to rely on the use of transaction cards to purchase goods and services. In many cases, consumers prefer using transaction cards as opposed to alternate forms of payment, such as cash and checks. Transaction cards offer the consumer increased convenience, as the consumer no longer needs to carry cash or checks, which can be lost or stolen, and used inappropriately to engage in transactions that are not approved by the consumer.
The ubiquitous nature of transaction cards, which can also be referred to as payment cards or payment instruments, has led to other problems. Typically, a transaction card is associated with an account identifier, such as an account number, that in turn is associated with an underlying cash account or line of credit, which can be referred to as a transaction account or account. If a fraudulent user is able to obtain the account identifier, the fraudulent user may engage in transactions that are not authorized by the legitimate holder of the transaction card. The consumer can take some steps to ensure that this does not happen. For example, the consumer may take care to always keep the transaction card in a secure place, such as a purse or wallet. The consumer may also notify an issuer of the transaction card if the transaction card is lost or stolen, such that the card may be disabled and will no longer be usable to conduct transactions.
Regardless of the amount of care that a consumer may exercise in the handling of transaction cards, there are still opportunities for an account identifier to be compromised that are completely outside of the control of the consumer. A consumer may engage in a legitimate transaction with a merchant, and as part of that transaction, provide the merchant with the account identifier associated with a transaction card. The merchant may then process the transaction according to conventional means. However, because the merchant, and any downstream processors, such as the merchant's acquirer, have access to the account identifier, the consumer is at the mercy of the security procedures implemented by the merchant or downstream processors. For example, a rogue employee of the merchant may access the merchant's transaction processing system to steal account identifiers. The stolen account identifiers may be used by the rogue employee or others to engage in fraudulent transactions. The exposure of account identifiers through careless handling or lax security procedures can be referred to as a data or security breach.
In order to reduce the likelihood of a data breach, merchants, acquirers, and any other entity that needs to legitimately possess account identifiers as part of normal transaction processing are required to perform Payment Card Industry (“PCI”) Security Audit Procedures to ensure compliance with PCI Data Security Standard (“DSS”) requirements for payment card transactions. The purpose of the PCI audit procedures is to ensure that merchants, acquirers, and others in possession of account identifiers have sufficient security within their systems to protect consumers' account identifiers. For example, PCI DSS standards may require that any account identifiers that are stored within a merchant's system must be stored in an encrypted format, and that those systems must be isolated from any general computer network through the use of a firewall.
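The following is an added illustration, not part of the patent text, of the storage principle behind the PCI DSS requirement described above: a merchant's transaction records should not contain the account identifier in a form a rogue employee could read. The patent speaks of storing identifiers in an encrypted format; because the Python standard library ships no AES, this example instead keeps only a masked display form and a keyed HMAC surrogate (a substitute technique, chosen so the example runs offline; a production system would use a vetted authenticated cipher such as AES-GCM through a library and a key held in a separate key-management service). The sample account number is a constructed test value, and the function names and the `card_ref` record field are assumptions of this example.

```python
"""Added example (not from the patent): store account identifiers so that a copy
of the stored records does not reveal the identifier itself."""
import hashlib
import hmac
import secrets

# Constructed sample: a syntactically valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def mask(pan: str) -> str:
    """Display form: keep only the last four digits (PCI DSS permits at most
    the first six and last four to be shown; this example keeps fewer)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def reference(pan: str, key: bytes) -> str:
    """Keyed surrogate for the account identifier.

    HMAC with a secret key (held outside the transaction database) lets the
    merchant recognise a repeat card without storing the identifier.  An
    unkeyed hash would not do: the space of valid account numbers is small
    enough to enumerate, so a leaked unkeyed hash could be reversed by trial.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def store_transaction(pan: str, amount_cents: int, key: bytes) -> dict:
    """Build the record that is actually written to the merchant's database.

    The clear-text identifier is validated, used to derive the masked form and
    the surrogate, and then discarded; it never becomes part of the record.
    """
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("malformed account identifier")
    return {
        "masked_pan": mask(pan),
        "card_ref": reference(pan, key),  # assumed field name
        "amount_cents": amount_cents,
    }


def breach_exposes_pan(record: dict, pan: str) -> bool:
    """Model the rogue-employee case: does a copied record contain the
    account identifier in the clear?"""
    return any(pan in str(value) for value in record.values())


if __name__ == "__main__":
    # In practice the key comes from a key-management service, not the code.
    storage_key = secrets.token_bytes(32)
    record = store_transaction(SAMPLE_PAN, 1999, storage_key)
    print(record)
    print("record exposes identifier:", breach_exposes_pan(record, SAMPLE_PAN))
    # The same card seen again maps to the same surrogate, so repeat-customer
    # matching still works without the identifier ever being stored.
    print("repeat match:", record["card_ref"] == reference(SAMPLE_PAN, storage_key))
```

The firewall isolation the paragraph also mentions is a network control and is not modelled here; the example covers only the stored form of the data.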
Although PCI DSS audits provide some degree of protection to a consumer, there are many deficiencies with the process. For example, the audits are typically conducted at a discrete point in time. A merchant may be fully compliant with the PCI DSS at the time the audit is conducted; however, the merchant's systems may change at some point after the audit. To alleviate this concern, the merchant may be periodically audited, such as once per calendar quarter. However, as should be clear, this still leaves open the possibility that the merchant is not PCI DSS compliant between audits. Furthermore, there are significant costs associated with maintaining PCI DSS compliance by merchants, acquirers, and any others subject to PCI DSS audits. Aside from the costs of the audit itself, there are ongoing costs of ensuring that any changes made to the payment processing process remain PCI DSS compliant.
Embodiments of the technology disclosed herein address these and other problems, individually and collectively.