Your application needs to process credit card transactions. You want the smallest scope of Payment Card Industry (PCI) compliance without compromising the ability to analyze transactional data and trends relating to which payment methods are used.
How should you design your architecture?
To minimize the scope of PCI compliance while still allowing for the analysis of transactional data and trends, creating a tokenizer service and storing only tokenized data is the most effective approach. Tokenization replaces sensitive data such as credit card numbers with unique tokens that do not carry any exploitable value if breached. This reduces the scope of PCI compliance to just the tokenization service, thereby limiting the need to safeguard the entire system. Additionally, the tokenized data can still be used for analysis in terms of transaction trends and payment methods without compromising security.
Final Decision to go with Option A. I have done PCI DSS Audit for my project and thats the best suited case. 100% sure to use tokenised data instead of actual card number
But with A you cannot extract statistics. That is the second r4equirement.
Thinking about that better, I think you can because you are only tokenizing the sensitive data, not the transaction type.
Analyzing Transaction does not require Credit Card number I guess. Only amount of transaction or balance what is needed. We also perform something similar with transactional data with tokenized PII information. So CC can be tokenized. So answer should be A.
You can as the generated token for a given credit card would be same(generally but there are approaches which can give you different token for the same sensitive data input). Only thing that you won't know is the actual card number which is not required for the trend analysis. When the trend analysis involves referential integrity then tokenization process becomes challenging but still once data is tokenized correctly you should be able to perform any kind of the analysis.
I agree. A is the best option
To minimize the scope of Payment Card Industry (PCI) compliance while still allowing for the analysis of transactional data and trends related to payment methods, you should consider using a tokenizer service and storing only tokenized data, as described in option A. Tokenization is a process of replacing sensitive data, such as credit card numbers, with unique, randomly-generated tokens that cannot be used for fraudulent purposes. By using a tokenizer service and storing only tokenized data, you can reduce the scope of PCI compliance to only the tokenization service, rather than the entire application. This can help minimize the amount of sensitive data that needs to be protected and reduce the overall compliance burden.
man, this is an amazing answer. props
thanks to chagpt, are you serious saying that?
Nicely explained, thanks.
https://cloud.google.com/architecture/tokenizing-sensitive-cardholder-data-for-pci-dss
A is the correct answer https://cloud.google.com/architecture/tokenizing-sensitive-cardholder-data-for-pci-dss#a_service_for_handling_sensitive_information
Go for A
correct answer is A use tokenize
I chose A. But why C is not good?
I think it should be A and C - the paper states clearly, a proper network segmentation is still required to disparate the vault and token servers from the rest of the flat network.
The mandatory stage in PCI is having a encryption/ description system. Data must not be stored as is with PAN. So A IS A MUST. The rest are nice to have.
Correct answer A
B appears the most thorough but the question asks to comply with the smallest scope, network segmentation is not a must. Tokenization is simpler. C is similar to B, more than required. D & E do not address the problem.
A. Create a tokenizer service and store only tokenized data
ok for A
A is my best option
Tokenizing is the best way to protect PCI information.
Not sure why 100% agree on A. To limit PCI DSS scope, the data handling should be done in a separate project with very limited access. Only in this project should tokenization be done and made available for analytics. The first requirement however, is isolating the payment and tokenization code in a separate project. Answer should be B.
A is correct