Cloud tokenization helped the Oklahoma Turnpike Authority reduce the scope of its PCI audit

About the Company

The Oklahoma Turnpike Authority (OTA) is an instrumentality of the State of Oklahoma and a body corporate and politic created in 1947. The OTA is authorized to construct, maintain, repair, and operate turnpike projects at locations authorized by the Legislature of the State of Oklahoma and approved by the State Department of Transportation.

Tokenization for cardholder data

When the OTA learned that its existing tokenization solution was being sunset, finding a new solution to protect patron cardholder data became an immediate priority. It was essential for OTA to find a tokenization provider that matched their high-security standards and ensured that the cardholder data of hundreds of thousands of customers remained safe.

Todd Harry, Business Development Manager of the Oklahoma Turnpike Authority, initially hesitated to use a third-party vendor. For something as important as payment security, he knew he needed a vendor that he could put a high amount of trust in and collaborate with. After meeting with IXOPAY representatives, he realized that the Oklahoma-based company checked every box. Todd explained, “Everything that we dreamt up, everything that we wanted to do, IXOPAY was able to deliver on. That was really wonderful.”

Reducing PCI headaches

After verifying the security and functionality of third-party tokenization, OTA realized that cloud tokenization would solve another problem: the time and effort spent verifying their PCI compliance each year. By storing cardholder data with IXOPAY, instead within OTA’s internal systems, the burden of compliance was transferred almost completely to IXOPAY.   

Todd Harry explained, “Annually doing audits [on your own] takes so much more time and so much more money. It’s a lot easier to go to IXOPAY and say, ‘Let me see a copy of your self-assessment that says you guys are compliant, and I’ll pass that off to my auditor.’” 

OTA’s previous PCI audits would take over a month, with eight or nine people working on the project. This year, their PCI audit took 50% less time for 80% fewer people as only one person was needed for the two weeks it took to complete the audit. The rest of the team was free to focus on other projects to propel OTA’s business forward instead of auditing an existing system.

How it works

The Oklahoma Turnpike Authority used batch tokenization to efficiently tokenize all their existing cardholder data. Then, once OTA’s data had been converted to IXOPAY tokens, the IXOPAY iFrame was implemented to capture and secure all future cardholder data.

Now, OTA’s cardholder data is tokenized and secured by IXOPAY at the moment of capture. This prevents sensitive data from entering OTA’s internal systems and reduces their PCI scope for future audits. 

Cloud tokenization enabled the Oklahoma Turnpike Authority to:

Keep sensitive card data out of their internal systems.

Drastically reduce the time and effort spent on their PCI audit.

Free up resources to work on other projects.

“From a hard dollar cost savings, I absolutely know that we’re saving money, even with the additional cost of making per-transaction fees to tokenize, because of the soft cost, the number of hours we are saving.“
Todd Harry
Business Development Manager

