Simplifying Payments and Compliance with Cloud-Based P2PE Decryption: Carnival Cruise Line Journey

September 25, 2024 | News

At the recent MAG (Merchant Advisory Group) Payments Conference in Orlando, Florida, the IXOPAY team presented Carnival Cruise Line's success story, demonstrating how Cloud-Based Point-to-Point Encryption (P2PE) makes it easier to orchestrate payments and simplify compliance.

Carnival's Business Case

Carnival's payment strategy focuses on flexibility, modernization, and compliance, leveraging IXOPAY’s orchestration platform to meet these needs. Here are the key benefits Carnival Cruise Line experienced:

  • Best-in-Class Solutions: Carnival has the freedom to select payment devices and Payment Service Providers (PSPs) based on their specific needs rather than being constrained by pre-packaged device-PSP pairings.
  • Modernizing Settlement Processes: Carnival streamlined its settlement timelines through tokenization, making payment processing more efficient.
  • Validated P2PE Solution: Carnival implemented a cloud-based, PCI-validated P2PE solution, ensuring high levels of data security.
  • PCI Scope Reduction: By reducing the scope of PCI compliance by 90%, Carnival lowered costs and shortened the compliance process from 6 months to 3 weeks.
  • Tokenization for Efficiency: Carnival now tokenizes credit cards during the initial transaction and stores the tokens for future use, enhancing both security and convenience.

What is Tokenization?

Tokenization plays a pivotal role in de-risking environments by replacing sensitive payment information with a non-sensitive token. Here's a breakdown of how tokenization benefits businesses:

  • Security: Sensitive data, like credit card numbers, is replaced by a token, reducing the risk of a data breach.
  • PCI Scope Reduction: Tokenization drastically reduces the scope of PCI DSS compliance.
  • Business Process Compatibility: Tokens can be format-preserving and retain certain elements of the original data, making them usable in existing business processes without modification.

Types of Tokens

Understanding the different types of tokens is critical to ensuring a seamless payment orchestration strategy.

PCI Tokens:

PCI tokens are a data security and compliance technology. They:

  • Are generated by a payment gateway, PSP, or Token Service Provider (TSP).
  • Are typically used in the payments ecosystem.
  • Must be detokenized by the generating entity (PSP, gateway, or TSP) before processing.
  • Can be alphanumeric and may retain elements of the original credit card number (PAN).
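The tokenization properties described above (a format-preserving token that retains part of the PAN and can be detokenized only by the entity that generated it) are shown in the following added example, which is not IXOPAY's or Carnival's code. `TokenVault`, its in-memory storage, the last-four retention and the same-card-same-token behaviour are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
SAMPLE_PAN = "4111111111111111"  # constructed sample: a widely used test card number


def luhn_valid(number: str) -> bool:
    """Luhn checksum that PANs (and, per the text, network tokens) satisfy."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the token-generating entity (PSP, gateway or TSP)."""

    def __init__(self):
        self._by_token = {}  # a real vault keeps this mapping encrypted and isolated
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("input is not a Luhn-valid PAN")
        if pan in self._by_pan:  # same card always maps to the same token
            return self._by_pan[pan]
        while True:
            # Format-preserving: same length as the PAN, last four digits retained.
            body = "".join(secrets.choice(ALPHABET) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Skip collisions and all-digit draws that could be mistaken for a PAN.
            if token not in self._by_token and not token.isdigit():
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault holds the mapping; the token itself reveals just the last four.
        return self._by_token[token]
```

Systems that store only the token can still display or match on the last four digits, while a scan for Luhn-valid numeric strings in those systems should find nothing.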

Network Tokens:

Network tokens are a payment optimization technology. They:

  • Are based on the EMV Payment Tokenization Specification and generated by card schemes (Visa, Mastercard, American Express, etc.).
  • Can pass through the entire payment ecosystem without needing to be detokenized until they reach the card scheme.
  • Use a token-specific BIN range, ensuring compliance, and are always numeric and Luhn compliant.

The Role of Point-to-Point Encryption (P2PE)

Point-to-Point Encryption (P2PE) adds another critical layer of security to payments. A Cloud-Based P2PE decryption solution allows businesses to:

  • Use any PCI-approved payment terminal with any PSP.
  • Accept payments through any method: swipe, chip, tap, or manual entry.
  • Ensure the same level of tokenization security for both card-present and card-not-present (CNP) transactions.
  • Scale securely in the cloud while reducing the burden of PCI compliance.

Why Cloud-Based P2PE Decryption Matters

Using a cloud-based P2PE decryption solution offers several key advantages for merchants:

  • Device Flexibility: Merchants can use any PCI-validated point of interaction (POI) device, which streamlines device management.
  • Simplified Compliance: The most significant benefit of cloud-based P2PE is how much it simplifies PCI DSS compliance. With this solution, businesses reduce their compliance scope from over 300 controls (SAQ-D) to just 21 controls (SAQ-P2PE), leading to lower compliance costs.
  • Payment Channel Correlation: This solution also supports the correlation of payments across both card-present and CNP channels, ensuring a unified approach to payment security.
  • Decoupling from Processors: Merchants can independently manage their P2PE processes without being tied to a specific PSP, enhancing flexibility.

Orchestrating CNP and Card-Present Payments

IXOPAY’s cloud-based solutions allow merchants to orchestrate payments across any acceptance channel, using any PSP, while maintaining robust security. Whether it's a card-present transaction or a CNP scenario, businesses like Carnival Cruise Line can seamlessly manage and secure payments, ensuring that customers experience fast and secure transactions every time.

As the payments landscape continues to evolve, businesses need modern, flexible, and secure payment orchestration solutions. With IXOPAY’s platform, Carnival Cruise Line is not just keeping up with the changes but leading the way in modernizing its payment processes and simplifying compliance.