Retail – PCI DSS Compliance

Company Profile

A large oil company with over 200 gas station locations, all of which handle credit card data for transactions, and a legacy backend mainframe system for data processing.


Business Problem

Achieve compliance with the PCI DSS regulations for high-volume gas station transaction data.

High transaction volumes and a very short window to handle payment settlement meant the system had to have very high throughput and scalable performance. Due to the legacy mainframe environment, the implementation also required little to no modification of systems.

And last, the company required a means for customer support to securely enter payment data manually.

Protegrity Solution

Protegrity implemented a Vaultless Tokenization appliance in a staging environment outside the backend systems.

The transaction information from the gas stations is sent securely to the Protegrity appliance and placed in an encrypted file. The secure file is parsed and Credit Card Number (CCN) data is tokenized prior to entering legacy business systems. After processing, the protected CCN data is de-tokenized by the appliance and transmitted to payment processors for settlement.

Tokens were designed to bleed through the first 6 digits of the CCN, to make them compatible with legacy systems and prevent the need for modifications.

Requirements & Challenges

  • Comply with all applicable PCI DSS regulations (Level 1)
  • Implement a data security solution with little to no modifications of systems
  • Eliminate mainframe from scope of PCI DSS annual audit via tokenization
  • Allow customer support to enter CHD as usual
  • High transaction volumes and very short window for payment settlement required high throughput and scalable performance
  • Provide knowledge and responsiveness to any concerns or issues

Results & Benefits

  • Achieved PCI DSS compliance through tokenization of CCN data and end-to-end SFTP communication
  • Removed mainframe from PCI DSS audit scope
  • No need to modify legacy systems to secure data due to external appliance and bleed-through of business intelligence
  • Extremely high performance and throughput of secured data
  • Customer support retained ability to handle CCN information through web interface with Vaultless Tokenization appliance
  • Continuous, granular monitoring on sensitive data
  • Tokens designed to exclude first 6 digits of CCN, for compatibility with legacy systems and to prevent need for modifications

Implementation Diagram