PCI DSS key concepts
The IBM® PCI DSS strategy is based on two key concepts.
The first is the use of a well-known and accepted practice called "tokenization" to transform sensitive credit card Primary Account Numbers (PANs) into unique, cryptographically strong random-string tokens. PANs are stored only in an external payment provider vault hosted in a secure environment, and only the tokens are stored in the Sterling Order Management System Software applications.
The second key concept is to design the Sterling Order Management System Software applications so that PANs are captured through a payment web page that is hosted by the external payment provider and not by the IBM applications. In most cases, the hosted payment page is incorporated as an inline frame (iframe).
With these two concepts, you can offload the PCI DSS security concerns surrounding the handling of PANs, such as encryption, secure PAN storage, key management, and logging, to an external payment system provider. Additionally, by keeping the PAN outside of the Sterling Order Management System Software applications, you can work with your PCI DSS QSA to keep the IBM applications outside of PCI DSS auditing scope.
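The token/vault split described above, as an added illustration that is not IBM code and does not show how any real payment provider's vault works: a stand-in vault issues random tokens and keeps the PAN, a stand-in hosted page hands the OMS only the token and last four digits, and a final check scans what the OMS stored for anything PAN-shaped. The class and function names and the sample card number are constructed for this example.

```python
import re
import secrets

# Constructed sample PAN: a standard test card number that passes the Luhn check, not real data.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check on a digit string (input validation the vault does before tokenizing)."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, subtracting 9 if it exceeds 9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class PaymentProviderVault:
    """Stand-in for the external provider's vault: the only component that ever holds a PAN."""
    def __init__(self):
        self._pan_by_token = {}
    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("rejected: not a well-formed PAN")
        # The token is pure randomness, not a hash or encryption of the PAN, so holding the
        # token alone gives no way to reverse or brute-force it without access to this vault.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token
    def authorize(self, token: str, amount_cents: int) -> bool:
        """Charge by token; the PAN is looked up and used here and never returned to the caller."""
        return token in self._pan_by_token and amount_cents > 0


def hosted_payment_page(vault: PaymentProviderVault, pan: str) -> dict:
    """Models the provider-hosted iframe: it sees the PAN, the OMS gets only token + last four."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}


class OrderManagementSystem:
    """Stand-in for the OMS side: persists only what the hosted page returns."""
    def __init__(self):
        self.orders = {}
    def record_payment(self, order_id: str, page_result: dict) -> None:
        self.orders[order_id] = page_result


def pan_leaked(record: dict, pan: str) -> bool:
    """Defender check: does a stored OMS record contain the full PAN or any 13-19 digit run?"""
    blob = repr(record)
    return pan in blob or re.search(r"\d{13,19}", blob) is not None
```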