By Bernadette Wilson
When Tigerpaw Software announced new features at its most recent partner conference, included among the news was that Tigerpaw would no longer store credit card data inside of the Tigerpaw database. CEO James Foxall explains why this move will help Tigerpaw’s IT solution partners keep data secure.
Q: Can you explain why this is important to Tigerpaw partners from a security perspective?
Foxall: Those of our clients that are using automated payment processing have already moved their credit card data to the cloud in a secure vault of one of our payment vendor partners. This is transparent to the users — it appears that they are entering credit card data in Tigerpaw, but they are actually using a secure Web form of the payment vendor, so the credit card information is never processed or stored locally. The providers give Tigerpaw a token — a non-identifying piece of data. We use the token to process a payment so the credit card data never goes across the Web again.
For those customers that haven’t implemented automated payment processing, they are storing credit cards in Tigerpaw in an encrypted format. Later this year we’ll be producing an update that will force them to move their cards to a secure vault. Tigerpaw will move the data automatically to their preferred provider and then delete the credit card data from the local Tigerpaw database — removing all users from Payment Card Industry (PCI) Data Security Standard scope once and for all.
Q: How does this remove users from PCI DSS scope and help keep card holder data more secure?
Foxall: I think if you look at the news for the last few years, some big companies like Home Depot and Target have seen credit card information stolen. Target was the victim but they’re considered liable for damage. Small organizations can be found negligent if credit card data is stolen and used. Additionally, a big problem besides outside hacking is credit card theft by employees. That’s a real possibility. There aren’t many SMBs that can weather a legal onslaught like that. For Tigerpaw to become PCI compliant would require a massive amount of development effort, and PCI compliant software is only compliant if running on a PCI compliant network — something most SMBs do not have.
We don’t want that liability — and neither should any of our partners. By storing credit card data in a PCI compliant vault in the cloud as our vendor partners do, Tigerpaw and our customers are removed from PCI compliance scope; we’ve built our product not to be PCI compliant, but instead made PCI compliance irrelevant to Tigerpaw and our partners. That’s the best of all worlds. It still looks like you enter credit card data in Tigerpaw, but the data goes directly into a secured PCI vault in the cloud of your chosen provider; Credit card data is never stored locally.
You can pick either Mercury or BNG as your payment processor to use with Tigerpaw. The great thing is having two companies gives our partners competition on rates. Our solution protects you from risk, and can even save you money.
Q: What is your advice to Tigerpaw users that manage payments through the software?
Foxall: If you’re not using BNG or Mercury with Tigerpaw, sign up with one of those guys as fast as possible. This will move your credit card data off your network and remove your potential liability by taking you out of PCI compliance scope. If you’ve already done this, you’re golden. The added benefit is that you can then use automated payment processing in Tigerpaw for your managed services and other recurring agreements! This is an extremely powerful feature that is unique to Tigerpaw, can save you hours a month in billing, and reduce your time to collections to zero days.
Many solutions providers may not realize they have credit card data on their networks. If you do, you are at risk from outside and inside forces. Moving to PCI compliance with a trusted partner — or better yet getting yourself removed from PCI compliance scope — is what you absolutely need to be looking at for the security of your business.