
ISO8583 | PCI

Achieving PCI Compliance with ISO8583


March 20, 2020



Marshall Jones

Is your organization connecting to a payment gateway, processor,
or other financial institution – like FIS or I2C – that requires you to
use ISO8583 to handle payment messaging?
If so, you likely already know that your business needs to achieve
some form of PCI compliance in order to handle the sensitive data
contained within those messages.
Becoming PCI compliant, however, is far from a simple
undertaking. Businesses need to complete the 12 PCI
requirements to successfully create their own PCI-compliant
Cardholder Data Environment (CDE). This process is a long one –
often taking many months and requiring significant resources and
expertise to pull off.
Fortunately, there is an easier and more affordable way to obtain
PCI compliance for ISO8583 payment messaging that also
protects all of your organization’s sensitive data and helps you
attain other compliances beyond PCI DSS.
Before we go into the details, however, let’s do a quick refresher
on ISO8583 and how it relates to PCI DSS compliance.
What is ISO8583?
ISO8583 is the global standard for financial transaction
card-originated interchange messaging, set up by the International
Organization for Standardization (ISO).
It is the standard for systems that exchange customer-initiated
electronic transactions. Most in-store payment card transactions –
as well as ATM transactions – use ISO8583 at some point in the
communication chain.
What uses does ISO8583 have?
ISO8583 defines a common standard, including message format
and communication flow, so that disparate systems have the
ability to exchange transaction requests and responses with no
trouble.
It defines several standard fields, which stay the same in all
networks or systems, while leaving a few extra fields designated
for passing network-specific details.
These standard fields, or data elements, are then used by
payment card networks as the base they modify in order to adapt
the standard to their own customized fields and usages.
Who supports ISO8583?
While ISO8583 is not usually used directly by all networks or
systems, it is still an important standard that payment card brands
use indirectly after tailoring it to suit their own unique data
elements.
It’s not a standard that everyone follows strictly, but the core of
the standard is maintained across the board to ensure that
different systems can communicate with each other and to
guarantee that when the financial service is extended to a new
network, the integration process is quick and easy.
While many payment gateways use HTTPS-based communication
for processing payments, there is still a large deployment of
ISO8583 gateways that exist. Both the Visa and MasterCard
networks, for example, built their authorization communications
systems using the ISO8583 standard – as do several other
institutions and networks.
I’m using ISO8583 – do I need to become PCI compliant?
In order for your organization to handle the sensitive data that is
sent via the digital messages involved in ISO8583, you do indeed
need PCI compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a
set of requirements, designed by the major payment card brands,
that guide businesses on how they should protect their payment
card data.
PCI DSS compliance isn’t a law, but it’s required by payment card
networks if you want to continue being able to work with them.
Non-compliance can result in financial penalties or worse: a
sensitive data breach.
If any PCI data, like cardholder names or PANs, can be located in
any of your business systems, then you are in scope of PCI
compliance requirements and must obtain compliance.
Instant PCI compliance for ISO 8583 with VGS
Thankfully, there is an easy solution available to businesses who
need to achieve PCI compliance for handling ISO 8583 messages,
and it doesn’t require you to make your cardholder data
environment PCI compliant yourself.
The PCI compliance solution we’ve developed at Very Good
Security (VGS) enables your business to collect, transfer and store
any sensitive data (like cardholder data) without ever possessing
it in your systems.
The VGS ISO8583 proxy removes any systems that handle
ISO8583 messages from PCI scope, so you can use ISO8583
freely without worrying about any PCI liability.
VGS enables you to compliantly connect to your financial
institution in a fraction of the time it normally takes, freeing you to
focus on bringing your product to market instead of dealing with
PCI compliance.
How it works
VGS has over 140 pre-established connections to most major
payment networks including FIS, I2C, MasterCard, Visa, and
American Express. Our solution provides low-latency protection
using industry leading security.
By partnering with VGS, you can use our ISO8583 proxy to secure
and sanitize any sensitive information within your ISO8583
messages before they reach your system and perform the inverse
when sending requests to the financial institution (FI).
Along with removing your systems from PCI scope, we accelerate
your time to launch by using our pre-established connectivity
instead of waiting on the FI to create a new connection, which
can incur months of delay.
The process is as simple as connecting to your FI through VGS
and you are ready to go.
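The message layout described under "What uses does ISO8583 have?" and the sanitize-on-ingress, restore-on-egress flow described in this section, as an added example that is not VGS code: it assumes an ASCII-encoded message with a 4-digit MTI, a 16-hex-character primary bitmap and a five-element subset of data elements with their standard lengths, and it swaps the PAN in DE2 for a format-preserving alias backed by a constructed in-memory vault.

```python
"""Added example (not VGS code): a minimal ISO8583 parser/builder plus the DE2 aliasing a scope-reducing
proxy performs. Assumed, not from the page: ASCII encoding, 4-digit MTI, 16-hex primary bitmap, 5 DEs."""
import secrets
# DE number -> ("fixed", length) or ("llvar", max_len). Constructed subset of the standard's elements.
FIELDS = {2: ("llvar", 19), 3: ("fixed", 6), 4: ("fixed", 12), 11: ("fixed", 6), 41: ("fixed", 8)}
PAN_DE = 2  # Primary Account Number: the element that puts a system in PCI scope

def parse(msg: str) -> dict:
    """Split MTI, primary bitmap and present data elements; reject unsupported or malformed input."""
    mti, bits, body = msg[:4], int(msg[4:20], 16), msg[20:]
    present = [de for de in range(1, 65) if (bits >> (64 - de)) & 1]
    fields, pos = {}, 0
    for de in present:
        if de == 1 or de not in FIELDS:  # bit 1 announces a secondary bitmap; not in this subset
            raise ValueError(f"unsupported data element {de}")
        kind, length = FIELDS[de]
        if kind == "llvar":  # two-digit length prefix, bounded by the element's maximum
            length, pos = int(body[pos:pos + 2]), pos + 2
            if length > FIELDS[de][1]:
                raise ValueError(f"DE{de} length {length} exceeds maximum")
        fields[de], pos = body[pos:pos + length], pos + length
    if pos != len(body):  # catches both truncated values and trailing junk
        raise ValueError("message length does not match declared fields")
    return {"mti": mti, "fields": fields}

def build(mti: str, fields: dict) -> str:
    """Inverse of parse(): set a bitmap bit per DE and concatenate the encoded values in order."""
    bits = sum(1 << (64 - de) for de in fields)
    body = "".join((f"{len(v):02d}" if FIELDS[de][0] == "llvar" else "") + v
                   for de, v in sorted(fields.items()))
    return f"{mti}{bits:016X}{body}"

def alias_pan(msg: str, vault: dict) -> str:
    """Inbound proxy direction: swap the real PAN for a same-length alias (BIN and last four kept,
    middle digits random) and record alias -> PAN in `vault`, a stand-in for the proxy's secure store."""
    parsed = parse(msg)
    pan = parsed["fields"][PAN_DE]  # KeyError if the message carries no PAN at all
    alias = pan
    while alias == pan or alias in vault:  # never hand back the real PAN or reuse an alias
        alias = pan[:6] + "".join(str(secrets.randbelow(10)) for _ in pan[6:-4]) + pan[-4:]
    vault[alias] = pan
    parsed["fields"][PAN_DE] = alias
    return build(parsed["mti"], parsed["fields"])

def reveal_pan(msg: str, vault: dict) -> str:
    """Outbound direction: restore the real PAN before the message leaves for the financial institution."""
    parsed = parse(msg)
    parsed["fields"][PAN_DE] = vault[parsed["fields"][PAN_DE]]  # unknown alias -> KeyError (fail closed)
    return build(parsed["mti"], parsed["fields"])
```

Systems downstream of `alias_pan` only ever see the alias, which is what takes them out of PCI scope; the vault holding the real PANs is the only component that still needs to be protected.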
Card Issuing
As a benefit for card issuers, you can share your PIN Encryption
Key (PEK) and Card Validation Key (CVK) with VGS and securely
receive metadata to allow you to see the result of CVV and PIN
validation.
This can allow you to retain full control of any business logic for
handling card authorization transactions while still keeping your
systems out of PCI scope.
If you’re looking to handle ISO8583 messages in a PCI-compliant
manner, retain full control over the logic involved in processing
those messages, and want to reduce the compliance effort
involved in doing so – email Very Good Security today.
