Why Use Tokens
When establishing PCI-compliant processes and practices from a technology perspective, commercial accommodation providers need to consider both the systems they use and the environment in which they operate.
As a system provider, RMS has the choice of providing software that complies with the Payment Application Data Security Standard (PA DSS) or staying out of the scope of PCI requirements altogether. RMS has determined that, as a long-term solution, the latter option provides a safer, less expensive and more robust solution. The tokenization method employed by RMS means that credit card details are never stored, transmitted or processed in RMS, rendering the property owner completely out of scope of PCI.
Whilst it is relatively simple to achieve the requirements of the DSS as they apply to payment applications, doing so alone would completely ignore the environment in which the application operates. Property owners who self-host RMS would find the task of maintaining a network that fully complies with the DSS almost impossible. The responsibility for data security ultimately falls on the merchant. Vulnerabilities exist even in the most secure environments where staff members have access to the network, or the server is not under constant vigilance. A breach of your security may provide open access to cardholder data despite having a PCI-compliant payment application installed.
Over time, the low cost per transaction incurred by using a payment gateway is far less than the ongoing cost of securing a local environment. This is not to mention the peace of mind that comes from removing the onus of card security.
RMS cloud-hosted customers enjoy extremely robust data security. Nonetheless, the decision was made that responsibility for cardholder security is best managed by the industry-specific services supplied by payment gateway providers.
It is undeniable that the safest and most efficient method of providing cardholder security and complying with your merchant obligations is by use of the tokenization method.