- Post History
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
3 weeks ago - edited 3 weeks ago
Disputes Card Data Security and PCI Compliance
Objective
The Card Data Security application [sn_data_sec] protects FSO Disputes from PCI DSS scope exposure by tokenizing sensitive payment card data before it reaches the ServiceNow instance. This article covers why PCI compliance is relevant to dispute workflows, how the tokenization proxy works, the key use cases it enables, and the implementation prerequisites every team must complete before installing the plugin.
Overview
The Card Data Security application embeds a tokenization service that enables FSO customers to configure which data is tokenized and detokenized for Dispute Cases and Dispute Transactions, meeting Payment Card Industry (PCI) requirements.
The application acts as a secure passthrough proxy between the ServiceNow instance and card networks. It substitutes sensitive Primary Account Number (PAN) data and documents with non-sensitive token values, preventing raw card data from ever being stored in the ServiceNow instance.
Card Data Security provides a secure, PCI-compliant approach to sensitive payment information while allowing FSO users to maintain operational efficiency in dispute management. Whether your organization falls under PCI Level 1 reporting requirements or operates at lower transaction volumes, Card Data Security helps maintain PCI compliance while streamlining dispute operations.
Why PCI Compliance Matters for Disputes
Card dispute workflows fall within PCI DSS scope for four reasons:
- Dispute flows may store, process, or transmit physical card details during intake and investigation.
- Dispute case logs and activity streams may contain sensitive card data.
- Card network API responses from Visa VROL and Mastercard MCOM include PAN data in their payloads.
- Merchants may submit evidence containing screenshots, receipts, or statements with cardholder data.
How Tokenization Works
- When a card network returns a response containing a PAN, the tokenizer intercepts it and replaces the PAN with a token before it reaches the dispute workflow.
- When ServiceNow sends a request containing a tokenized reference, the tokenizer substitutes the token with the actual PAN before forwarding the request to the card network.
Key Use Cases
- Agents can enter PAN data via a secure iframe container that tokenizes the number before it is stored, keeping the ServiceNow instance out of PCI scope for that data element.
- Agents can reveal or mask the full PAN in the Dispute Workspace and transaction record using the Card Number Reveal Component, which uses context-aware JWT authentication to detokenize on demand.
- Documents received from Visa VROL and Mastercard MCOM (e.g. merchant representment evidence) are stored in the tokenizer service vault, not in ServiceNow. Agents view or download them directly from the vault, keeping sensitive files out of the instance.
Implementation Prerequisites
Card Data Security requires significant pre-configuration before the plugin can be installed. Key steps include:
- Provision the ServiceNow tokenizer service and complete onboarding. Contact your ServiceNow account representative to initiate this.
- Install and configure Visa Spoke and Mastercard Spoke — Card Data Security depends on these integrations to function.
- Set up OAuth (JWT Bearer authentication) including JKS file generation, X.509 certificate, JWT key, JWT Provider, OAuth Provider, and Connection & Credential records.
- Configure Tokenizer Resource Configurations to map each REST message function (VROL, Mastercom) to the tokenizer service endpoints.
What's Next
Related resources:
- Full Card Data Security feature reference: Exploring Card Data Security (ServiceNow Docs)
- For the Card Data Security Admin and Flow Executor roles, see FSO Disputes Roles and Personas.
- For the Tokenizer Resource Configuration table and Card Data Security fields, see FSO Disputes Data Model and Core Data Objects.
- For the Visa and Mastercard content packs that generate the PAN data Card Data Security tokenizes, see FSO Disputes Content Pack for Card Network Rules.
- For Reg E and Reg Z regulatory SLA enforcement alongside PCI compliance, see FSO Disputes Content Pack for US Regulations.
- New to FSO Disputes? Start with Getting Started with FSO Disputes for a full introduction to the dispute lifecycle, operating model, and implementation approach.
- For training courses, learning paths, and delivery accreditations, see FSO Disputes Learning and Enablement Resources.
Get Involved:
- FSO Community Forum — subscribe for updates and connect with the FSO community.
- Financial Services Operations YouTube Playlist — review videos and feature walkthroughs.
Have questions about Card Data Security setup or PCI scope? Comment below.