Rahul_Sanghi
ServiceNow Employee
<div style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; line-height: 1.6; max-width: 860px;">

<h1 style="font-family: Georgia, 'Times New Roman', serif; font-size: 26pt; font-weight: bold; color: #000000; margin: 0 0 20px 0; line-height: 1.2;">Disputes Card Data Security and PCI Compliance</h1>

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">Objective</h2>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">The Card Data Security application [sn_data_sec] protects FSO Disputes from PCI DSS scope exposure by tokenizing sensitive payment card data before it reaches the ServiceNow instance. This article covers why PCI compliance is relevant to dispute workflows, how the tokenization proxy works, the key use cases it enables, and the implementation prerequisites every team must complete before installing the plugin.</p>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">Overview</h2>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">The <strong>Card Data Security</strong> application embeds a tokenization service that enables FSO customers to configure which data is tokenized and detokenized for Dispute Cases and Dispute Transactions, meeting Payment Card Industry (PCI) requirements.</p>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">The application acts as a secure passthrough proxy between the ServiceNow instance and card networks. It substitutes sensitive <strong>Primary Account Number (PAN)</strong> data and documents with non-sensitive token values, preventing raw card data from ever being stored in the ServiceNow instance.</p>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">Card Data Security provides a secure, PCI-compliant approach to handling sensitive payment information while allowing FSO users to maintain operational efficiency in dispute management. Whether your organization falls under PCI Level 1 reporting requirements or operates at lower transaction volumes, Card Data Security helps maintain PCI compliance while streamlining dispute operations.</p>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">Why PCI Compliance Matters for Disputes</h2>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">Card dispute workflows fall within PCI DSS scope for four reasons:</p>
<ul>
<li>Dispute flows may store, process, or transmit physical card details during intake and investigation.</li>
<li>Dispute case logs and activity streams may contain sensitive card data.</li>
<li>Card network API responses from <strong>Visa VROL</strong> and <strong>Mastercard MCOM</strong> include PAN data in their payloads.</li>
<li>Merchants may submit evidence containing screenshots, receipts, or statements with cardholder data.</li>
</ul>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">How Tokenization Works</h2>
<ul>
<li>When a card network returns a response containing a PAN, the tokenizer intercepts it and replaces the PAN with a token before it reaches the dispute workflow.</li>
<li>When ServiceNow sends a request containing a tokenized reference, the tokenizer replaces the token with the actual PAN before forwarding the request to the card network.</li>
</ul>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">Key Use Cases</h2>
<ul>
<li>Agents can enter PAN data via a secure iframe container that tokenizes the number before it is stored, keeping the ServiceNow instance out of PCI scope for that data element.</li>
<li>Agents can reveal or mask the full PAN in the Dispute Workspace and transaction record using the <strong>Card Number Reveal Component</strong>, which uses context-aware JWT authentication to detokenize on demand.</li>
<li>Documents received from Visa VROL and Mastercard MCOM (e.g. merchant representment evidence) are stored in the tokenizer service vault, not in ServiceNow. Agents view or download them directly from the vault, keeping sensitive files out of the instance.</li>
</ul>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">Implementation Prerequisites</h2>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">Card Data Security requires significant pre-configuration before the plugin can be installed. Key steps include:</p>
<ul>
<li>Provision the ServiceNow tokenizer service and complete onboarding. Contact your ServiceNow account representative to initiate this.</li>
<li>Install and configure <strong>Visa Spoke</strong> and <strong>Mastercard Spoke</strong> — Card Data Security depends on these integrations to function.</li>
<li>Set up OAuth (JWT Bearer authentication) including JKS file generation, X.509 certificate, JWT key, JWT Provider, OAuth Provider, and Connection &amp; Credential records.</li>
<li>Configure <strong>Tokenizer Resource Configurations</strong> to map each REST message function (VROL, Mastercom) to the tokenizer service endpoints.</li>
</ul>

<div style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; background: #f5f5f5; border-left: 3px solid #107C41; padding: 8px 12px; margin: 12px 0; line-height: 1.5;"><strong>Note:</strong> The customer is responsible for implementation of Card Data Security, including all tokenization and detokenization decisions. The customer remains solely responsible for complying with applicable legal obligations, including PCI DSS requirements.</div>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<h2 style="font-family: Georgia, 'Times New Roman', serif; font-size: 18pt; font-weight: bold; color: #107C41; margin: 32px 0 12px 0; line-height: 1.3;">What's Next</h2>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">Related resources:</p>
<ul>
<li>Full Card Data Security feature reference: <a href="https://www.servicenow.com/docs/r/financial-services-operations/dispute-management/exploring-card-da..." style="color: #0563C1; text-decoration: underline;">Exploring Card Data Security</a> (ServiceNow Docs)</li>
<li>For the Card Data Security Admin and Flow Executor roles, see <a href="https://www.servicenow.com/community/fso-articles/fso-disputes-roles-and-personas/ta-p/3558724" style="color: #0563C1; text-decoration: underline;">FSO Disputes Roles and Personas</a>.</li>
<li>For the Tokenizer Resource Configuration table and Card Data Security fields, see <a href="https://www.servicenow.com/community/fso-articles/fso-disputes-data-model-core-tables-and-key-fields..." style="color: #0563C1; text-decoration: underline;">FSO Disputes Data Model and Core Data Objects</a>.</li>
<li>For the Visa and Mastercard content packs that generate the PAN data Card Data Security tokenizes, see <a href="https://www.servicenow.com/community/fso-articles/disputes-content-pack-for-card-network-rules-visa-..." style="color: #0563C1; text-decoration: underline;">FSO Disputes Content Pack for Card Network Rules</a>.</li>
<li>For Reg E and Reg Z regulatory SLA enforcement alongside PCI compliance, see <a href="https://www.servicenow.com/community/fso-articles/fso-disputes-content-pack-for-us-regulations/ta-p/..." style="color: #0563C1; text-decoration: underline;">FSO Disputes Content Pack for US Regulations</a>.</li>
<li>New to FSO Disputes? Start with <a href="https://www.servicenow.com/community/fso-articles/getting-started-with-fso-disputes/ta-p/3558748" style="color: #0563C1; text-decoration: underline;">Getting Started with FSO Disputes</a> for a full introduction to the dispute lifecycle, operating model, and implementation approach.</li>
<li>For training courses, learning paths, and delivery accreditations, see <a href="https://www.servicenow.com/community/fso-articles/fso-disputes-learning-and-enablement-resources/ta-..." style="color: #0563C1; text-decoration: underline;">FSO Disputes Learning and Enablement Resources</a>.</li>
</ul>

<hr style="border: none; border-bottom: 1px solid #cccccc; margin: 20px 0;">

<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;"><strong>Get Involved:</strong></p>
<ul>
<li><a href="https://www.servicenow.com/community/fso/ct-p/financial-services-operations" style="color: #0563C1; text-decoration: underline;">FSO Community Forum</a> — subscribe for updates and connect with the FSO community.</li>
<li><a href="https://www.youtube.com/playlist?list=PLkGSnjw5y2U7WsOoRXCaJeUnJrcN_aHlD" style="color: #0563C1; text-decoration: underline;">Financial Services Operations YouTube Playlist</a> — review videos and feature walkthroughs.</li>
</ul>
<p style="font-family: Georgia, 'Times New Roman', serif; font-size: 11pt; color: #000000; margin: 8px 0;">Have questions about Card Data Security setup or PCI scope? Comment below.</p>

</div>