Rahul_Sanghi
ServiceNow Employee

Disputes Card Data Security and PCI Compliance

Objective

The Card Data Security application [sn_data_sec] protects FSO Disputes from PCI DSS scope exposure by tokenizing sensitive payment card data before it reaches the ServiceNow instance. This article covers why PCI compliance is relevant to dispute workflows, how the tokenization proxy works, the key use cases it enables, and the implementation prerequisites every team must complete before installing the plugin.


Overview

The Card Data Security application embeds a tokenization service that enables FSO customers to configure which data is tokenized and detokenized for Dispute Cases and Dispute Transactions, meeting Payment Card Industry (PCI) requirements.

The application acts as a secure passthrough proxy between the ServiceNow instance and card networks. It substitutes sensitive Primary Account Number (PAN) data and documents with non-sensitive token values, preventing raw card data from ever being stored in the ServiceNow instance.

Card Data Security provides a secure, PCI-compliant approach to sensitive payment information while allowing FSO users to maintain operational efficiency in dispute management. Whether your organization falls under PCI Level 1 reporting requirements or operates at lower transaction volumes, Card Data Security helps maintain PCI compliance while streamlining dispute operations.


Why PCI Compliance Matters for Disputes

Card dispute workflows fall within PCI DSS scope for four reasons:

  • Dispute flows may store, process, or transmit physical card details during intake and investigation.
  • Dispute case logs and activity streams may contain sensitive card data.
  • Card network API responses from Visa VROL and Mastercard MCOM include PAN data in their payloads.
  • Merchants may submit evidence containing screenshots, receipts, or statements with cardholder data.

How Tokenization Works

  • When a card network returns a response containing a PAN, the tokenizer intercepts it and replaces the PAN with a token before it reaches the dispute workflow.
  • When ServiceNow sends a request containing a tokenized reference, the tokenizer substitutes the token with the actual PAN before forwarding the request to the card network.

Key Use Cases

  • Agents can enter PAN data via a secure iframe container that tokenizes the number before it is stored, keeping the ServiceNow instance out of PCI scope for that data element.
  • Agents can reveal or mask the full PAN in the Dispute Workspace and transaction record using the Card Number Reveal Component, which uses context-aware JWT authentication to detokenize on demand.
  • Documents received from Visa VROL and Mastercard MCOM (e.g. merchant representment evidence) are stored in the tokenizer service vault, not in ServiceNow. Agents view or download them directly from the vault, keeping sensitive files out of the instance.

Implementation Prerequisites

Card Data Security requires significant pre-configuration before the plugin can be installed. Key steps include:

  • Provision the ServiceNow tokenizer service and complete onboarding. Contact your ServiceNow account representative to initiate this.
  • Install and configure Visa Spoke and Mastercard Spoke — Card Data Security depends on these integrations to function.
  • Set up OAuth (JWT Bearer authentication) including JKS file generation, X.509 certificate, JWT key, JWT Provider, OAuth Provider, and Connection & Credential records.
  • Configure Tokenizer Resource Configurations to map each REST message function (VROL, Mastercom) to the tokenizer service endpoints.
Note: The customer is responsible for implementation of Card Data Security, including all tokenization and detokenization decisions. The customer remains solely responsible for complying with applicable legal obligations, including PCI DSS requirements.

What's Next

Related resources:


Get Involved:

Have questions about Card Data Security setup or PCI scope? Comment below.