PCI compliance requirements
Any business that accepts credit cards has to handle card data. The growth of the payment card industry was accompanied by growing risks of credit card fraud of various kinds and of identity theft. To protect cardholder data from being stolen or compromised, the so-called PCI compliance requirements were introduced. To comply with them, a business has to go through a regular PCI audit procedure.
Depending on the transaction volume it processes, every business is classified into one of four PCI compliance levels. For level 1 merchants, who process larger volumes of transactions, the PCI audit is more rigorous and costly, while level 4 merchants only have to fill out a self-assessment questionnaire.
How to reduce PCI scope
As soon as a card number enters a company's payment processing software, the company falls into PCI scope. Several approaches allow businesses to reduce their PCI scope, or even leave it entirely. One of the most common is tokenization of card data: the actual card numbers are replaced by tokens generated by some algorithm, so the company's own systems handle tokens instead of card numbers. Another approach, sometimes referred to as customer profiling, keeps the whole profile of a customer on a PCI-compliant server. This approach is especially relevant for subscription-based businesses, which need cardholder data at hand for recurring billing.
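To make the tokenization approach concrete, here is an added example in Python; it is not code from this page or from Paylosophy. It assumes a simple split: a `TokenVault` class standing in for the PCI-scoped system that holds the actual card numbers, and a merchant-side record that stores only the token and the last four digits. The vault reuses the same token for the same card (looked up by an HMAC fingerprint under a vault-side key) so recurring billing works without the merchant ever storing the number, and a `record_contains_pan` check scans merchant-side records for anything that looks like a full card number, which is the kind of check used to confirm that card data has not leaked back into scope. The card numbers are the publicly known Visa and Mastercard test numbers; every name and the demo key are this example's own.

```python
# Added example (not from the page or Paylosophy): a toy tokenization vault
# illustrating how card numbers can be kept out of a merchant's own systems.
import hashlib
import hmac
import re
import secrets


def clean_pan(pan: str) -> str:
    """Strip the spaces and dashes people type between digit groups."""
    return re.sub(r"[ -]", "", pan)


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` form a 13-19 digit Luhn-valid number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stands in for the PCI-scoped system: the only place a full PAN is stored."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # vault-side secret, never shared with the merchant
        self._pan_by_token = {}  # token -> PAN
        self._token_by_fingerprint = {}  # HMAC(PAN) -> token, for token reuse

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash so the lookup index is not a plain, guessable hash of the PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a random token; the same card always gets the same token."""
        pan = clean_pan(pan)
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        fp = self._fingerprint(pan)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._pan_by_token[token] = pan
            self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when it submits a charge) can map a token back."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, customer_id: str, pan: str) -> dict:
    """What the merchant keeps: a token and the last four digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"customer_id": customer_id, "card_token": token, "last4": clean_pan(pan)[-4:]}


# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer word.
PAN_PATTERN = re.compile(r"(?<!\w)\d(?:[ -]?\d){12,18}(?!\w)")


def record_contains_pan(record: dict) -> bool:
    """Scope check: flag any string field holding a Luhn-valid 13-19 digit run."""
    for value in record.values():
        if isinstance(value, str):
            for match in PAN_PATTERN.finditer(value):
                if luhn_valid(match.group()):
                    return True
    return False


if __name__ == "__main__":
    vault = TokenVault(index_key=b"constructed-demo-key")
    rec = merchant_record(vault, "cust-42", "4111 1111 1111 1111")  # Visa test number
    print(rec, "in scope:", record_contains_pan(rec))
```

The merchant-side record passes the scope check because it carries only the token and the last four digits; a free-text notes field into which someone pasted a full card number fails it, which is exactly the situation that pulls a system back into PCI scope.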
More information on PCI compliance, card tokenization, and cardholder data storage and handling can be found in the respective series of articles on the Paylosophy.com blog.