New PCI Security Standards Council Tokenization Guidelines Aim To Increase Security & Simplicity
The PCI (payment card industry) Security Standards Council released a supplement to its PCI Data Security Standard (DSS) guidelines with a document on tokenization. (Version 2.0 of the PCI DSS was released in October 2010.)
Put simply, tokenization allows merchants to generate non-sensitive values as a stand-in for Primary Account Numbers (PANs), thereby obviating the need for a merchant to keep those sensitive numbers in its cardholder data environment (CDE).
There are many tokenization products on the market but no industry standards for implementing them. The PCI Security Standards Council stated in a press release that the newly-released tokenization guidelines “[provide] stakeholders with suggested guidelines for developing, evaluating, or implementing a tokenization solution, including insights on how a tokenization solution may impact scope of PCI DSS compliance efforts.”
The PCI Security Standards Council's Tokenization Guidelines Supplement to the PCI Data Security Standard
According to the press release, the document includes information on:
Although more uniform tokenization can help increase security in the payment card industry, that bit about compliance insights is highly valuable to merchants and tokenization service providers. A survey published early this year (sponsored by Cisco) established that PCI security compliance is "burdensome but necessary" for companies. These guidelines can help tokenization service providers assist merchants in reducing the scope of their CDEs, which in turn reduces the scope of their annual PCI security compliance check-up.
Thus, the guidelines are designed to benefit all parties up and down the payment chain: tokenization providers can improve their product offering; merchants have less data to handle and simpler compliance assessments to deal with; and customers enjoy greater security for their transactions and sensitive data.
Put simply, tokenization allows merchants to generate non-sensitive values as a stand-in for Primary Account Numbers (PANs), thereby obviating the need for a merchant to keep those sensitive numbers in its cardholder data environment (CDE).
There are many tokenization products on the market but no industry standards for implementing them. The PCI Security Standards Council stated in a press release that the newly-released tokenization guidelines “[provide] stakeholders with suggested guidelines for developing, evaluating, or implementing a tokenization solution, including insights on how a tokenization solution may impact scope of PCI DSS compliance efforts.”
The PCI Security Standards Council's Tokenization Guidelines Supplement to the PCI Data Security Standard
According to the press release, the document includes information on:
-Outlining explicit scoping elements for consideration
-Providing recommendations on scope reduction, the tokenization process itself,
deployment and operation factors
-Detailing best practices for selecting a tokenization solution
-Defining the domains, or areas that specific controls need to be applied and
validated, where tokenization could potentially minimize the card data
environment
Although more uniform tokenization can help increase security in the payment card industry, that bit about compliance insights is highly valuable to merchants and tokenization service providers. A survey published early this year (sponsored by Cisco) established that PCI security compliance is "burdensome but necessary" for companies. These guidelines can help tokenization service providers assist merchants in reducing the scope of their CDEs, which in turn reduces the scope of their annual PCI security compliance check-up.
Thus, the guidelines are designed to benefit all parties up and down the payment chain: tokenization providers can improve their product offering; merchants have less data to handle and simpler compliance assessments to deal with; and customers enjoy greater security for their transactions and sensitive data.
