At times, there can be confusion in the industry surrounding tokenization, a process designed by technology providers as a means to secure cardholder data while providing merchants with the functionality needed to run their businesses. Last week, the PCI SSC sought to answer questions surrounding this technology with the scheduled release of the PCI Data Security Standard (PCI DSS) tokenization guideline. The guideline is designed to give merchants a better understanding of how they can incorporate tokenization into their card payment security strategy, and of how those efforts relate to, and affect, compliance with the PCI DSS.
At its simplest level, tokenization replaces a primary account number (PAN) at the point of sale with a surrogate value called a “token” to improve data security. If tokenization is used properly, the merchant then has no need to retain the PAN in its payment system once the transaction is processed. This minimizes the amount of cardholder data a business keeps on hand, which bolsters the security of card transactions while also limiting the cost and complexity of meeting compliance requirements.
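To make the mechanism concrete, here is an added example (not code from the post, the PCI SSC, or any real token service provider) of a minimal token vault in Python. It assumes a hypothetical `TokenVault` class operated by the service provider: the PAN is stored only inside the vault, the token handed back to the merchant is random rather than derived from the PAN, the last four digits are preserved for receipts, and detokenization is restricted to a hypothetical `payment-processor` role so the merchant's own systems never hold the PAN. The card number used is the well-known Visa test number, constructed for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault rejects obviously malformed PANs."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token service provider vault (constructed example).

    The PAN lives only in this object. Everything the merchant stores or
    logs is the token, which carries no information about the PAN beyond
    the last four digits.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        # Same PAN maps to the same token so the merchant can recognise a
        # returning card without ever seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # The token is random, not an encryption or hash of the PAN, so it
        # cannot be reversed without access to the vault itself.
        while True:
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the payment-processing role may recover a PAN; merchant
        # applications are never granted this role.
        if caller_role != "payment-processor":
            raise PermissionError("caller is not permitted to detokenize")
        return self._token_to_pan[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's own database keeps after a sale: token, not PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, "4111111111111111", 1999)
    print(record)   # contains the token and last four digits, never the PAN
```

The point the guideline makes about scope follows directly from the design: because `merchant_record` never returns the PAN and `detokenize` refuses any caller that is not the processor, the systems that store these records hold no cardholder data to protect.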
Unlike several other well-known technologies in the industry, tokenization has no standards of its own. So while the technology provides great value, some merchants still need guidance on best practices for incorporating tokenization so that it works best for their business and their customers. It is important to understand that tokenization is not an alternative to the standards: merchants still have to comply with the PCI DSS.
The tokenization guidelines released by the PCI SSC should help merchants understand the options surrounding the technology and how it fits their business’s needs. The guidelines will also benefit tokenization service providers and assessors by clarifying how the technology can limit or eliminate scope by transferring responsibility for storing sensitive cardholder data away from the merchant to a payments technology provider. This is especially valuable because it also simplifies the PCI DSS assessment process by reducing the number of requirements applicable to the merchant’s environment.