
Credit Card Processing Tokenization

Monday, December 13th, 2010

There’s a lot of buzz around Tokenization lately and for a good reason. Format Preserving Tokenization™ is a rising data security model that can be used alone or to augment strong encryption to benefit companies that accept credit card numbers, including credit card processors.

Here’s how it works: Tokens are meaningless surrogate values that replace credit card numbers in systems, applications and databases, while the encrypted values they represent remain locked in a central repository, called a data vault.

This provides a number of benefits for companies that need to protect credit card information, including: safe internal and external token mobility, preservation of the credit card data format, and taking data, applications and systems out of scope for Payment Card Industry Data Security Standard (PCI DSS) compliance and audits.

Several industry organizations are working on tokenization definitions, standards and guidelines. The PCI SSC Scoping Special Interest Group (SIG) is working on definitions and the application of tokens as it relates to PCI DSS and the Accredited Standards Committee X9 is working on a standard to define tokenization requirements related to credit card data in the financial services industry.

Format preserving tokens enable practical applications, such as: post authorization sales and marketing analysis, analytics, loss prevention and fraud detection. For example, a data warehouse program can use format preserving tokens to determine what type of credit card – standard, private label or gift card – was used for a purchase. In this scenario, the data warehouse contains only tokens, not the actual card numbers.

A word of caution for merchants: There is no such thing as token portability between credit card processors. Because of this, companies need to be cautious of vendor lock-in when outsourcing the tokenization of cardholder data to their payment processor. This becomes a problem when the company decides to change processors, because the tokenized values are not transferable. The new credit card processing company has no way to determine which credit card number is linked to each token, so the data is effectively lost.

The solution is in-house tokenization: merchants can avoid this problem by tokenizing credit card data in-house using a commercial off-the-shelf tokenization solution that is properly maintained by its vendor.
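To make the vault model and the portability caveat concrete, here is an added example in Python (not code from this post or from nuBridges): a minimal format-preserving token vault. It assumes that tokens keep the first six and last four digits and randomise the middle, that tokens are deliberately made to fail the Luhn check so none can be mistaken for a live card number, and that a second vault (a new processor) cannot resolve the first vault's tokens; the card number 4111111111111111 is a constructed test value.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod-10) check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


class TokenVault:
    """One processor's (or merchant's) data vault: the only place that maps tokens to PANs."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        # A production vault holds the PAN under strong encryption with separate key
        # management; a plain dict is used here so the example runs with the standard
        # library only (an assumption of this example, not the post's design).
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same card -> same token, so analytics still work
        while True:
            # Keep the BIN (first six) and last four so downstream systems can classify
            # the card and show the customer-visible tail; randomise everything between.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 10))
            token = pan[:6] + middle + pan[-4:]
            # Reject collisions and anything that passes Luhn, so no token is a valid PAN.
            if token != pan and token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str):
        """Only this vault can resolve its own tokens; a foreign token yields None."""
        return self._token_to_pan.get(token)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    merchant = TokenVault("merchant-in-house")
    token = merchant.tokenize(pan)
    print(token, luhn_valid(token))
    print(TokenVault("new-processor").detokenize(token))  # None: tokens are not portable
```

Data stores that hold only the token column never see a PAN, which is the out-of-scope argument; the vault itself stays fully in PCI DSS scope and its detokenize path must be tightly access controlled.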

Gary Palgon,
CISSP, Vice President, Product Management, nuBridges