In your tip regarding PCI and tokenization, you say tokenization of credit card numbers can satisfy the PCI requirements...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
for storing cardholder data. I have heard that tokenization was not sufficient because the token could be used for charges and credits, just like a credit card, and therefore should be considered as a credit card number. Is this true?
The key issue here is whether the token can be used, like a credit card number, for making purchases. The whole point of the token was to avoid this situation. The token was meant to be a replacement for the card number; that token would then be useless to a thief.
First, let's quickly review tokenization and the Payment Card Industry (PCI) Data Security Standard. One of the 12 points of PCI is that credit card numbers can't be stored on a retailer's point-of-sale (POS) device or its databases after the transaction. To be PCI compliant, merchants who currently don't encrypt such data will have to install expensive encryption systems on their POS systems.
Tokenization, on the other hand, is a technology developed by Shift4 Corp., which involves an easy-to-install driver on POS systems. The driver converts the credit card into a token, or random 16-digit number resembling a credit card number. The difference is that this number is supposedly useless to anyone who might sniff it or steal it.
The PCI standard is currently being revised, and the next version is expected to be released next year. So it's hard to predict exactly how the revised standard will view tokenization. It's probably safe to say that if the token can be used like a credit card number, it probably won't then meet PCI credit card compliance standards anymore.
For a more authoritative answer, contact the PCI Security Standards Council directly. It will provide a written answer that will satisfy your auditors and the qualified security assessors (QSA) mandated by PCI to conduct annual reviews of companies using credit cards.
- In this expert Q&A, Joel Dubin discusses the vulnerabilities of one-time password (OTP) token authentication, including man-in-the-middle attacks.
- In this learning guide, contributor Craig Norris explains how to successfully implement PCI's five toughest requirements.
Related Q&A from Joel Dubin
After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ...continue reading
In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well ...continue reading
When working with PeopleSoft and Unix, which single sign-on (SSO) vendors offer the most effective products? Learn how to choose an SSO product in ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.