The key issue here is whether the token can be used, like a credit card number, for making purchases. The whole point of the token was to avoid this situation. The token was meant to be a replacement for the card number; that token would then be useless to a thief.
First, let's quickly review tokenization and the Payment Card Industry (PCI) Data Security Standard. One of the 12 points of PCI is that credit card numbers can't be stored on a retailer's point-of-sale (POS) device or its databases after the transaction. To be PCI compliant, merchants who currently don't encrypt such data will have to install expensive encryption systems on their POS systems.
Tokenization, on the other hand, is a technology developed by Shift4 Corp., which involves an easy-to-install driver on POS systems. The driver converts the credit card into a token, or random 16-digit number resembling a credit card number. The difference is that this number is supposedly useless to anyone who might sniff it or steal it.
The PCI standard is currently being revised, and the next version is expected to be released next year. So it's hard to predict exactly how the revised standard will view tokenization. It's probably safe to say that if the token can be used like a credit card number, it probably won't then meet PCI credit card compliance standards anymore.
For a more authoritative answer, contact the PCI Security Standards Council directly. It will provide a written answer that will satisfy your auditors and the qualified security assessors (QSA) mandated by PCI to conduct annual reviews of companies using credit cards.
For more information:
- In this expert Q&A, Joel Dubin discusses the vulnerabilities of one-time password (OTP) token authentication, including man-in-the-middle attacks.
- In this learning guide, contributor Craig Norris explains how to successfully implement PCI's five toughest requirements.
This was first published in October 2007