Ask the Expert

Can tokenization of credit card numbers satisfy PCI requirements?

In your tip regarding PCI and tokenization, you say tokenization of credit card numbers can satisfy the PCI requirements for storing cardholder data. I have heard that tokenization was not sufficient because the token could be used for charges and credits, just like a credit card, and therefore should be considered as a credit card number. Is this true?

    Requires Free Membership to View

The key issue here is whether the token can be used, like a credit card number, for making purchases. The whole point of the token was to avoid this situation. The token was meant to be a replacement for the card number; that token would then be useless to a thief.

First, let's quickly review tokenization and the Payment Card Industry (PCI) Data Security Standard. One of the 12 points of PCI is that credit card numbers can't be stored on a retailer's point-of-sale (POS) device or its databases after the transaction. To be PCI compliant, merchants who currently don't encrypt such data will have to install expensive encryption systems on their POS systems.

Tokenization, on the other hand, is a technology developed by Shift4 Corp., which involves an easy-to-install driver on POS systems. The driver converts the credit card into a token, or random 16-digit number resembling a credit card number. The difference is that this number is supposedly useless to anyone who might sniff it or steal it.

The PCI standard is currently being revised, and the next version is expected to be released next year. So it's hard to predict exactly how the revised standard will view tokenization. It's probably safe to say that if the token can be used like a credit card number, it probably won't then meet PCI credit card compliance standards anymore.

For a more authoritative answer, contact the PCI Security Standards Council directly. It will provide a written answer that will satisfy your auditors and the qualified security assessors (QSA) mandated by PCI to conduct annual reviews of companies using credit cards.

For more information:

This was first published in October 2007

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: