My organization has a client that currently stores credit card details with us, but we are going to transition them to storing just tokens instead and letting the credit card service handle the personal card information.

From a PCI DSS compliance perspective, what is the difference between passing credit card information through our system and redirecting the customer to another system for input values?
The news may be quite good for your organization. Tokenization is the process of replacing a credit card number with a replacement value that is unrelated to the card number itself. Properly implemented tokenization systems make it virtually impossible to reverse-engineer the tokenization process and retrieve the original credit card number.
In this case, your client is, and will always be, subject to PCI DSS merchant requirements under the terms of its contract with its bank. The client may, however, take steps to reduce its compliance burden by limiting the amount of card information that it handles and the scope of the systems involved in those transactions. If the organization is able to successfully outsource credit card processing and never handle cardholder information, its compliance burden is reduced to a minimum set of practices to ensure that the appropriate policy and administrative controls are in place, as outlined in Self-Assessment Questionnaire A.
Your organization, on the other hand, is not considered a merchant because it doesn't accept credit cards on its own behalf. Up until now, you were a service provider under PCI DSS requirements because you stored credit card information on behalf of a client, the merchant. The applicable language in PCI DSS says that merchants may use service providers to "store, process or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers." Cardholder data is specifically defined as credit card numbers, cardholder names, expiration dates and service codes.
If the client is no longer using your systems to store, process or transmit cardholder information, which would be the case if tokenization is used, your organization is probably no longer considered a service provider. If that is the case, you have no obligations under the PCI DSS service provider requirements.
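As an added illustration of the tokenization the answer describes (example code written for this page, not from TechTarget or the expert), the vault below issues random tokens that carry no information about the card number, so the merchant side keeps only a token and a display-safe last four; the class and function names are hypothetical and the card number is the standard Visa test number.

```python
import re
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: rejects mistyped numbers before they reach the vault."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the card service: the only place the PAN exists."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        # Random token: nothing about the PAN is encoded in it, so it cannot
        # be reversed, and the same card gets a fresh token on every call.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the card service (never the merchant) calls this."""
        return self._pan_by_token[token]


def merchant_record(vault: TokenVault, pan: str) -> dict:
    """What the merchant side stores: the token plus a truncated PAN for display."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": re.sub(r"\D", "", pan)[-4:]}


def token_leaks_pan(token: str, pan: str) -> bool:
    """Sanity check: no run of six or more PAN digits appears in the token."""
    digits = re.sub(r"\D", "", pan)
    return any(digits[i:i + 6] in token for i in range(len(digits) - 5))
```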