We are considering the implementation of a credit card tokenization system to support Payment Card Industry Data Security Standard (PCI DSS) compliance. For our environment, tokenization would ease compatibility with interconnected systems, whereas encryption would be much more challenging. However, does tokenization guarantee that we'll be able to scope out systems that would otherwise have to receive card data?
Tokenization is a fantastic way to reduce PCI scope for an organization. Systems that use tokenization essentially replace sensitive information (in this case, a credit card number) with nonsensitive information (a dummy data value known as a "token"). However, depending upon the specific tokenization mechanism used, it may be possible to reverse the process and retrieve the credit card number from the token.
The major benefit tokenization provides is that tokens (unless they can be reversed) are not sensitive information, and systems that need some way to reference a credit card number can store tokens without falling into scope of PCI DSS compliance. The situation you outline in your question (feeding data to external systems) sounds like an appropriate use of tokenization.
The PCI Security Standards Council, in its Tokenization Guidelines, outlines eight specific characteristics that tokenization solutions must meet:
- Tokenization systems must not reverse tokens to credit card numbers for any component outside of the organization's cardholder data environment.
- Systems performing the tokenization must be on secure internal networks that are isolated from out-of-scope networks.
- Untrusted communication must be prohibited in and out of the tokenization system.
- The solution must be built upon strong cryptography.
- The solution must meet the access control and authentication requirements in PCI DSS Sections 7 and 8.
- The solution must be securely configured with vulnerabilities remediated.
- The solution must implement the organization's data retention policy by securely deleting cardholder data when it is no longer necessary for meeting business requirements.
- The solution must provide appropriate monitoring, alerting and logging capabilities.
If your tokenization system meets these criteria, it is likely a great way to reduce the scope of your cardholder data environment and ease your PCI DSS compliance process.
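The following added example (not part of the original answer and not taken from the PCI guidelines) shows vault-based tokenization with random tokens, detokenization refused for callers outside the cardholder data environment, retention-based purging, and an audit log that never records the card number. The `TokenVault` class, the zone labels and the `tok_` prefix are assumptions for illustration; the string zone check stands in for real authentication, and deletion here is in-memory rather than secure erasure.

```python
import secrets
from datetime import datetime, timedelta, timezone

def luhn_ok(pan: str) -> bool:
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    digits = [int(d) for d in reversed(pan)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault that lives inside the cardholder data environment (CDE)."""
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._by_token = {}  # token -> (pan, stored_at)
        self._by_pan = {}    # pan -> token, so a card always maps to the same token
        self.audit = []      # (timestamp, event, caller_zone, token); never the PAN

    def tokenize(self, pan, zone, now=None):
        now = now or datetime.now(timezone.utc)
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = self._by_pan.get(pan)
        if token is None:
            # Random value with no mathematical link to the PAN, so a system
            # holding only the token cannot derive the card number from it.
            token = "tok_" + secrets.token_hex(16)
            self._by_pan[pan] = token
            self._by_token[token] = (pan, now)
        self.audit.append((now, "tokenize", zone, token))
        return token

    def detokenize(self, token, zone, now=None):
        now = now or datetime.now(timezone.utc)
        if zone != "cde":  # never reverse a token for a caller outside the CDE
            self.audit.append((now, "detokenize_denied", zone, token))
            raise PermissionError("detokenization is only available inside the CDE")
        pan, _ = self._by_token[token]  # KeyError if unknown or already purged
        self.audit.append((now, "detokenize", zone, token))
        return pan

    def purge(self, now=None):
        """Retention policy: drop mappings older than the retention period."""
        now = now or datetime.now(timezone.utc)
        expired = [t for t, (_, ts) in self._by_token.items() if now - ts > self.retention]
        for t in expired:
            pan, _ = self._by_token.pop(t)
            del self._by_pan[pan]
            self.audit.append((now, "purge", "cde", t))
        return len(expired)
```

Downstream systems that store only the returned token hold nothing that can be turned back into a card number without a call into the vault, which is the property the scope reduction depends on.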