
What do merchants need to know about PCI tokenization guidelines?

New guidance from the PCI SSC includes some essential aspects of tokenization security and what merchants need to know about tokenization products.

The PCI Security Standards Council (SSC) recently released new tokenization product guidelines for vendors that make payment data tokenization offerings. While the guidelines are written for vendors, what can merchants take away regarding essential aspects of sound tokenization products?

The Tokenization Product Security Guidelines offer 84 pages of detailed technical guidance for developers of payment card tokenization products. While most merchants won't ever deal with the inner workings of tokenization systems, the content and complexity of the guidelines do offer some insight into tokenization security that is relevant to merchants.

Merchants should understand that there are different types of tokenization. The first major category is irreversible tokens: tokens that cannot be converted back to the credit card number. These tokens may be used for authentication or logging purposes, but anyone holding the token cannot use it to obtain the sensitive credit card number. The second category is reversible tokens, which may be "detokenized" to retrieve the original card number. Such a token may be created either by strongly encrypting the credit card number or by replacing it with a value from a secure lookup table. Merchants should understand the different types of tokenization when selecting security technologies for use in their cardholder data environments.
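To make the two categories concrete, here is an added example (not code from the article, the PCI SSC, or any vendor product) that models both. It assumes a keyed hash for the irreversible token (the article does not say how such tokens are built) and a random lookup table, i.e. a token vault, for the reversible one; the key, the vault and the card numbers are all constructed for the demo.

```python
"""Added example, not code from the article or the PCI SSC: a minimal model of the
two token categories the answer describes. Irreversible tokens are a keyed hash
(assumption: the article does not say how they are built); reversible tokens
come from a random lookup table, i.e. a token vault."""
import hashlib
import hmac
import secrets

# Constructed key for the demo. A real product keeps this in an HSM/KMS.
DEMO_HMAC_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Reject input that is not a plausible card number before tokenizing."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def irreversible_token(pan: str, key: bytes = DEMO_HMAC_KEY) -> str:
    """Keyed hash of the PAN. The same PAN always yields the same token, so
    logs and fraud systems can correlate on it, but nothing in the token lets
    its holder recover the PAN. The key matters: an unkeyed hash of a PAN
    whose BIN is known has far too little entropy to resist guessing."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    digest = hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()
    return "irr_" + digest[:24]


class TokenVault:
    """Reversible tokenization by secure lookup table. The token carries no
    information about the PAN beyond the last four digits kept for display;
    only the vault can map it back."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing
        while True:  # random token; retry on the (unlikely) collision
            token = "tok_" + secrets.token_hex(8) + pan[-4:]
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with access to the vault can do this; merchant systems
        outside the cardholder data environment never need to."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed, well-known test card number
    print("irreversible:", irreversible_token(test_pan))
    vault = TokenVault()
    tok = vault.tokenize(test_pan)
    print("reversible:", tok, "->", vault.detokenize(tok))
```

The contrast is the point: the irreversible token has no detokenize operation at all, so a leaked token from a log file exposes nothing, whereas the vault token is only as safe as the vault that holds the mapping, which is why that vault (and the key for the hash) belongs inside a hardened, vendor-supplied system rather than in merchant code.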

Merchants should also realize that tokenization is a complex process and, except in extremely unusual circumstances, they should not attempt to develop tokenization technology on their own. It's safer to acquire a product or service from a vendor that carefully follows the tokenization security guidelines.

Finally, the details within the guidelines offer a great template for procurement processes. When merchants seek a new payment card processing system and wish to use tokenization, they might simply incorporate the tokenization security guidelines by reference. For example, the contract might include language like "Products and services supplied under this agreement must comply with the Tokenization Product Security Guidelines issued by the Payment Card Industry Security Standards Council in April 2015."


This was last published in September 2015
