
What are the PCI DSS compliance benefits of tokenization?

EXPERT RESPONSE FROM: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 13 June 2007
We've heard competitors talk about using something called tokenization to assist merchants with PCI compliance. What is tokenization, is it effective and how should we begin implementing something like this on our own?

Tokenization is a technology that enables a token to replace a credit card number in an electronic transaction. This token or reference number is meant to prevent the theft of the credit card number during electronic transmission and storage of a transaction. Since the reference number can't be used for transactions or fraudulent charges, there is little harm done if it's stolen.

The purpose of tokenization is to meet the Payment Card Industry (PCI) Data Security Standard, which mandates that credit card data can't be stored on the retailer's point of sale (POS) device or its databases after a transaction. This is one of the 12 points in the PCI DSS, which must be met by companies processing credit cards, including banks, retailers and merchants.

Many merchants have complained that in order to be PCI compliant, they will have to make expensive upgrades or replacements to their POS systems. Tokenization makes POS systems compliant without costly changes by using a 16-digit randomly generated number resembling a card number. The only numbers from the original card are its last four digits, which become the first four of the token. Using only these four numbers, the token is still PCI compliant.

Tokenization was invented by Shift4 Corp., which developed a driver for POS software to generate and accept tokens. The only thing merchants have to do is install the driver on their POS equipment. The driver is substantially cheaper than replacing or upgrading POS hardware to encrypt card numbers, which would otherwise be required for PCI compliance.

Is tokenization effective? For the time being, it probably is. Of course, eventually some clever hacker will probably find a way to beat the system. But right now it offers both PCI compliance and some level of network security -- the best of both worlds for merchants using credit cards.

For more information:

  • Learn how network isolation can boost a PCI compliance strategy.
  • In this tip, security expert Mike Chapple discusses how PCI DSS has changed and how these changes will affect compliance and business processes.
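
The token format described in the answer (16 digits, the card's last four digits leading, the rest random) can be sketched as follows. This is an added example, not code from the original answer or from Shift4's driver; `TokenVault` and `merchant_record` are hypothetical names, the in-memory dictionaries stand in for a processor-side vault, and the card number used with it is a constructed test value.

```python
import secrets


class TokenVault:
    """In-memory stand-in for a processor-side token vault (hypothetical)."""

    def __init__(self):
        self._by_token = {}  # token -> card number; the only place it is kept
        self._by_pan = {}    # card number -> token (assumed: repeat card, same token)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Last four card digits become the first four of the token;
            # the other 12 digits come from the OS CSPRNG, so the token
            # carries no recoverable information about the rest of the card.
            filler = "".join(secrets.choice("0123456789") for _ in range(12))
            token = pan[-4:] + filler
            # Reject collisions and the (unlikely) case token == card number.
            if token not in self._by_token and token != pan:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can map a token back; a stolen token alone is useless.
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS or merchant database keeps: the token, never the card number."""
    return {"card_ref": vault.tokenize(pan), "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number, not a real account.
    print(merchant_record(vault, "4111 1111 1111 1111", 1999))
```
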

