Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > What are the PCI DSS compliance benefits of tokenization?
Ask The Security Expert: Questions & Answers
EMAIL THIS

What are the PCI DSS compliance benefits of tokenization?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 13 June 2007
We've heard competitors talk about using something called tokenization to assist merchants with PCI compliance. What is tokenization, is it effective and how should we begin implementing something like this on our own?

>
EXPERT RESPONSE
Tokenization is a technology that enables a token to replace a credit card number in an electronic transaction. This token or reference number is meant to prevent the theft of the credit card number during electronic transmission and storage of a transaction. Since the reference number can't be used for transactions or fraudulent charges, there is little harm done if it's stolen.

The purpose of tokenization is to meet the Payment Card Industry (PCI) Data Security standard, which mandates that credit card data can't be stored on the retailer's point of sale (POS) device or its databases after a transaction. This is one of the 12 points in the PCI DSS, which must be met by companies processing credit cards, including banks, retailers and merchants.

Many merchants have complained that in order to be PCI compliant, they will have to make expensive upgrades or replacements to their POS systems. Tokenization makes POS systems compliant without costly changes by using a 16-digit randomly generated number resembling a card number. The only numbers from the original card are its last four digits, which become the first four of the token. Using only these four numbers, the token is still PCI compliant.

Tokenization was invented by Shift4 Corp., which developed a driver for POS software to generate and accept tokens. The only thing merchants have to do is install the driver on their POS equipment. The driver is substantially cheaper than replacing or upgrading POS hardware to encrypt card numbers, which would otherwise be required for PCI compliance.

Is tokenization effective? For the time being, it probably is. Of course, eventually some clever hacker will probably find a way to beat the system. But right now it offers both PCI compliance and some level of network security -- the best of both worlds for merchants using credit cards.

For more information:

  • Learn how network isolation can boost a PCI compliance strategy.
  • In this tip, security expert Mike Chapple discusses how PCI DSS has changed and how these changes will affect compliance and business processes.


    • Sound Off! -   Be the first to post a message to Sound Off!


    Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    CardSpace vs. user IDs and passwords
    Biometrics vs. biostatistics
    What are the dangers of using radio frequency identification (RFID) tags?
    What are the risks of connecting a Web service to an external system via SSL?
    What should an internal support model for identity management look like?
    What precautions should be taken if biometric data is compromised?
    How to choose the right biometric security product
    How to prevent hackers from accessing your router security password
    How does identity propagation work?
    Is it secure to use .NET membership class for user authentication?

    Tokens and Smart Cards
    Product review: Secure Computing SafeWord 2008
    Video: Changes ahead for MIT Kerberos Consortium
    Kerberos: Authentication with some drawbacks
    What are the dangers of using radio frequency identification (RFID) tags?
    Smart card deployment: How to know if it's smart for your enterprise
    Can tokenization of credit card numbers satisfy PCI requirements?
    Is there a way to bridge physical and logical security without using smart cards or biometrics?
    Preparing for integrated physical and logical access control: The common authenticator
    Are one-time password tokens susceptible to man-in-the-middle attacks?
    Compliance benefits of tokenization

    PCI Data Security Standard
    PCI Requirement 6.6 has merchants gearing up
    PCI compliance extends to car washes, quick lubes
    PCI council to launch assessor quality assurance program
    The 'security standards dilemma': Network segmentation and PCI Compliance
    NSS Labs to focus research on PCI technologies
    PCI Confusion
    Trio indicted in restaurant data security breach
    PCI portal aims compliance guidance at smaller merchants
    PCI compliance and Web applications: Code review or firewalls?
    How to test the security of personal details submitted to a website

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    authentication server  (SearchSecurity.com)
    Chameleon Card  (SearchSecurity.com)
    key chain  (SearchSecurity.com)
    key fob  (SearchSecurity.com)
    key string  (SearchSecurity.com)
    national identity card  (SearchSecurity.com)
    security token  (SearchSecurity.com)
    smart card  (SearchSecurity.com)
    tokenization  (SearchSecurity.com)
    two-factor authentication  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice

    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts