Ask The Security Expert: Questions & Answers
What are the PCI DSS compliance benefits of tokenization?

Expert response from: Joel Dubin, past SearchSecurity.com expert

QUESTION POSED ON: 13 June 2007
We've heard competitors talk about using something called tokenization to assist merchants with PCI compliance. What is tokenization, is it effective and how should we begin implementing something like this on our own?

Tokenization is a technology that enables a token to replace a credit card number in an electronic transaction. This token or reference number is meant to prevent the theft of the credit card number during electronic transmission and storage of a transaction. Since the reference number can't be used for transactions or fraudulent charges, there is little harm done if it's stolen.

The purpose of tokenization is to meet the Payment Card Industry (PCI) Data Security Standard, which mandates that credit card data can't be stored on the retailer's point-of-sale (POS) device or its databases after a transaction. This is one of the 12 points in the PCI DSS, which must be met by companies processing credit cards, including banks, retailers and merchants.

Many merchants have complained that in order to be PCI compliant, they will have to make expensive upgrades or replacements to their POS systems. Tokenization makes POS systems compliant without costly changes by using a 16-digit randomly generated number resembling a card number. The only numbers from the original card are its last four digits, which become the first four of the token. Using only these four numbers, the token is still PCI compliant.

Tokenization was invented by Shift4 Corp., which developed a driver for POS software to generate and accept tokens. The only thing merchants have to do is install the driver on their POS equipment. The driver is substantially cheaper than replacing or upgrading POS hardware to encrypt card numbers, which would otherwise be required for PCI compliance.

Is tokenization effective? For the time being, it probably is. Of course, eventually some clever hacker will probably find a way to beat the system. But right now it offers both PCI compliance and some level of network security -- the best of both worlds for merchants using credit cards.

For more information:

  • Learn how network isolation can boost a PCI compliance strategy.
  • In this tip, security expert Mike Chapple discusses how PCI DSS has changed and how these changes will affect compliance and business processes.
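The token format the answer describes (a 16-digit value that looks like a card number, with the original card's last four digits carried over as the token's first four and the rest randomly generated), worked through as an added example; this is illustrative code written for this page, not the original answer's or Shift4's implementation, and the TokenVault class, its method names and the test card number are all constructed here. The vault is the only component that ever holds the real card number; the merchant's POS and databases keep only the token.

```python
import secrets
from typing import Dict, Optional

class TokenVault:
    """Constructed single-process token vault for illustration.

    Only the vault stores real card numbers (PANs); everything
    outside it, such as the POS system, sees tokens only. A stolen
    token cannot be turned back into a PAN without this mapping.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}
        self._token_by_pan: Dict[str, str] = {}

    @staticmethod
    def _looks_like_pan(pan: str) -> bool:
        # Card numbers are 13 to 19 digits; reject anything else.
        return pan.isdigit() and 13 <= len(pan) <= 19

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first use."""
        if not self._looks_like_pan(pan):
            raise ValueError("PAN must be 13-19 digits")
        existing = self._token_by_pan.get(pan)
        if existing is not None:
            return existing          # same card always maps to the same token
        prefix = pan[-4:]            # last four of the card become the token's first four
        while True:
            # The remaining 12 digits come from a CSPRNG, not from the PAN,
            # so the token carries no information beyond those four digits.
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = prefix + body
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Resolve a token back to its PAN; None if this vault never issued it."""
        return self._pan_by_token.get(token)

def retained_digits(token: str, pan: str) -> str:
    """The only PAN digits visible in the token: its first four."""
    return token[:4] if token[:4] == pan[-4:] else ""
```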