SAN FRANCISCO -- Tokenization technology has the potential to protect credit card data while reducing the scope of a PCI DSS assessment, but a lack of standards and some complexity issues are cause for concern, panelists said
The technology, which replaces payment card data with a unique value or token after authorization has taken place, is being touted by multiple vendors and several different payment processors. It supports the long-term goal of not exposing any customer data, said John Pescatore, vice president and analyst at Stamford, Conn.-based Gartner Inc. Tokenization also supports the next biggest challenge: the process of segmenting networks to keep credit card data in a centralized location.
"Tokenization fits in as a strategy of shrinking the size of cardholder data environment and minimizing the scope of the assessment," Pescatore said.
Minimizing the scope of an assessment was a priority for Amtrak, a Level-1 merchant that achieved PCI DSS compliance last year. Ron Baklarz, CISO of Amtrak, attended the RSA session to determine if tokenization could be integrated into the rail service's systems. Baklarz said the technology looks promising, but it's way too soon to consider deployment plans. Amtrak already took steps to rearchitect its networks to isolate its revenue systems from the rest of the network prior to the PCI DSS assessment, so adding tokenization could be costly and introduce other risks, he said.
"There are too many things that can go wrong when you put all your eggs in one basket," Baklarz said. "There's a lack of standardization and too much going on that can affect business analytics."
Large merchants who do business with more than one payment processor wonder whether tokens can interchangeably work with more than one payment processor tokenization system, said Ramon Krikken, an analyst at Midvale, Utah-based Burton Group. So far the process is far from standardized, he said.
Payment and encryption software vendors are the most likely to sell tokenization systems. Shift4 Corp. was the first to market with tokenization technology and 3Delta Systems Inc. has sold tokenization products since 2003. Payment processors are also heavily pushing tokenization. First Data Corp. and RSA, the security division of EMC Corp., have released an encryption and tokenization service that takes the card payment information, converts it into a token and then stores the sensitive data in a server on First Data's network. Voltage Security Inc. is also selling a system that combines encryption and tokenization. The company is partnering with Heartland Payment Systems Inc. to sell services to its customers.
Different kinds of tokenization methods exist. Nearly every tokenization system has a different algorithm resulting in different token formats, Krikken said. Some technologies replace part of a credit card number, others replace the entire number with a random string. These practices could potentially create problems when business units want to analyze buying habits or review customer return records.
Tokenization has helped healthcare companies protect Social Security numbers in recent years, Krikken said. One of the lessons learned by early adopters is to centralize confidential information to reduce the risk of data leakage. In addition to the tokenization server, merchants will want to deploy an event management tool for auditing and monitoring access to the tokens, he said.
"You can audit the access to the actual card information," Krikken said. "The token database itself is encrypted strongly."