Compliance benefits of tokenization

Tokenization is a technology that enables a token to replace a credit card number in an electronic transaction. This token or reference number is meant to prevent the theft of the credit card number during electronic transmission and storage of a transaction. Since the reference number can't be used for transactions or fraudulent charges, there is little harm done if it's stolen.

For more information: Learn how to secure and implement one-time password tokens to provide effective two-factor authentication. Security expert, Mike Rothman discusses how PCI DSS compensating controls play a role in building a strong security program. Learn how using the Secure Hashing Algorithm can help you encrypt sensitive data and become PCI DSS compliant.

The purpose of tokenization is to meet the Payment Card Industry (PCI) Data Security standard, which mandates that credit card data can't be stored on the retailer's point of sale (POS) device or it's databases after a transaction. This is one of the 12 points in the PCI DSS, which must be met by companies processing credit cards, including banks, retailers and merchants.

Many merchants have complained that in order to be PCI compliant, they will have to make expensive upgrades or replacements to their POS systems. Tokenization makes POS systems compliant without costly changes by using a 16-digit randomly generated number resembling a card number. The only numbers from the original card are it's last four digits, which become the first four of the token. Using only these four numbers, the token is still PCI compliant.

Tokenization was invented by Shift4 Corp., which developed a driver for POS software to generate and accept tokens. The only thing merchants have to do is install the driver on their POS equipment. The driver is substantially cheaper than replacing or upgrading POS hardware to encrypt card numbers, which would otherwise be required for PCI compliance.

Is tokenization effective? For the time being, it probably is. Of course, eventually some clever hacker will probably find a way to beat the system. But right now it offers both PCI compliance and some level of network security -- the best of both worlds for merchants using credit cards.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Learn from NIST: Best practices in security program management Best practices for application-level firewall selection and deployment The 'security standards dilemma': Network segmentation and PCI Compliance Penetration testing: Helping your compliance efforts Worst practices: Recognizing the biggest compliance mistakes E-discovery management: How IT should interact with the legal team E-discovery management: How IT should interact with the legal team Incident response success in five quick steps The forensics mindset: Making life easier for investigators How to apply ISO 27002 to PCI DSS compliance Tokens and Smart Cards Product review: Secure Computing SafeWord 2008 Video: Changes ahead for MIT Kerberos Consortium Kerberos: Authentication with some drawbacks What are the dangers of using radio frequency identification (RFID) tags? Smart card deployment: How to know if it's smart for your enterprise Can tokenization of credit card numbers satisfy PCI requirements? Is there a way to bridge physical and logical security without using smart cards or biometrics? Preparing for integrated physical and logical access control: The common authenticator Are one-time password tokens susceptible to man-in-the-middle attacks? What are the PCI DSS compliance benefits of tokenization? PCI Data Security Standard PCI compliance extends to car washes, quick lubes PCI council to launch assessor quality assurance program The 'security standards dilemma': Network segmentation and PCI Compliance NSS Labs to focus research on PCI technologies PCI Confusion Trio indicted in restaurant data security breach PCI portal aims compliance guidance at smaller merchants PCI compliance and Web applications: Code review or firewalls? How to test the security of personal details submitted to a website Verizon issues PCI self-assessment, support docs RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary authentication server  (SearchSecurity.com) Chameleon Card  (SearchSecurity.com) key chain  (SearchSecurity.com) key fob  (SearchSecurity.com) key string  (SearchSecurity.com) national identity card  (SearchSecurity.com) security token  (SearchSecurity.com) smart card  (SearchSecurity.com) tokenization  (SearchSecurity.com) two-factor authentication  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.