Problem solve Get help with specific problems with your technologies, process and projects.

Can tokenization of credit card numbers satisfy PCI requirements?

In this expert response, Joel Dubin discusses whether or not tokenization can meet PCI DSS standards for storing credit card data.

In your tip regarding PCI and tokenization, you say tokenization of credit card numbers can satisfy the PCI requirements...

for storing cardholder data. I have heard that tokenization was not sufficient because the token could be used for charges and credits, just like a credit card, and therefore should be considered as a credit card number. Is this true?

The key issue here is whether the token can be used, like a credit card number, for making purchases. The whole point of the token was to avoid this situation. The token was meant to be a replacement for the card number; that token would then be useless to a thief.

First, let's quickly review tokenization and the Payment Card Industry (PCI) Data Security Standard. One of the 12 points of PCI is that credit card numbers can't be stored on a retailer's point-of-sale (POS) device or its databases after the transaction. To be PCI compliant, merchants who currently don't encrypt such data will have to install expensive encryption systems on their POS systems.

Tokenization, on the other hand, is a technology developed by Shift4 Corp., which involves an easy-to-install driver on POS systems. The driver converts the credit card into a token, or random 16-digit number resembling a credit card number. The difference is that this number is supposedly useless to anyone who might sniff it or steal it.

The PCI standard is currently being revised, and the next version is expected to be released next year. So it's hard to predict exactly how the revised standard will view tokenization. It's probably safe to say that if the token can be used like a credit card number, it probably won't then meet PCI credit card compliance standards anymore.

For a more authoritative answer, contact the PCI Security Standards Council directly. It will provide a written answer that will satisfy your auditors and the qualified security assessors (QSA) mandated by PCI to conduct annual reviews of companies using credit cards.

More on this topic


This was last published in October 2007

Dig Deeper on PCI Data Security Standard

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.