In your tip regarding PCI and tokenization, you say tokenization of credit card numbers can satisfy the PCI requirements for storing cardholder data. I have heard that tokenization was not sufficient because the token could be used for charges and credits, just like a credit card, and therefore should be considered as a credit card number. Is this true?
The key issue here is whether the token can be used, like a credit card number, for making purchases. The whole point of the token was to avoid this situation. The token was meant to be a replacement for the card number; that token would then be useless to a thief.
First, let's quickly review tokenization and the Payment Card Industry (PCI) Data Security Standard. One of the 12 points of PCI is that credit card numbers can't be stored on a retailer's point-of-sale (POS) device or its databases after the transaction. To be PCI compliant, merchants who currently don't encrypt such data will have to install expensive encryption systems on their POS systems.
Tokenization, on the other hand, is a technology developed by Shift4 Corp., which involves an easy-to-install driver on POS systems. The driver converts the credit card into a token, or random 16-digit number resembling a credit card number. The difference is that this number is supposedly useless to anyone who might sniff it or steal it.
The PCI standard is currently being revised, and the next version is expected to be released next year. So it's hard to predict exactly how the revised standard will view tokenization. It's probably safe to say that if the token can be used like a credit card number, it probably won't then meet PCI credit card compliance standards anymore.
For a more authoritative answer, contact the PCI Security Standards Council directly. It will provide a written answer that will satisfy your auditors and the qualified security assessors (QSA) mandated by PCI to conduct annual reviews of companies using credit cards.
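To make the distinction in the answer concrete, here is an added illustration (not Shift4's driver, not any real vault, and not part of the original Q&A): a toy token vault that replaces a card number with a random 16-digit token keeping only the last four digits, chosen so that it always fails the Luhn check a real card number must pass, and where only the vault can map a token back to the card number.

```python
import secrets

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place a token can be mapped back to a PAN.
    In a real deployment the PAN store is encrypted and sits outside the
    merchant's POS and databases, which is what takes them out of scope."""
    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._by_pan:           # same card -> same token (recurring charges)
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for receipts; the rest is random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + pan[-4:]
            # Reject any candidate that passes Luhn: a token must never be
            # mistakable for a real card number, and must be unique in the vault.
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with access to the vault can recover the card number."""
        return self._by_token[token]

def looks_like_real_pan(value: str) -> bool:
    """Detection helper: a 16-digit value that passes Luhn may be a live card
    number leaking into logs; a token from this vault never passes."""
    return value.isdigit() and len(value) == 16 and luhn_valid(value)
```

Because the token carries no key material and fails even basic card validation, a thief who sniffs it from the POS gets nothing usable without access to the vault itself.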