Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How can tokenization and encryption help payment card security?

Tokenization and end-to-end encryption are the new big technologies for payment care security. Expert Mike Chapple explains how they may also ease compliance burdens.

There is a lot of discussion around improving payment card security since there have been so many breaches in the retail sector. The hot topics for improvement are tokenization and end-to-end encryption. Is it likely that PCI DSS will include them in future updates? Should my company start preparing for this move? If so, what steps should we take?

Tokenization and end-to-end encryption are both strong security technologies and play important roles in limiting the scope of PCI DSS compliance within an organization. PCI DSS does not mandate the use of these technologies and I don't expect that to become the case, but merchants who adopt them may find these technologies can ease compliance burdens.

Tokenization technology replaces sensitive information, such as a credit card number, with an otherwise meaningless value or "token" that may be stored in a database. The token typically has the same format as the data element so it remains compatible with current card processing systems. When authorizing a transaction, the merchant receives a token value from the payment gateway for that transaction. This token uniquely identifies the transaction and, when presented, allows the bank to retrieve transaction details. The merchant then stores the token in its database for future reference. The merchant does not store the actual credit card number, which reduces the amount of sensitive information stored on merchant systems. Even if an intruder steals the database contents, the token values are worthless because they cannot be used to initiate a new transaction.

End-to-end encryption goes a step further by keeping all payment card information out of merchant systems by fully encrypting the transaction chain from the swipe terminal to the bank. When a customer or employee swipes a credit card or keys it into a terminal, hardware within the terminal encrypts the card details using an encryption key known only to the payment processor. The merchant never has electronic access to sensitive information and therefore bears little responsibility for transaction security.

Both tokenization and end-to-end encryption are valuable tools in protecting sensitive payment card transactions; they're not mandated by PCI DSS compliance and probably won't be any time soon, but they worth exploring to better safeguard payment data. Expect to see their adoption continue to increase as merchants search for ways to reduce the burden of PCI DSS compliance programs.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Take a look at the pros and cons of end-to-end encryption and tokenization

This was last published in April 2015

Dig Deeper on PCI Data Security Standard