

How does tokenization technology affect PCI DSS compliance?

Tokenization technology can be confusing. Expert Mike Chapple explains what the difference is between two types of tokens and how tokenization can help with PCI DSS compliance.

I'm confused about the term tokenization as it refers to authentication and the payment industry. What's the difference between a token that is used as a one-time password and a token such as what Apple Pay uses? And how do compliance bodies such as PCI DSS view tokenization technology?

Tokenization is one of my favorite security technologies, particularly when it comes to reducing the scope of PCI DSS compliance. Before diving into how the technology works, let me clear up one point that often confuses people: the term "token" is used in two different ways in the security field. In authentication, a token is the physical object people carry around, typically on a key chain, that generates one-time passwords for use in multifactor authentication systems. Those aren't the tokens we're talking about when we refer to tokenization technology.

The tokens used in tokenization are surrogate values, usually strings of digits or alphanumeric characters, that stand in for sensitive data, here the primary account number (PAN). A token is generated at random or by a one-way process, so it cannot be mathematically reversed to the PAN; the only way back is a lookup in a token vault that the tokenization provider controls. Two flavors show up in payments. Apple Pay uses network (payment) tokens: the card brand's token service issues the device a Device Account Number that is used in place of the PAN in the transaction itself, so the merchant never receives the real card number at all. Newer point-of-sale (POS) systems use acquirer or processor tokens: after authorization, the processor returns a token that the retailer stores in place of the PAN for refunds, recurring billing and reporting. Implemented properly, and combined with point-to-point encryption so that the PAN is also unreadable while in transit through the store, this keeps cleartext card numbers off the retailer's systems and reduces the scope of its PCI DSS compliance.

For example, a customer walks up to a cash register at a store that uses point-to-point encryption (P2PE) together with tokenization. The customer swipes or dips a card at the customer-facing reader. That reader, a PCI PTS-approved device, encrypts the card data at the moment it is read, using a key held only by the P2PE solution provider's decryption environment; the retailer's POS has no copy of that key and no way to obtain one. The encrypted card data passes through the retailer's POS and network to the processor, which decrypts it, obtains authorization from the issuing bank, files the PAN in its token vault and returns a token to the POS. The POS records the token, not the card number, and later uses it to reference the transaction for a refund or chargeback. Because the POS never sees an unencrypted card number, the retailer's in-scope footprint shrinks dramatically; a merchant using a PCI-listed P2PE solution may qualify for the much shorter SAQ P2PE. It does not shrink to nothing, though: the merchant still has to keep an inventory of its readers, inspect them for tampering or substitution, and treat any system that can map a token back to a PAN as fully in scope.
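The flow above, as an added example that is not code from the article or from any payment vendor. It models the three parties in Python: a card reader that encrypts the PAN under a key only the processor holds (an HMAC-SHA256 counter-mode keystream with an HMAC tag stands in for the AES/DUKPT encryption a real SRED reader performs, since the standard library has no AES), a processor that authenticates and decrypts the blob, files the PAN in its vault and returns a random, format-preserving token, and the PAN-discovery scan an assessor would run over the POS records to confirm that no cleartext card number is present. All class and function names are hypothetical, and the only card number used is the standard Visa test PAN 4111 1111 1111 1111.

```python
"""Constructed model of a P2PE card reader, a merchant POS and a tokenizing processor."""
import hashlib
import hmac
import re
import secrets

PAN_LIKE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(s: str) -> bool:
    """True if s is all digits and carries a valid Luhn check digit."""
    if not s.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, cast out nines
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """The check an assessor runs over a dump of the merchant's data:
    every Luhn-valid run of 13 to 19 digits is a candidate cleartext PAN."""
    return [m for m in PAN_LIKE.findall(text) if luhn_valid(m)]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream cipher (stand-in for AES)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(blocks)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


class Reader:
    """PTS-approved card reader: the key is injected at the provider's facility and
    never exists on the POS. A real SRED reader uses AES under DUKPT keys; here an
    HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC) stands in for it."""

    def __init__(self, key: bytes):
        self._key = key

    def swipe(self, pan: str) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(self._key, nonce, pan.encode())
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag  # opaque blob; the POS can only forward it


class Processor:
    """P2PE decryption environment plus token vault (token -> PAN), both in scope."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._vault: dict[str, str] = {}

    def provision_reader(self) -> Reader:
        return Reader(self._key)

    def authorize(self, blob: bytes) -> str:
        """Authenticate and decrypt the blob, (notionally) get issuer approval,
        vault the PAN and hand the POS a token in place of the card number."""
        if len(blob) < 16 + 1 + 32:
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("card data failed authentication")  # tampered or wrong key
        pan = _keystream_xor(self._key, nonce, ct).decode()
        # Token: 12 random digits + the PAN's last four (handy on receipts). It is
        # random, so nothing outside the vault can reverse it, and it is re-drawn if
        # it happens to pass Luhn so a PAN-discovery scan cannot mistake it for a card.
        while True:
            tok = f"{secrets.randbelow(10**12):012d}{pan[-4:]}"
            if tok not in self._vault and not luhn_valid(tok):
                self._vault[tok] = pan
                return tok

    def detokenize(self, tok: str) -> str:
        """The only path from token back to PAN; it exists nowhere else."""
        return self._vault[tok]
```

Running `proc = Processor()` followed by `tok = proc.authorize(proc.provision_reader().swipe("4111111111111111"))` leaves the POS holding a 16-digit token that ends in 1111, fails the Luhn check and cannot be mapped back to the PAN by anything outside the processor's vault. `find_pans` over the POS record (token plus the hex-encoded blob) returns nothing, which is the evidence the scope reduction rests on, while a blob with a single flipped byte is rejected before decryption.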

The Payment Card Industry Security Standards Council recognizes the value of tokenization and supports its use to improve security and reduce the scope of compliance efforts. Its position, including the caveats that matter in practice (a token must not be reversible to the PAN without access to the vault; the vault and any system that can call it remain in scope; and a "high-value" token that can itself be used to initiate a transaction may need to be treated much like a PAN), is set out in the Council's information supplement, PCI DSS Tokenization Guidelines.



This was last published in November 2015
