I'm confused about the term tokenization as it refers to authentication and the payment industry. What's the difference between a token that is used as a one-time password and a token such as what Apple Pay uses? And how do compliance bodies such as PCI DSS view tokenization technology?
Tokenization is one of my favorite security technologies, particularly when it comes to reducing the scope of PCI DSS compliance. Before diving into how that technology works, let me clear up one question that often confuses people. The term "token" is used two different ways in the security field. Tokens may refer to physical objects that people carry around, typically on a key chain, that generate one-time passwords for use in multifactor authentication systems. Those aren't the tokens that we're talking about when we refer to tokenization technology.
The tokens used in tokenization are alphanumeric codes that are used in place of sensitive data. Tokenization technology, like that used in Apple Pay and many newer point-of-sale (POS) systems, uses these codes to replace credit card numbers in the retailer's records. Implemented properly, this technology ensures that no credit card numbers ever touch the retailer's systems and reduces the scope of its PCI DSS compliance.
For example, a customer might walk up to a cash register at a store using tokenization technology. The customer swipes a credit card through the self-service card reader. That card reader might use point-to-point encryption technology to encrypt the sensitive credit card information at the time the customer swipes the card, using an encryption key known only to the bank. That encrypted credit card number then passes through the retailer's system and is sent to the bank for processing. At the same time, the POS system records a token value in its records that the bank could then tie back to the specific credit card transaction. The POS system never sees an unencrypted credit card number, so it remains out of scope for PCI DSS compliance.
The Payment Card Industry Security Standards Council recognizes the value of tokenization technology and supports its use to improve security and reduce the scope of compliance efforts. For more information on the Council's position, see the PCI DSS Tokenization Guidelines.
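To make the checkout flow described in the answer concrete, here is an added example (not from the original article or from any payment vendor) of a bank-side token vault and a retailer-side POS record that holds only the token. The vault class, the `tok_` token format and the test card number are assumptions of this example; the point-to-point encryption link between card reader and bank is not modelled.

```python
import json
import secrets

# Constructed sample: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"


class BankTokenVault:
    """Hypothetical bank-side vault: the only component that can map a token
    back to the card number (PAN) it stands for."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        # Reuse the token for a card seen before, so the retailer can tie
        # repeat purchases or refunds to one token without holding the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # The token is random, not derived from the PAN, so it cannot be
        # reversed outside the vault. The last four digits are appended for
        # receipts; this format is an assumption of the example.
        token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        while token in self._token_to_pan:
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Only the bank resolves tokens; the retailer never calls this.
        return self._token_to_pan[token]


def checkout(vault: BankTokenVault, pan: str, amount_cents: int) -> dict:
    """Retailer-side POS step: hand the card to the bank, keep only the token."""
    token = vault.tokenize(pan)
    # The POS record stores the token and amount, never the card number.
    return {"token": token, "amount_cents": amount_cents, "last4": token[-4:]}


def records_expose_pan(records: list, pan: str) -> bool:
    """Scope check: does a full card number appear anywhere in the records?"""
    return pan in json.dumps(records)
```

Running `records_expose_pan` over the POS records shows the property the answer relies on: the retailer's data contains tokens the bank can resolve, but no card number for PCI DSS to bring into scope.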