Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How to avoid PCI DSS service provider requirements using tokenization

Expert Mike Chapple explains why an organization storing tokens for clients may no longer be subject to PCI DSS service provider requirements.

My organization has a client that currently stores credit card details with us, but we are going to transition...

them to storing just tokens instead and letting the credit card service handle the personal card information.From a PCI DSS compliance perspective, what is the difference between passing credit card information through our system and redirecting the customer to another system for input values?

Ask the Expert

Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

The news may be quite good for your organization. Tokenization is the process of replacing a credit card number with a replacement value that is unrelated to the card number itself. Properly implemented tokenization systems make it virtually impossible to reverse-engineer the tokenization process and retrieve the original credit card number.

In this case, your client is, and will always be, subject to PCI DSS merchant requirements under the terms of its contract with its bank. The client may, however, take steps to reduce its compliance burden by limiting the amount of card information that it handles and the scope of the systems involved in those transactions. If the organization is able to successfully outsource credit card processing and never handle cardholder information, its compliance burden is reduced to a minimum set of practices to ensure that the appropriate policy and administrative controls are in place, as outlined in Self-Assessment Questionnaire A.

Your organization, on the other hand, is not considered a merchant because it doesn't accept credit cards on its own behalf. Up until now, you were a service provider under PCI DSS requirements because you stored credit card information on behalf of a client, the merchant. The applicable language in PCI DSS says that merchants may use service providers to "store, process or transmit cardholder data on their behalf, or to manage components such as routers, firewalls, databases, physical security, and/or servers." Cardholder data is specifically defined as credit card numbers, cardholder names, expiration dates and service codes.

If the client is no longer using your systems to store, process or transmit cardholder information, which would be the case if tokenization is used, your organization is probably no longer considered a service provider. If that is the case, you have no obligations under the PCI DSS service provider requirements.

This was last published in March 2014

Dig Deeper on PCI Data Security Standard

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.