
What do merchants need to know about PCI tokenization guidelines?

New guidance from the PCI SSC includes some essential aspects of tokenization security and what merchants need to know about tokenization products.

The PCI Security Standards Council (SSC) recently released new tokenization product guidelines for vendors that make payment data tokenization offerings. While the guidelines are written for vendors, what can merchants take away regarding essential aspects of sound tokenization products?

The Tokenization Product Security Guidelines offer 84 pages of detailed technical guidance for developers of payment card tokenization products. While most merchants won't ever deal with the inner workings of tokenization systems, the content and complexity of the guidelines do offer some insight into tokenization security that is relevant to merchants.

Merchants should understand that there are different types of tokenization. The first major category is irreversible tokens: tokens that cannot be converted back to the credit card number. These tokens may be used for authentication or logging purposes, but someone holding the token cannot use it to obtain the sensitive credit card number. The second category is reversible tokens, which may be "detokenized" to retrieve the original card number. Such a token may be created either by strongly encrypting the credit card number or by replacing it with a value from a secure lookup table. Merchants should understand these distinctions when selecting security technologies for use in their cardholder data environments.
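To make the two categories concrete, the following added example (written for this page, not code from the PCI SSC or any vendor) builds an irreversible token as a keyed HMAC of the card number and a reversible token from a lookup-table vault. The encryption-based reversible variant is omitted because the Python standard library has no AES; everything here is stdlib only. The card number 4111111111111111 is a well-known test number, not a live account, and the choices to keep the last four digits in the vault token and to reject tokens that pass the Luhn check are design choices assumed for illustration, not requirements taken from the guidelines.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a widely used test card number, not a real account.
TEST_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Basic PAN sanity check: digits only, plausible length, passes Luhn."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def irreversible_token(pan: str, key: bytes) -> str:
    """Irreversible token: HMAC-SHA256 of the PAN under a secret key.

    There is no detokenize() for this category. The key matters: the PAN
    space is small enough that an unkeyed hash could be brute-forced by
    hashing candidate numbers until one matches, so the secret must stay
    inside the tokenization system.
    """
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible tokenization via a secure lookup table (a 'vault').

    The mapping held here is exactly the asset the guidelines expect to be
    protected: anyone who can read it can detokenize every stored card.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        # Assumed design: 12 random digits plus the PAN's last four (handy for
        # receipts), and the token must fail Luhn so it cannot be mistaken for
        # a real card number by downstream systems that validate PANs.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + pan[-4:]
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting one on first use."""
        if not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same PAN always maps to the same token
        token = self._new_token(pan)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only the vault can do this, which is the whole point."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed demo key; a real system keeps this in an HSM or KMS
    print("irreversible:", irreversible_token(TEST_PAN, key))
    vault = TokenVault()
    tok = vault.tokenize(TEST_PAN)
    print("vault token:  ", tok, "-> detokenizes to", vault.detokenize(tok))
```

Running the block shows the practical difference a merchant should care about: the HMAC value is useful for matching and logging but yields nothing to someone who steals it, whereas the vault token is only as safe as the vault and its access controls.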

Merchants should also realize that tokenization is a complex process and, except in extremely unusual circumstances, they should not attempt to develop tokenization technology on their own. It's safer to acquire a product or service from a vendor that carefully follows the tokenization security guidelines.

Finally, the details within the guidelines offer a great template for procurement processes. When merchants seek a new payment card processing system and wish to use tokenization, they might simply incorporate the tokenization security guidelines by reference. For example, the contract might include language like "Products and services supplied under this agreement must comply with the Tokenization Product Security Guidelines issued by the Payment Card Industry Security Standards Council in April 2015."

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)


This was last published in September 2015
