The PCI Security Standards Council (SSC) recently released new tokenization product guidelines for vendors that make payment data tokenization offerings. While the guidelines are written for vendors, what can merchants take away regarding essential aspects of sound tokenization products?
The Tokenization Product Security Guidelines offer 84 pages of detailed technical guidance for developers of payment card tokenization products. While most merchants won't ever deal with the inner workings of tokenization systems, the content and complexity of the guidelines do offer some insight into tokenization security that is relevant to merchants.
Merchants should understand that there are different types of tokenization. The first major category is irreversible tokens: tokens that cannot be converted back to the credit card number. These tokens may be used for authentication or logging purposes, but someone holding the token cannot use it to obtain the sensitive credit card number. The second category consists of reversible tokens, which may be "detokenized" to retrieve the original card number. Such a token may be created either by strongly encrypting the credit card number or by replacing it with a value from a secure lookup table. Merchants should understand the different types of tokenization when selecting security technologies for use in their cardholder data environments.
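As an added illustration (not code from the article or from the PCI SSC guidelines), the two categories side by side in Python: an irreversible token built as a keyed hash of the card number, and a reversible token backed by a secure lookup table; the key and card number are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample values for the demo: a well-known test card number
# and a placeholder key. A real deployment keeps the key in an HSM/KMS.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def irreversible_token(pan: str, key: bytes) -> str:
    """Irreversible token: an HMAC-SHA256 of the PAN under a secret key.
    There is no detokenize step; the PAN cannot be recovered from the
    token, and without the key an attacker cannot even brute-force the
    (small) PAN space to match tokens against card numbers."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Reversible token via a secure lookup table ('vault'). The token is
    random, so it carries no information about the PAN; the vault is the
    only path back, which is why the vault itself is in PCI scope."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Same PAN always maps to the same token (useful for reporting).
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = secrets.token_hex(8)
        while token in self._token_to_pan:  # avoid a collision
            token = secrets.token_hex(8)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # In a real system this call sits behind strict access control
        # and audit logging; unknown tokens are rejected, not guessed.
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]
```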
Merchants should also realize that tokenization is a complex process and, except in extremely unusual circumstances, they should not attempt to develop tokenization technology on their own. It's safer to acquire a product or service from a vendor that carefully follows the tokenization security guidelines.
Finally, the details within the guidelines offer a great template for procurement processes. When merchants seek a new payment card processing system and wish to use tokenization, they might simply incorporate the tokenization security guidelines by reference. For example, the contract might include language like "Products and services supplied under this agreement must comply with the Tokenization Product Security Guidelines issued by the Payment Card Industry Security Standards Council in April 2015."