The PCI SSC definition of Tokenization: “Tokenization technology replaces a Primary Account Number (PAN) with a surrogate value called a ‘token’. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values, meaning a properly implemented Tokenization solution can reduce or remove the need for a merchant to retain PAN in their environment once the initial transaction has been processed.”
Merchants are ultimately responsible for the proper implementation of any Tokenization solution they use, including its deployment and operation, and validation of its Tokenization environment as part of their annual Payment Card Industry Data Security Standard (PCI DSS) compliance assessment.
Organizations should carefully evaluate any solution before implementation to fully understand the potential impact on their CDE (Cardholder Data Environment). The PCI SSC Tokenization Information Supplement helps guide merchants through this process by:
- Outlining explicit scoping elements for consideration
- Providing recommendations on scope reduction, the tokenization process itself, and deployment and operation factors
- Detailing best practices for selecting a tokenization solution
- Defining the domains (the areas where specific controls need to be applied and validated) in which tokenization could potentially minimize the cardholder data environment
This additional guidance also benefits tokenization service providers and assessors by informing them of how the technology can help their merchant customers limit or eliminate system components that process, store, or transmit cardholder data, and so reduce the scope of the CDE and thus the scope of a PCI DSS assessment.
“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts,” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”
Jeremy King, European director of the PCI SSC, said the process is challenging because not all cards have a 16-digit primary account number (PAN). Some Tokenization methods are more applicable than others according to the card in question. Some tokens try to preserve the format of the original PAN in order to maintain compatibility with internal processing applications, while other approaches may generate a new truncated or randomised number, King said.
“Systems that allow you to get back to the PAN need to be properly protected, and are in scope,” King said.
Tokenization can dramatically reduce the requirements of PCI DSS. In simple terms, if a merchant stores no credit card data, the scope of PCI DSS is reduced.
For the majority of merchants, reducing the scope of PCI DSS by not storing credit card data can mean the difference between a relatively simple Self Assessment Questionnaire (SAQ), e.g. SAQ A, and the highly complex and extremely demanding SAQ D.
The PCI SSC Tokenization Information Supplement can be downloaded here.