PCI Council Offers Advice on Protecting Card Data by Tokenization

The Payment Card Industry Security Standards Council has issued guidelines to clear up confusion around tokenization, a process for obscuring sensitive payment card data.

The council, which manages the PCI data security standard, released its new guidelines Friday. Tokenization involves the generation of random proxy numbers to replace actual credit card numbers at the point of sale. The process improves security by removing sensitive data from the payment process, but there are multiple ways of doing it.
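The core of what the article describes, as an added example that is not code from the article or from the PCI council's guidance: a minimal token vault in which the token is random, not derived from the card number, so a stolen token reveals nothing and the real PAN exists only in the vault. The class and function names are assumptions for illustration.

```python
import secrets
import string

# Hypothetical token vault (names are assumptions, not a real library API).
# Tokens are generated randomly, never computed from the PAN, so the only way
# back to the card number is a lookup in the vault, which is the one system
# that still has to be protected under the PCI standard.

def luhn_valid(pan: str) -> bool:
    """Reject inputs that are not plausible card numbers before storing them."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0

class TokenVault:
    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:      # same card always maps to one token
            return self._pan_to_token[pan]
        # Format-preserving: keep the last four digits (which may be displayed
        # anyway) and replace the rest with random digits; retry on collision.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; callers must be authorized."""
        return self._token_to_pan[token]
```

Everything outside the vault (receipts, loyalty records, analytics) can store the token instead of the PAN, which is how tokenization shrinks the systems holding card data.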

"Many different companies are selling a tokenization [service], and all have merit and are needed," says Bob Russo, the PCI council's general manager. "But the merchant needs help in knowing which way to do tokenization may be best for them."

The council produced its paper after eight months of research by tokenization vendors and merchants. The guidance "serves as a beginning point by telling you what you need to know before you start using tokenization," Russo says.

"You still have to comply with" the PCI standard, he says. "Tokenization is not an alternative … but this will add another layer of security."

Merchants should not view tokenization as a complete approach to security, says Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC.

"Nothing is foolproof," she says. "But the new guidelines are a good thing because [information about tokenization] was a big gap in the most recent PCI documents."

Merchants need to make it as difficult as possible for a hacker to have access to card data, McNelley says. "If you make it hard enough, the bad guys will look for another path of least resistance."

The PCI guidelines are important for smaller merchants because security is not always "top of mind" for them, McNelley says.
