The Payment Card Industry Security Standards Council intends to clear up confusion regarding tokenization, a process designed to protect payment card security.
The council on Aug. 12 was scheduled to release PCI Data Security Standard tokenization guidelines designed to help merchants understand how to incorporate tokenization into their security systems and PCI DSS-compliance efforts.
Tokenization involves the random generation of proxy numbers to replace actual credit card numbers at the point of sale to improve data security. The process, however, has lacked standards.
“Many different companies are selling a tokenization [service], and all have merit and are needed,” Bob Russo, council general manager, tells ISO&Agent Weekly. “But the merchant needs help in knowing which way to do tokenization may be best for them.”
Tokenization technology replaces a primary account number with a surrogate value called a “token.” Subsequently, if the tokenization is properly used, a merchant would not need to retain the primary account number in the payments system used at the business once the transaction is processed, the PCI council states in its announcement.
Eight months of research by a council special interest group and an accompanying task force of tokenization vendors and merchants wanting to use the security tool resulted in “a paper that serves as a beginning point by telling you what you need to know before you start using tokenization,” Russo says.
The council establishes and uses special interest groups to analyze security and fraud topics that participating organizations of the council view as essential.
“You still have to comply with PCI-DSS. Tokenization is not an alternative to the standards,” Russo adds. “But this will add another layer of security.”
The guidelines should help merchants understand the options for tokenization, what fits their business needs and whether other aspects of their security systems fail to comply with the standards. They also can benefit tokenization service providers and assessors by informing them of how the technology can help merchants limit or eliminate system components that process, store or transmit cardholder data, thus reducing the scope of a PCI-DSS assessment, the council stated in a press release.
Tokenization is not “a magic bullet” to keep hackers out of data systems, but it can provide a valuable layer in a data-security plan, Russo warns.
“It’s another technique, but whether it can be solid in the long run remains to be seen,” he says.
Tokenization takes the encryption method and scrambles it, but someone has to have the keys to that encryption, Russo explains. The process can take different forms, generating tokens randomly or creating them for various sequences of the credit card numbers, such as the first four or the last four numbers only, Russo says.
“It may be more secure and seem to have no key to break it in those instances, but are the random numbers associated with the credit card numbers stored in a secure place?” Russo asks.
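The exchange above turns on two points: the token is a random surrogate that keeps only the last four digits, and the table that maps tokens back to card numbers is the thing that still has to be locked down. The following is an added illustration, not code from the PCI council, the article, or any vendor named in it: a minimal in-memory token vault (a constructed stand-in for a hardened, access-controlled store) that issues random last-four-preserving tokens, rejects any token that would pass the Luhn check so it cannot be mistaken for a real card number, and shows what a merchant record looks like once only the token is retained. The `TokenVault` class, the `lookup_key` HMAC index and the `settle` helper are assumptions made for the example.

```python
"""Added illustration of format-preserving tokenization with a separate vault.
Not the PCI council's or the article's code; the vault here is a plain dict
standing in for the secured store Russo asks about."""
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn check; real PANs pass it, so tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example vault: holds the only copy of the token -> PAN mapping."""

    def __init__(self, lookup_key: bytes):
        self._by_token = {}        # token -> PAN: the sensitive mapping
        self._by_pan_index = {}    # keyed hash of PAN -> token, so a repeat card gets the same token
        self._lookup_key = lookup_key  # assumed to live inside the vault only

    def _pan_index(self, pan: str) -> str:
        # Keyed hash so the index itself does not reveal PANs if read.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        idx = self._pan_index(pan)
        if idx in self._by_pan_index:
            return self._by_pan_index[idx]
        while True:
            # Random leading digits, last four kept for receipts and customer service.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Reject collisions and anything that could be taken for a valid PAN.
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_token[token] = pan
        self._by_pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can go back to the PAN; merchants never call this path."""
        return self._by_token[token]


def settle(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Hypothetical merchant flow: the PAN is used once, then only the token is stored."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    # Constructed sample: a well-known test card number, not a real account.
    vault = TokenVault(lookup_key=secrets.token_bytes(32))
    record = settle(vault, "4111111111111111", 1999)
    print("stored by merchant:", record)
    print("vault resolves token:", vault.detokenize(record["token"]))
```

The merchant side keeps `record`, which carries no PAN; the vault is the single place where a token can be turned back into a card number, which is why its storage, access control and the `lookup_key` stay in scope even when the merchant's own systems drop out.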
Julie Conroy McNelley of Boston-based Aite Group, an independent payments industry research firm, echoes the contention that merchants should not view tokenization as a final security solution.
“Nothing is foolproof because if someone has the data, someone else can get it,” she says. “But the new guidelines are a good thing because [information about tokenization] was a big gap in the most recent PCI documents.”
The key in developing security is to make it as difficult as possible for a hacker to have access, McNelley says. “If you make it hard enough, the bad guys will look for another path of least resistance,” she adds.
The PCI guidelines are important for smaller merchants because security is not always “top of mind” for those thinking more about keeping their businesses going day-to-day than in understanding how one security breach could ruin them, McNelley says.
When vendors first introduced tokenization, companies selling other fraud-security techniques were concerned about becoming obsolete, Russo says. But over time, it has become apparent various layers of security are needed to keep data safe.