Simplifying PCI Compliance with Tokenization

What’s the latest update on PCI DSS compliant standards? After little to no changes for years, save the virtualization update, the PCI Security Standards Council (PCI SSC) recently published a document on new technical standards that impact PCI DSS compliance, the PCI DSS Tokenization Guidelines Information Supplement. Recognizing tokenization as a way to reduce the scope of PCI DSS, the council’s guide outlines how to stay PCI compliant while using a tokenization system in a cardholder data environment (CDE).

To reduce the storage of sensitive cardholder data (CD), tokenization replaces a Primary Account Number (PAN) with a “token” value. These token values are not sensitive. Instead of encryption, the complete replacement of PANs can provide a different security method for many companies that conduct credit card transactions.

Merchants no longer need to store PAN in their CDE or processing system because a non-sensitive token value subsequently takes its place. Tokenization ensures that sensitive information is never transmitted to a third-party outsourcing provider in any form of code (encryption).

Example of High-Level Tokenization Process (Source: PCIsecuritystandards.org)

The PCI SSC tokenization guide has an example of a high-level tokenization process although they acknowledge others are possible. The steps include:

1. The requesting application passes a PAN with authentication information to a tokenization system.
2. The tokenization system verifies the authentication information. If verification fails, the tokenization process stops and information is logged. If verification succeeds, the system continues.
3. The tokenization system generates a token associated with the PAN to record to the card data vault.
4. The token is returned to the requesting application.

While tokenization limits PCI scope, there are still PCI security requirements, as the council outlines. Authentication and limited access still apply, as well as monitoring, tracking and logging to detect unauthorized activity.

The PCI SSC recommends tokenization be used in partnership with PCI data security standards and not viewed as a replacement or alternative. The council is merely providing more guidance on using a method to advance the security of merchant CDE.

The best advice for managing a PCI compliant environment is to reduce the scope of the CDE. By limiting system components that store and process sensitive customer data, PCI compliance becomes much more simple to achieve for e-commerce or other merchants that process credit card information.