Last week, the Payment Card Industry Security Standards Council released new guidelines related to the security of tokenization products. The guidelines are a set of technical best practices for evaluating tokenization products that will be used to replace the primary account number (PAN), commonly known as the full credit card number, with a substitute valued called a “token.”
The guidelines provide best practices, evaluation procedures and guidance in five different areas:
- General Guidelines: Includes thirteen general guidelines that apply to all forms of tokenization.
- Token Generation: Provides recommendations for securely generating tokens and applies to all devices, processes, mechanisms and algorithms used to create tokens.
- Token Mapping: Addresses guidelines for reversible tokens that can be mapped back to their original PANs and includes access controls and logging requirements for de-tokenization requests.
- Card Data Vault: These recommendations are only applicable to reversible tokens and mandates encryption of the PAN and access controls be used to access the vault where the PAN-to-token table is stored.
- Cryptographic Key Management: These define key management practices for all encryption performed by the tokenization product.
Many businesses are using payment tokens in order to reduce the size and complexity of their PCI cardholder data environment. Separate and apart from the tokenization system, non-cryptographic payment tokens that are not linked to the credit card number are not considered part of the organization’s PCI scope. Unlike encrypted credit card numbers and cryptographic tokens, which are still considered in-scope for PCI, these non-cryptographic tokens can be used in customer service, reporting, analytics and other internal systems without causing those applications to be subject to the strictures of the PCI Data Security Standard (PCI DSS).
Individual merchants and even the card networks themselves are increasingly using tokenization to simplify and limit their compliance obligations.
A copy of the full guidelines are available here.
Christopher Avery is a privacy and data security attorney in Davis Wright’s New York City office. He advises clients on U.S. and international privacy laws and regulations pertaining to consumer privacy, employee privacy, data security, and cybersecurity. Christopher regularly counsels companies on how to prepare for, respond to and recover from cybersecurity events.