PCI Security Standards Council Releases Tokenization Guidelines

WAKEFIELD, Mass. -- The PCI Security Standards Council (PCI SSC) has published the "PCI DSS Tokenization Guidelines Information Supplement" in an effort to provide greater clarity about how specific technologies relate to Payment Card Industry Data Security Standards (PCI DSS) and impact compliance.

The main topic discussed in the supplement is tokenization technology and how it replaces a Primary Account Number (PAN) with a surrogate value called a "token." According to the publication, a properly implemented tokenization solution can reduce or remove the need for a merchant to retain PANs once the initial transaction has been processed.

Since tokenization technology is so new, there are no industry standards yet regarding implementation. However, the supplement provides suggested guidelines for developing, evaluating, and implementing tokenization solutions in its report. More specifically, the report tells merchants how to outline explicit scoping elements for consideration; recommendations on scope reduction; details regarding best practices for selecting a tokenization solution; and defining domains or areas where specific controls need to be applied.

"We've continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts," said Bob Russo, general manager of the PCI Security Standards Council. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements."