Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

Today, the PCI Council officially released the Tokenization Guidelines document.  As a member of the task force, I can tell you that we’ve been working on this guidance for the better part of two years, so we are happy to see that it has finally been released publicly.  The guidance provides much-needed direction on how to implement a tokenization solution and how it may reduce the scope of the cardholder data environment (CDE).

Already, there have been a lot of questions and conversation around this.  In fact, a lot of buzz has been circulating early this morning.  The first question is “Does Merchant Link meet these guidelines?”  We do.  The second question is, “Are tokens in- or out-of-scope?”

Specifically, the guidelines state that to be considered out-of-scope for PCI DSS, the tokens would need to have no value to an attacker attempting to retrieve primary account numbers (PANs).  In addition, the guidelines state that tokens that can be used for a transaction can be in scope for PCI DSS, even if the tokens can’t directly be used to retrieve PAN or other cardholder data.  For solutions which support these types of tokens, the guidelines state that there must be additional controls in place to detect and prevent fraudulent transactions.  This is where I feel the Council’s document fell short: they introduced this concept that tokens may potentially be back in scope without providing guidance as to how to keep them out of scope.

Here at Merchant Link, we developed our TransactionVault™ tokenization solution to minimize the risk of cardholder data theft for our merchants.  We use multiple layers of authentication to confirm that the originator of a tokenization, de-tokenization or payment request is an authorized user.  For example, we won’t simply accept a transaction request from anyone. They need to authenticate themselves to us before we will perform their transaction request.

Additionally, our tokens can only be used to perform a transaction at the merchant that was the original recipient of the token.  If we receive a request to perform a transaction using that token from any other merchant, it won’t work.
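The two controls described above (authenticating the requester, and binding a token to the merchant that originally received it) can be illustrated with a small token vault. This is an added example, not Merchant Link's TransactionVault code; the per-merchant HMAC shared secret, the merchant ids and the test PAN are constructed assumptions.

```python
import hmac, hashlib, secrets

def sign(key, payload):
    """HMAC tag a merchant attaches to a request (assumed authentication scheme)."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    def __init__(self, merchant_keys):
        self._keys = merchant_keys   # merchant_id -> shared HMAC key (constructed)
        self._vault = {}             # token -> (owning merchant_id, PAN); never leaves the vault

    def _authenticated(self, merchant_id, payload, tag):
        key = self._keys.get(merchant_id)
        return key is not None and hmac.compare_digest(sign(key, payload), tag)

    def tokenize(self, merchant_id, pan, tag):
        if not self._authenticated(merchant_id, f"tokenize:{pan}", tag):
            raise PermissionError("request not authenticated")
        token = secrets.token_hex(16)   # random: the token carries no information about the PAN
        self._vault[token] = (merchant_id, pan)
        return token

    def charge(self, merchant_id, token, amount, tag):
        """Use a token for a payment; only the merchant that received it may."""
        if not self._authenticated(merchant_id, f"charge:{token}:{amount}", tag):
            raise PermissionError("request not authenticated")
        owner, pan = self._vault.get(token, (None, None))
        if owner != merchant_id:   # unknown token, or token bound to a different merchant
            raise PermissionError("token not valid for this merchant")
        return f"charged {amount} to PAN ending {pan[-4:]}"

def demo():
    keys = {"merchant-A": b"secret-A", "merchant-B": b"secret-B"}   # constructed
    vault = TokenVault(keys)
    pan = "4111111111111111"   # constructed test PAN
    tok = vault.tokenize("merchant-A", pan, sign(keys["merchant-A"], f"tokenize:{pan}"))
    results = {"charge_by_owner": vault.charge("merchant-A", tok, "10.00",
                                               sign(keys["merchant-A"], f"charge:{tok}:10.00"))}
    try:   # a different, correctly authenticated merchant replaying the token
        vault.charge("merchant-B", tok, "10.00", sign(keys["merchant-B"], f"charge:{tok}:10.00"))
        results["charge_by_other"] = "allowed"
    except PermissionError:
        results["charge_by_other"] = "rejected"
    try:   # the owning merchant id, but without a valid authentication tag
        vault.charge("merchant-A", tok, "10.00", "bogus-tag")
        results["unauthenticated"] = "allowed"
    except PermissionError:
        results["unauthenticated"] = "rejected"
    return results
```

Because the token is random and usable only by its owning merchant with a valid request tag, an attacker holding a stolen token list gets neither a PAN nor a usable payment credential, which is the property the guidelines require for keeping tokens out of scope.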

But ultimately, what we urge for all of our merchants is a layered approach utilizing point-to-point encryption and tokenization together, providing the needed level of security to protect cardholder data and reduce the risk. The Council agrees and is pushing merchants to combine both technologies.

Comments

There is one comment for this post.

  1. Are PCI Special Interest Groups Effective? « SecureThinking on September 23, 2011 2:57 am

    [...] self-evident. The Tokenization SIG calling out high-value tokens and the fact that these will not reduce scope came as a surprise to quite a few organizations. The Virtualization SIG, however, seemed to [...]