Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

By Sue Zloth

Today, the PCI Council officially released the Tokenization Guidelines document.  As a member of the task force, I can tell you that we’ve been working on this guidance for the better part of two years, so we are happy to see that it has finally been released publicly.  The guidance provides much-needed direction on how to implement a tokenization solution and how it may reduce the scope of the cardholder data environment (CDE).

Already there have been a lot of questions and conversation around this, with a good deal of buzz circulating since early this morning.  The first question is "Does Merchant Link meet these guidelines?"  We do.  The second question is, "Are tokens in scope or out of scope?"

Specifically, the guidelines state that for tokens to be considered out of scope for PCI DSS, they must have no value to an attacker attempting to retrieve primary account numbers (PANs).  In addition, the guidelines state that tokens which can be used to initiate a transaction (so-called high-value tokens) may be in scope for PCI DSS even if they cannot directly be used to retrieve the PAN or other cardholder data.  For solutions that support this type of token, the guidelines require additional controls to detect and prevent fraudulent transactions.  This is where I feel the Council's document fell short: it introduced the idea that tokens may be pulled back into scope without giving guidance on how to keep them out of scope.

Here at Merchant Link, we developed our TransactionVault™ tokenization solution to minimize the risk of cardholder data theft for our merchants.  We use multiple layers of authentication to confirm that the originator of a tokenization, de-tokenization or payment request is an authorized user.  For example, we won't simply accept a transaction request from anyone; the requester must authenticate to us before we will perform the request.

Additionally, our tokens can only be used to perform a transaction at the merchant that originally received the token.  A request to transact with that token from any other merchant is rejected.
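What those two controls look like together in code, as an added example written for this post (it is not Merchant Link's TransactionVault code; the merchant IDs, shared secrets, HMAC-based request signing and the test PAN are constructed for illustration): the vault hands out random tokens, refuses any tokenization, de-tokenization or authorization request that is not authenticated with the issuing merchant's secret, and refuses a token presented by a different merchant even when that merchant authenticates correctly. This is the kind of extra control the guidelines ask for around tokens that can initiate a transaction: a stolen token is only as valuable as the vault's willingness to act on it.

```python
"""Toy token vault with merchant-bound tokens and authenticated requests.

Added illustration, not Merchant Link's TransactionVault code. The merchant IDs,
shared secrets and the test PAN are constructed sample values.
"""
import hashlib
import hmac
import secrets

# Constructed sample credentials: each merchant shares an API secret with the vault.
MERCHANT_SECRETS = {
    "merchant-A": b"secret-known-only-to-A-and-the-vault",
    "merchant-B": b"secret-known-only-to-B-and-the-vault",
}


def sign(secret: bytes, body: str) -> str:
    """Merchant side: authenticate a request body with the shared secret (HMAC-SHA256)."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Vault side: issues random tokens and only honours them for the issuing merchant."""

    def __init__(self, merchant_secrets):
        self._secrets = dict(merchant_secrets)
        self._store = {}  # token -> (issuing merchant_id, PAN)

    def _check_auth(self, merchant_id: str, body: str, mac: str) -> None:
        # Every request, not just de-tokenization, must prove it comes from a known merchant.
        secret = self._secrets.get(merchant_id)
        if secret is None or not hmac.compare_digest(sign(secret, body), mac):
            raise PermissionError(f"request not authenticated as {merchant_id}")

    def _lookup(self, merchant_id: str, token: str) -> str:
        # Merchant binding: a token presented by anyone other than its recipient is unknown.
        entry = self._store.get(token)
        if entry is None or entry[0] != merchant_id:
            raise PermissionError("token unknown or not issued to this merchant")
        return entry[1]

    def tokenize(self, merchant_id: str, pan: str, mac: str) -> str:
        self._check_auth(merchant_id, f"tokenize:{pan}", mac)
        token = secrets.token_hex(16)  # random; carries no information about the PAN
        self._store[token] = (merchant_id, pan)
        return token

    def detokenize(self, merchant_id: str, token: str, mac: str) -> str:
        self._check_auth(merchant_id, f"detokenize:{token}", mac)
        return self._lookup(merchant_id, token)

    def authorize(self, merchant_id: str, token: str, amount_cents: int, mac: str) -> dict:
        self._check_auth(merchant_id, f"authorize:{token}:{amount_cents}", mac)
        pan = self._lookup(merchant_id, token)
        # The PAN is used inside the vault to reach the processor; only a masked form leaves it.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


def _attempt(call) -> str:
    """Run a request and report whether the vault accepted or rejected it."""
    try:
        call()
        return "accepted"
    except PermissionError:
        return "rejected"


def run_scenarios() -> dict:
    """Exercise the vault the way the post describes; returns the outcome of each scenario."""
    vault = TokenVault(MERCHANT_SECRETS)
    pan = "4111111111111111"  # constructed test PAN
    key_a, key_b = MERCHANT_SECRETS["merchant-A"], MERCHANT_SECRETS["merchant-B"]

    token = vault.tokenize("merchant-A", pan, sign(key_a, f"tokenize:{pan}"))
    return {
        # The token itself is worthless for recovering the PAN: nothing of it is embedded.
        "pan_visible_in_token": pan in token,
        # Issuing merchant, properly authenticated: both operations work.
        "owner_detokenize_matches": vault.detokenize(
            "merchant-A", token, sign(key_a, f"detokenize:{token}")) == pan,
        "owner_authorize": vault.authorize(
            "merchant-A", token, 1999, sign(key_a, f"authorize:{token}:1999"))["approved"],
        # Attacker who stole the token but holds no merchant secret: bad MAC, rejected.
        "stolen_token_no_credentials": _attempt(
            lambda: vault.authorize("merchant-A", token, 1999, "0" * 64)),
        # Another merchant, validly authenticated as itself, replaying the stolen token: rejected.
        "stolen_token_other_merchant": _attempt(
            lambda: vault.authorize(
                "merchant-B", token, 1999, sign(key_b, f"authorize:{token}:1999"))),
        "stolen_token_other_merchant_detokenize": _attempt(
            lambda: vault.detokenize("merchant-B", token, sign(key_b, f"detokenize:{token}"))),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

A production vault would add transport security, replay protection (a timestamp or nonce under the MAC), rate limiting and key rotation on top of this. The point of the example is that for tokens which can initiate a transaction, the scope question is settled by controls enforced at the vault, not by any property of the token string itself.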

But ultimately, what we urge all of our merchants to adopt is a layered approach that uses point-to-point encryption and tokenization together, providing the level of security needed to protect cardholder data and reduce risk. The Council agrees and is encouraging merchants to combine both technologies.


Written by Merchant Link Staff



There are 2 comments for this post.

  1. Are PCI Special Interest Groups Effective? « SecureThinking on September 23, 2011 2:57 am

    [...] self-evident. The Tokenization SIG calling out high-value tokens and the fact that these will not reduce scope came as a surprise to quite a few organizations. The Virtualization SIG, however, seemed to [...]

  2. Merchant Link SecurityCents :: Tokenization :: 3 Myths about Tokenization on May 29, 2012 11:37 am

    [...] merchants looking to reduce their PCI scope as much as possible, cloud-based or hosted tokenization is an attractive option. With a cloud-based [...]
