Compliance: New PCI-SSC Standards on tokenisation
- The PCI-SSC has issued a new set of guidelines regarding the implementation of secure data tokenization measures.
- Merchants must comply with several requirements now listed in this dedicated publication: PCI-DSS Tokenization Guidelines. This gives them a reference guide focused on deploying these technologies so that PANs are neither stored on nor transported across their information systems.
- According to the standardisation Council, the use of tokens can limit card data storage and reduce PCI-DSS compliance efforts. It specifies that large organisations/institutions in charge of larger, more complex payment systems should not expect a dramatic reduction in their PCI-DSS assessment scope (or in their IROC). Also, on-premise systems are less likely to have their assessment scope reduced than hybrid or outsourced systems. Finally, taking these new guidelines into account does not remove the need for PCI DSS compliance, and the tokens (just like any other data) must be impossible to use if retrieved.
- This new document reflects the best practices listed by Visa in its July 2010 guidelines.
See July 2010 Payments Insight
- These principles come in addition to PCI-DSS measures: they are not meant to replace them. Until recently, the variety of technologies used to protect the tokens made it hard to determine which needs were actually addressed.
- In July 2010, Visa's guidelines stressed the need to limit the amount of unencrypted, and therefore vulnerable, data. This document followed the October 2009 publication of a guide dedicated to card data encryption (Visa Best Practices for Data Field Encryption).
- Four components deemed necessary for proper tokenisation stand at the heart of these issues: token generation, token mapping, secure card data vault storage and cryptographic key management.
- The same guidelines also remind the reader that no cardholder authentication data (magnetic stripe contents, CVx2, PIN, etc.) may be stored once the authorization has been received.