PCI council encouraged to plan for data tokenisation, as Protegrity claim it is more effective than encryption

News by Dan Raywood

The PCI security standards council (PCI SSC) plans to include tokenisation in future versions of its guidelines.

Following the most recent changes to the PCI DSS guidelines, Ulf Mattsson, CTO of Protegrity, is offering guidance on how the tokenisation of cardholder data can reduce the size of the Cardholder Data Environment (CDE).

The council is looking to ‘mirror the tokenisation best practices document that Visa released in July’ as it is a good framework for the industry to build on.

Speaking to SC Magazine this week, Mattsson said that the new guidelines and version 2.0 of PCI DSS do not say enough about tokenisation. The PCI work group he is involved with is preparing a document for the council that explains how tokens should fit into the standard and how they should be implemented. He said that a second document, for validating compliance with PCI, will then be prepared.

Mattsson said: “The PCI DSS guidelines say that there are four ways to make numbers unreadable and one is data tokenisation. The industry is now calling it data tokenisation and the difference between encryption and tokenisation is that with encryption you have mathematical figures and a key, but with tokenisation it is a random number and there is no algorithm associated so it cannot be broken.

“When you capture data the personal account number will be converted into a token in a tokenisation server. We see it being outsourced by smaller merchants but larger enterprises are keeping it in house. There is a greater interest in keeping data in-house as it is sensitive information.”
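To make the distinction concrete, here is an added worked example (written for this page, not Protegrity's product code or the PCI SSC's guidance) of the vault-based tokenisation flow Mattsson describes: a captured PAN is replaced by a randomly generated token with no mathematical relationship to the PAN, and the only way back is a lookup in the tokenisation server's vault. The class and function names, the in-memory dictionary standing in for the vault database, the decision to keep the last four digits of the PAN visible, and the rule that a token must fail the Luhn check (so it can never be mistaken for a real card number) are all assumptions of this example. The card numbers are constructed industry test numbers, not real accounts.

```python
import secrets

# Constructed sample input: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111111111111111", "5500000000000004"]


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal stand-in for a tokenisation server.

    The vault is the one place where PAN <-> token mappings exist, so it
    (and nothing downstream that only sees tokens) stays in PCI scope.
    Assumption: a dict replaces the vault's access-controlled database.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        # Design choice (assumed): keep the last four digits for receipts and
        # customer service, randomise everything else with a CSPRNG. Unlike
        # encryption there is no key and no algorithm linking token to PAN;
        # the random body is simply drawn again until it is usable.
        keep = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + keep
            # Reject tokens that could be confused with a real card number
            # (Luhn-valid) or that collide with an existing token or the PAN.
            if token != pan and not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Replace a PAN with a token, reusing the token if the PAN is already vaulted."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:       # deterministic per PAN so tokens can be joined
            return self._pan_to_token[pan]
        token = self._new_token(pan)
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; only the vault can do this, and only by lookup."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo() -> dict[str, str]:
    """Tokenise the constructed sample PANs and return the PAN -> token mapping."""
    vault = TokenVault()
    return {pan: vault.tokenize(pan) for pan in SAMPLE_PANS}


if __name__ == "__main__":
    for pan, token in demo().items():
        print(f"{pan} -> {token}  (luhn_valid={luhn_valid(token)})")
```

The point the example makes is the one in the quote: because the token body is random, no amount of analysis of the token recovers the PAN; the security of the scheme therefore rests entirely on who can query the vault, which is why the tokenisation server itself remains inside the CDE whether it is run in house or outsourced.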

Asked if he expected changes to be made in the future to include areas such as tokenisation, Mattsson said that he did not assume that the standard would be changed more frequently, as the SSC now has special interest groups that offer validation documents containing guidance on what is not found in version 2.0.

“So in the meantime we have different documents that will educate the qualified security assessors (QSA) and industry. One day I believe the information in the guidance documents will be part of PCI guidance, so we are speeding up the cycle with these documents.

“We are seeing organisations moving from encryption to tokenisation as it is a more cost-effective and secure approach, and going forward the best way is to minimise the data security risk.”
