The PCI Security Standards Council (PCI SSC) has released guidance on tokenisation and how it may make compliance easier.
The PCI DSS Tokenisation Guidelines Information Supplement explains how tokenisation technology replaces a primary account number (PAN) with a surrogate value, also called a token. Specific to PCI DSS, this involves substituting sensitive PAN values with non-sensitive token values.
The SSC said that, as with many evolving technologies, there is currently a lack of industry standards for implementing secure tokenisation solutions in a payment environment. It said that this initial guidance provides stakeholders with suggested guidelines for developing, evaluating or implementing a tokenisation solution, including insight on how a tokenisation solution may affect the scope of PCI DSS compliance efforts.
Bob Russo, general manager of the PCI SSC, said: “We've continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS efforts. These specific guidelines provide a starting point for merchants when considering tokenisation implementations. The council will continue to evaluate tokenisation and other technologies to determine the need for further guidance and/or requirements.”
Asked if he felt that it was about time that the PCI council recognised tokenisation as a viable solution for holding sensitive data, Dan Konisky, director of product management at nuBridges, said that despite moves to recognise tokenisation as a top-four technology for simplifying compliance, the need for guidance and standards has been lacking.
“Given the fact that merchants have been successfully using tokenisation systems for a number of years to comply with PCI DSS, the release of the guidance helps to clarify the impact tokenisation can have on merchants,” he said.
“This does go some way to addressing that lack of standards, as within the guidelines the council has described a range of tokenisation methodologies and models of deployment and their potential impact on PCI scope and compliance. For example, the guidelines make clear distinctions between tokens that are randomly generated and tokens that are mathematically derived from the original PAN through the use of encryption or hashing algorithms.
“They go on to say that mathematically derived tokens may be subject to greater PCI DSS considerations. While the guidelines do not offer specific validation criteria, this is the type of guidance that the community has been seeking.”
Konisky said that the document 'is an important stepping stone' and that he hoped additional guidance would include validation criteria for PCI auditors.
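As an added example (not from the article or the PCI SSC supplement), the distinction drawn above between randomly generated tokens and tokens mathematically derived from the PAN, in Python; the format-preserving token layout and the HMAC construction are assumptions made for the illustration:

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Randomly generated tokens: no mathematical relation to the PAN, so the
    only route from token back to PAN is the mapping this vault holds."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:  # one PAN, one token within a vault
            return self._token_by_pan[pan]
        while True:
            # Random body; the last four PAN digits are kept for receipts
            # (an assumed format, not taken from the guidance).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject a token that equals the PAN or is already issued.
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def derived_token(pan: str, key: bytes) -> str:
    """Mathematically derived token (HMAC-SHA256 of the PAN, truncated; an
    assumed construction). Deterministic: anyone with key and algorithm can
    recompute it, and the same PAN gives the same token in every system that
    shares the key. That residual link to the PAN is why the guidelines say
    derived tokens may carry greater PCI DSS considerations."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def compare(pan: str, key: bytes) -> dict:
    """Tokenise one PAN in two independent vaults and with the derived scheme."""
    a, b = TokenVault(), TokenVault()
    return {
        "random_differs_across_vaults": a.tokenize(pan) != b.tokenize(pan),
        "vault_round_trip": a.detokenize(a.tokenize(pan)) == pan,
        "derived_same_everywhere": derived_token(pan, key) == derived_token(pan, key),
    }
```

Two vaults never agree on a random token for the same PAN, while the derived token is identical wherever the key is known, which is the property that keeps it tied to the PAN.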