This is page 2 of:
In The Security Vs. Compliance Battle Of The Mind, Security Is Winning
To me, the most important part of Jeff’s comment (and the one by Steve Sommers) is reinforcing the criticality of security for the tokenization engine and token vault. We both agree that this is the case whether the tokenization is managed internally or outsourced to a specialty tokenization vendor. I believe that PCI provides a good structure for how implementation can be done to be both compliant and secure, even if explicit details are not, as Jeff pointed out, contained in the PCI Council’s guidance document.
Mark Bower raised the issue of maintaining—and continually proving—the security of the tokenization solution over its lifetime as networks, systems and people change. I know Mark as an encryption and security expert, and I respect him a great deal. His point, like the others, focuses on the need for security and not just scope reduction.
My response starts with the fact that the changeable nature of systems and environments is why every merchant revalidates PCI compliance each year, and part of that revalidation (or re-assessment) includes taking a look at all policies and the risk assessment. More to Mark’s point, though, is the fact that although validation is once a year, actual compliance is what the merchant has to do every single day. If a merchant does not have the policies, procedures and internal culture to be compliant at all times, perhaps neither tokenization nor encryption is a good solution. Those organizations might be better served by not storing any cardholder data.
Lastly, I’d like to note the comments dealing with what the PCI Council terms “high-value tokens” and the confusion from that distinction. One commenter (who was on the Tokenization Special Interest Group) observed that a compromised high-value token could lead to fraud even though the PAN was never exposed, thereby implying that PCI is not designed to prevent fraudulent activity.
I have to take issue with that conclusion. My evidence is the high-value token designation itself. The fact that the Council’s guidance all but decrees these tokens to be in scope tells me that PCI is definitely concerned with fraud even if PANs are not compromised. Nevertheless, having direct input from somebody who was on the SIG is extremely valuable.
Clearly, tokenization will continue to generate a great deal of interest and discussion. What benefits everyone—retailers and vendors alike—is emphasizing not just compliance and scope reduction but security. If a solution is secure, then compliance will follow whether you choose encryption or tokenization. On that I think we all can agree.
What do you think? Do you have other comments you would like to add? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
February 1st, 2012 at 9:24 pm
Nice update post Walt, and thanks for the kind words :) I agree with pretty much all of what you have to say, and I think the implementation point is exactly why PCI is currently beavering away on the Point to Point Encryption (P2PE) program.
One of the major goals of this program is to place the burden of implementation back to the hands of the vendor(s), so that the merchant can rest assured that as long as they use the system provided for payments, everything else is taken care of.
I think that this has the potential to provide a terrific win for the merchants in scope for these sorts of systems, and also to the security posture of payments as a whole – exactly because it should ensure that people who know what they are doing are the only ones involved in the details.