This is page 2 of:
PCI Council’s High-Value Token Definition Disappointing
The good news in the guidelines is that merchants who use tokenization to remove their post-purchase and other back-office systems from PCI scope should be in good shape.
To be more precise, here is what the guidelines actually say: “System components that are adequately segmented [isolated] from the tokenization system and the CDE [cardholder data environment]; and that store, process or transmit only tokens; and that do not store, process or transmit any cardholder data or sensitive authentication data, may be considered outside of the CDE and possibly out of scope for PCI DSS.”
Unfortunately, there is disappointing news for retailers and E-Commerce merchants who use tokens to generate transactions. They need to dig into the details of their tokenization systems, and it seems they may also need to consider their high-value tokens to be in scope for PCI.
From a big-picture perspective, the guidelines confirm that in certain conditions (and the Council detailed seven of them) replacing PAN data with tokens may remove that data from your PCI scope. That was the good news.
There also was some not-so-good news for some retailers. Notice I said “may remove” and not something more definite. I used that term intentionally, because the guidelines also indicate that to minimize PCI scope you need to know how you will use the tokens, not just how you generated them. In other words, not all tokens are created equal. The bottom line is that some tokens will still be in scope for PCI.
The Tokenization Task Force included representatives from merchants, vendors and QSAs. A lot of people put in a lot of time, effort and energy into drafting these guidelines. The PCI Council then reviewed the recommendations, ultimately releasing the final document, which concludes: “The level of PCI DSS scope reduction offered by a tokenization solution will also need to be carefully evaluated for each implementation.”
No one should expect a simple answer to a complex issue like tokenization. Therefore, the first thing we need to keep in mind is that when the PCI Council releases “guidelines,” that is exactly what they are: guidelines. It did not release pre-baked, ready-to-serve, one-size-fits-all answers that apply in all cases. The Council cannot—and should not be expected to—do that, because technologies, security and implementations will vary from merchant to merchant. Therefore, in my opinion, it is not reasonable to expect anything more than guidelines, which is all the Council promised in the first place.
We have been waiting for more than a year for the report from the Tokenization Task Force and the PCI Council, and now we have it. Love it or hate it, the guidelines are what we all have to work with. My guess is that some tokenization RFPs—along with any number of vendor sell sheets—will be re-written this week.
What do you think? Have you implemented tokenization? Do you have, or do you expect to have, high-value tokens? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.