Tokenization: It’s Not Just For Payment Anymore
Written by David Taylor, GuestView Columnist. David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.
As more and more merchants try to lower their breach risk by reducing the amount of credit card data they collect and retain, the topic of tokenization comes up often. Although the term is most commonly used to refer to the replacement of credit card numbers by meaningless numbers that have no black market value, a few leading merchants and service providers are applying the process and the technology to all confidential data. I believe this is the beginning of an enterprise tokenization strategy, and I see several important ways that both the technology and the associated business processes can benefit organizations adopting this strategy.
Most of the merchants who first consider tokenization tend to focus on the retail POS. They implement a payment-specific approach that captures card data at the point of swipe and substitutes a randomly generated number (usually also 16 digits) that can be processed by downstream applications with relatively limited reprogramming. This is an excellent start. But merchants who also gather card data via Web commerce, call centers and other channels should ensure that whatever product or service they use can also tokenize data through all of their channels. Not all offerings in the market work well or cost-effectively in a multi-channel environment. As such, merchants need to ensure that their RFPs and requirements reflect their current and near-future channel needs.
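As an added illustration of the payment-specific approach just described (example code written for this page, not code from the column or from any vendor's product), the sketch below shows a token vault that swaps a card number for a random 16-digit token and keeps the only copy of the mapping. The specifics are design assumptions of this example rather than anything the column specifies: tokens keep the PAN's last four digits so receipts and field lengths keep working, deliberately fail the Luhn check so a token can never be mistaken for a real card number, and are derived from a keyed index so the same card presented at POS, on the Web or in a call center receives the same token.

```python
import hashlib
import hmac
import secrets

# Added example: a minimal token vault. The PAN-to-token mapping exists only
# inside the vault; every downstream system stores and processes the token.
# Design assumptions (not stated in the column): tokens are 16 digits, keep
# the last four digits of the PAN, and deliberately fail the Luhn check.


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Replaces PANs with random 16-digit tokens that only the vault can reverse."""

    def __init__(self) -> None:
        self._pan_by_token = {}      # token -> PAN (the single retained instance)
        self._token_by_index = {}    # HMAC(PAN) -> token, for repeatable tokens
        # Keyed index so the same PAN maps to the same token on every channel
        # without storing a plain, brute-forceable hash of the PAN.
        self._index_key = secrets.token_bytes(32)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, generating and storing one if needed."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            # 12 random digits plus the PAN's last four: same length as a card
            # number, so downstream field sizes and receipt masking keep working.
            token = "".join(str(secrets.randbelow(10)) for _ in range(12)) + pan[-4:]
            # Reject a candidate that Luhn-validates (it could be mistaken for a
            # real card number) or that is already in use.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the PAN; in practice this path is restricted to settlement."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.tokenize("4111111111111111")   # widely used test card number
    print(t, vault.detokenize(t) == "4111111111111111")
```

The vault itself is the one system that stays in scope; the rest of the estate only ever sees tokens, which is the scope-reduction effect the column describes. A production vault would additionally encrypt the stored PANs and log every `detokenize` call.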
The payment application data security standards (PA-DSS) are actually tougher in some respects than PCI DSS. As a result, some ERP vendors and users of packaged enterprise applications are considering tokenization as a strategy to modularize and centralize all payment processing by these applications. The alternative is to partner with a payment processing specialist that supplies the payment functionality, removing the ERP software itself from PCI scope.
Beyond the obvious step of ensuring they buy products and services that are PA-DSS and/or PCI DSS compliant, it is important for merchants and enterprise application vendors to build tokenization functionality into their applications. But beyond payment tokenization, the best practice is to ensure that all confidential data (as defined by U.S. state, national and international privacy laws) can be tokenized. This ability minimizes the number of instances of regulated, confidential data within enterprise applications, to the point where individuals are no longer able to create and distribute copies of that data.
Although clearly a long-term objective, it is important for software builders and buyers to focus upfront on limiting the number of instances of confidential data. Such basic functionality can greatly reduce the business risk and potential for fraudulent transactions.
Some merchants and service providers have refused to consider tokenization because it is not specifically mentioned in the PCI standards, unlike dozens of other security technologies. As such, they plan to wait until tokenization is addressed before taking action. Merchants who are implementing tokenization specifically for PCI often cite PCI DSS requirement 3.1, which says to keep cardholder data storage to a minimum. These merchants argue that tokenization reduces the number of instances of card data by centralizing them and eliminating all but one instance.
Our experience with IT strategy over the years has made it clear that there is never a mandate for strategy. Standards virtually never tell a merchant whether to take a long-term or short-term view of a problem, and they are not designed to be updated every time a new technology comes on the market. As a process, tokenization is less about innovative technology and more about understanding how to design systems and processes that minimize the risk of retaining data elements with intrinsic (or market) value.
From an application perspective, tokenization functions much like network segmentation: it reduces PCI scope. But beyond PCI, an enterprise tokenization strategy also reduces the overall risk to the enterprise that results from many persons having access to confidential data, often beyond what business needs can justify. Tokenization, applied strategically to enterprise applications, can reduce ongoing confidential data management costs as well as the risk of a security breach and the scope of a PCI assessment.
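The requirement 3.1 argument above, and the scope-reduction point in this paragraph, both rest on being able to count the instances of card data that remain outside the vault. The following Python scan is an added example (written for this page, not from the column) that does exactly that over constructed sample records from three channels, before and after tokenization. A plain digit-run regex cannot tell a 16-digit token from a PAN; the scan relies on the Luhn check to separate them, which assumes, as a design choice not stated in the column, that tokens are generated to fail Luhn. The tokens in the "after" records are constructed values chosen to satisfy that assumption.

```python
import re

# Added example: PAN discovery over constructed sample records from a POS log,
# ERP orders and a call centre note, before and after tokenization. The token
# values below are constructed and deliberately fail the Luhn check (a design
# assumption, not something the column specifies).

RECORDS_BEFORE = [
    "pos-lane-03 2009-08-27 sale 41.20 pan=4111111111111111 auth=OK",
    "erp order 88213 customer=J. Doe card=4111 1111 1111 1111 ship=CA",
    "callcenter note: cust read card 5500-0000-0000-0004 over phone, charged 12.00",
    "erp order 88214 customer=A. Roe card=5500000000000004",
]

RECORDS_AFTER = [
    "pos-lane-03 2009-08-27 sale 41.20 token=7381920465721111 auth=OK",
    "erp order 88213 customer=J. Doe card=7381 9204 6572 1111 ship=CA",
    "callcenter note: cust read card over phone, charged 12.00 token=2093-8174-6543-0004",
    "erp order 88214 customer=A. Roe card=2093817465430004",
]

# 13 to 19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(r"\d(?:[ -]?\d){12,18}")


def luhn_valid(digits: str) -> bool:
    """Luhn check: a candidate run is treated as a PAN only if it passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def scan_for_pans(records):
    """Return (record index, normalised PAN) for every Luhn-valid card-number run."""
    hits = []
    for i, line in enumerate(records):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                hits.append((i, digits))
    return hits


def summarize(records):
    """Instances of card data and distinct PANs: the figures requirement 3.1 cares about."""
    hits = scan_for_pans(records)
    return {"instances": len(hits), "distinct_pans": len({pan for _, pan in hits})}


if __name__ == "__main__":
    print("before:", summarize(RECORDS_BEFORE))   # 4 instances, 2 distinct PANs
    print("after: ", summarize(RECORDS_AFTER))    # 0 instances outside the vault
```

Run against real exports (database dumps, log archives, shared drives), the same scan is the evidence an assessor would want for the claim that only the vault still holds card data; the vault itself will, by design, still show its one instance per card.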
We will be conducting a Webinar on Enterprise Tokenization Strategies on February 26, and we encourage anyone who has an interest in this topic to register using the link found on the homepage of the PCI Knowledge Base. If you have questions about this or any other topic related to PCI, compliance and security, just send me an E-mail at David.Taylor@KnowPCI.com.
August 27th, 2009 at 1:02 pm
While hardware tokens provide a viable alternative to credit cards and other authentication methods as the article points out, end users are pushing back on usage not only because the PCI standards do not require it, but also because, as it stands, current implementation makes it quite impractical. Our experience shows users accumulate a number of hardware tokens required for transaction-based banking applications. And each token requires secure storage, maintenance and regular password upkeep. It becomes cumbersome to have ten tokens, for instance, and remember the operational instructions and static passwords of each one of them. The industry needs to converge on a standard for tokens that will make a single hardware device usable for multiple products’ access. Otherwise users will still have tokens in an unlocked drawer together with a printed instruction sheet: a combination that defeats the original purpose.