Tokenization: It’s Not Just For Payment Anymore

Written by David Taylor
February 19th, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

As more and more merchants try to lower their breach risk by reducing the amount of credit card data they collect and retain, the topic of tokenization comes up often. Although the term is most commonly used to refer to the replacement of credit card numbers by meaningless numbers that have no black market value, a few leading merchants and service providers are applying the process and the technology to all confidential data. I believe this is the beginning of an enterprise tokenization strategy, and I see several important ways that both the technology and the associated business processes can benefit organizations adopting this strategy.

  • Multi-Channel Approach
    Most of the merchants who first consider tokenization tend to focus on the retail POS. They implement a payment-specific approach that captures card data at the point of swipe and substitutes a randomly generated number (usually also 16 digits) that can be processed by downstream applications with relatively limited reprogramming. This is an excellent start. But merchants who also gather card data via Web commerce, call centers and other channels should ensure that whatever product or service they use can also tokenize data through all of their channels. Not all offerings in the market work well or cost-effectively in a multi-channel environment. As such, merchants need to ensure that their RFPs and requirements reflect their current and near-future channel needs.

  • Enterprise Application Security
    The Payment Application Data Security Standard (PA-DSS) is actually tougher in some respects than PCI DSS. As a result, some ERP vendors and users of packaged enterprise applications are considering tokenization as a strategy to modularize and centralize all payment processing performed by these applications. The alternative is to partner with payment processing specialists, which supply the payment functionality, so that the ERP software as a whole is removed from PCI scope.

    Beyond the obvious step of ensuring they buy products and services that are PA-DSS and/or PCI DSS compliant, it is important for merchants and enterprise application vendors to build tokenization functionality into their applications. But beyond payment tokenization, the best practice is to ensure that all confidential data (as defined by U.S. state, national and international privacy laws) can be tokenized. This ability minimizes the number of instances of regulated, confidential data within enterprise applications to the point of restricting the ability of individuals to create and distribute copies of confidential data.

    Although clearly a long-term objective, it is important for software builders and buyers to focus upfront on limiting the number of instances of confidential data. Such basic functionality can greatly reduce the business risk and potential for fraudulent transactions.

  • No Mandate For Strategy
    Some merchants and service providers have refused to consider tokenization because it is not specifically mentioned in the PCI standards, unlike dozens of other security technologies. As such, they plan to wait until tokenization is addressed before taking action. Merchants who are implementing tokenization specifically for PCI often cite PCI DSS Requirement 3.1, which says to keep cardholder data storage to a minimum. These merchants argue that tokenization reduces the number of instances of card data through centralization, eliminating all but one instance of card data.

    Our experience with IT strategy over the years has made it clear that there is never a mandate for strategy. Standards virtually never tell a merchant whether to take a long-term or short-term view of a problem, and they are not designed to be updated every time a new technology comes on the market. As a process, tokenization is less about innovative technology and more about understanding how to design systems and processes that minimize the risk of retaining data elements with intrinsic (or market) value.

    From an application perspective, tokenization functions much like network segmentation: both reduce PCI scope. But beyond PCI, an enterprise tokenization strategy also reduces the overall risk to the enterprise that results from many people having access to confidential data, often beyond what business needs can justify. Tokenization, applied strategically to enterprise applications, can reduce ongoing confidential data management costs as well as the risk of a security breach and the scope of a PCI assessment.

  • The Bottom Line
    We will be conducting a Webinar on Enterprise Tokenization Strategies on February 26, and we encourage anyone who has an interest in this topic to register using the link found on the homepage of the PCI Knowledge Base. If you have questions about this or any other topic related to PCI, compliance and security, just send me an E-mail at
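The vault pattern described in the Multi-Channel and No Mandate sections above (one retained instance of the card number, a random 16-digit stand-in everywhere else), as an added Python example that is not from the column or from any product it mentions; the keyed lookup, the in-memory maps, the cross-channel token reuse and the sample card number are assumptions made for the illustration:

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Holds the only copy of each PAN; everything downstream sees tokens.

    Assumed design for this illustration: a real vault would keep the maps
    encrypted, access-controlled and audited rather than in memory.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._key = lookup_key  # keys the PAN lookup so the map is not indexed by plain PAN
        self._token_by_lookup: dict[str, str] = {}  # HMAC(PAN) -> token
        self._pan_by_token: dict[str, str] = {}     # token -> PAN (the single instance)

    def _lookup(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("input does not look like a PAN")
        key = self._lookup(pan)
        if key in self._token_by_lookup:  # same PAN from POS, web or call center -> same token
            return self._token_by_lookup[key]
        while True:
            # 16 random digits: no mathematical relation to the PAN, so no black-market value
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._pan_by_token:
                break
        self._token_by_lookup[key] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (or the payment gateway behind it) should ever call this."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, channel: str, pan: str, amount: str) -> dict:
    """What an order system stores: the token, never the PAN."""
    return {"channel": channel, "card_token": vault.tokenize(pan), "amount": amount}


def pan_present(record: dict, pan: str) -> bool:
    """Check a downstream record for leakage of the real PAN."""
    return any(pan in str(value) for value in record.values())
```

Because the token has the same length and character set as the card number, the order record keeps its layout, which is the "limited reprogramming" the column refers to.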


    One Comment

    1. Kiril Alexiev Says:

      While hardware tokens provide a viable alternative to credit cards and other authentication methods as the article points out, end users are pushing back on usage not only because the PCI standards do not require it, but also because, as it stands, current implementation makes it quite impractical. Our experience shows users accumulate a number of hardware tokens required for transaction-based banking applications. And each token requires secure storage, maintenance and regular password upkeep. It becomes cumbersome to have ten tokens, for instance, and remember the operational instructions and static passwords of each one of them. The industry needs to converge on a standard for tokens that will make a single hardware device usable for multiple products’ access. Otherwise users will still have tokens in an unlocked drawer, together with a printed instruction sheet: a combination that defeats the original purpose.

