Payment Card Industry Council Releases Guidance on Protecting Card Information through Tokenization

The Payment Card Industry (PCI) Council issued new guidelines on tokenization.  Tokenization is a process that conceals the financial account number from a merchant by replacing it with a surrogate number referred to as a “token.”   The token is then matched with the financial account number that remains protected in a secure vault.  The PCI’s tokenization guidelines supplement the PCI Data Security Standard (PCI DSS).  The guidelines are available here. The guidelines are significant as the first attempt at articulating an industry standard on implementing a secure tokenization process.  For instance, in a secure tokenization system, a hacker cannot re-engineer the financial account number using only the token. The guidelines are also the first to analyze of how tokenization can narrow the scope of PCI DSS requirements.  The guidelines offer practical advice on how to structure a secure tokenization process that prevents merchants from keeping financial account numbers after the initial transaction.  Reducing the amount of cardholder data that merchants hold and the number of system components where merchants store that data can potentially narrow the data and components subject to PCI DSS requirements and assessments.   The guidelines also assign responsibility for creating and maintaining a tokenization process between merchants and tokenization service providers and may help companies choose a tokenization service provider.