PCI council offers merchants guidance on secure tokenization

12 August 2011

The PCI Security Standards Council released today its security guidance for the use of tokenization to process payment card transactions.

The guidance provides “greater clarity” into how the use of tokenization technologies affects compliance with the PCI Data Security Standard (PCI DSS). Tokenization replaces a customer’s card account number (the primary account number, or PAN) with a surrogate value called a token, which enables merchants to process the customer’s transactions without having to retain and store the account number.

The guidance offers advice to merchants on implementing tokenization by outlining explicit scoping elements for consideration; provides recommendations on scope reduction, the tokenization process, deployment, and operational factors; details best practices for selecting tokenization technology; and identifies areas where specific security controls need to be applied and validated, particularly where tokenization could minimize the cardholder data environment (CDE).

The Council said that the guidance also benefits tokenization service providers and assessors by informing them about how the technology can help merchants limit or eliminate system components that process, store, or transmit cardholder data, and reduce the scope of the CDE – and thus the scope of a PCI DSS assessment.
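To make the two points above concrete (a token that stands in for the PAN, and merchant systems that hold only tokens falling outside the CDE), here is an added example of a minimal tokenization vault. It is not code from the PCI SSC guidance or from any tokenization vendor; the token format (same length as the PAN, last four digits preserved, remaining digits random and the whole deliberately failing the Luhn check), the keyed lookup index, and the `contains_pan` scoping check are all design assumptions made for this illustration, and the sample card numbers are public test numbers, not real accounts.

```python
"""Toy tokenization vault: PAN in, random token out, PAN only recoverable
inside the vault. Constructed example; the format and index design are
assumptions, not the PCI SSC's own recommendations."""
import hashlib
import hmac
import re
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the PAN-to-token mapping. This component stays inside the CDE."""

    def __init__(self, index_key: bytes):
        # Keyed index: an unkeyed hash of a PAN is cheap to brute-force
        # because the PAN space is small, so the lookup index is an HMAC.
        self._index_key = index_key
        self._token_by_index = {}   # HMAC(PAN) -> token
        self._pan_by_token = {}     # token -> PAN (the sensitive table)

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Mint a random token with no mathematical relationship to the PAN.

        Assumed format: same length as the PAN, last four digits preserved
        (so receipts can show them), remaining digits from a CSPRNG. The
        token must also fail the Luhn check so it can never be mistaken
        for, or accepted as, a real card number.
        """
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting one the first time it is seen."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            token = self._new_token(pan)
            self._token_by_index[idx] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (in scope) can recover the PAN; merchant systems never call this."""
        return self._pan_by_token[token]


PAN_PATTERN = re.compile(r"\d{13,19}")


def contains_pan(text: str) -> bool:
    """Assessor-style scoping check: does the text hold a Luhn-valid 13-19 digit run?"""
    return any(luhn_valid(m.group()) for m in PAN_PATTERN.finditer(text))


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # Constructed sample orders using public test card numbers.
    order_db = []
    for pan, amount in [("4111111111111111", "19.99"),
                        ("5555555555554444", "5.00"),
                        ("4111111111111111", "42.00")]:
        tok = vault.tokenize(pan)                   # done at the tokenization boundary
        order_db.append(f"order token={tok} amount={amount}")  # merchant stores only the token
    for row in order_db:
        print(row, "| PAN present:", contains_pan(row))
```

Two properties matter for scope reduction and both are checkable here: the same PAN always maps to the same token (so the merchant can still recognise a returning card for analytics or refunds), yet nothing in the merchant's order records passes `contains_pan`, because the token is random and intentionally Luhn-invalid. Whether a given deployment actually takes the merchant's systems out of scope still depends on the vault, the tokenization boundary, and the detokenization path being assessed, which is the point the guidance makes.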

"These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements", said Bob Russo, general manager of the PCI Security Standards Council.

The tokenization guidance follows the council’s previously released technology supplements on virtualization, point-to-point encryption, and EMV smartcards. These guidance documents are created to assist merchants in understanding how these technologies may impact their CDE and the scope of PCI DSS compliance efforts before they implement them in their organizations, the Council explained.
