PCI council offers merchants guidance on secure tokenization

The guidance provides “greater clarity” into how the use of tokenization technologies affects compliance with the PCI Data Security Standards (PCI DSS). Tokenization replaces a customer’s card account number with a surrogate value called a token, which enables merchants to process the customer’s transactions without having to retain and store the account number.
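To make the scoping point concrete, here is an added illustration (not code from the Council's guidance or from any vendor) of a minimal tokenization vault and the merchant-side record it produces. The vault, `TokenVault`, is a hypothetical service that holds the account numbers and issues random tokens with no mathematical relationship to the PAN; the merchant system keeps only the token and the last four digits. The lookup key, PAN value and order id are constructed sample values. A production vault would encrypt stored PANs at rest and sit inside the PCI DSS assessed environment; the merchant systems that only ever see tokens are the ones whose scope the guidance says can shrink.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass

PAN_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so the vault rejects malformed input before storing it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service (assumed, not from the page).

    This component stores real account numbers and is therefore fully in
    PCI DSS scope. Callers outside the vault only ever handle tokens.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key      # secret used only for the repeat-PAN index
        self._pan_by_token: dict[str, str] = {}
        self._token_by_fingerprint: dict[str, str] = {}

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash lets the vault find an existing token for a repeat PAN
        # without keeping a plaintext index of account numbers.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, issuing a fresh random token on first sight."""
        if not PAN_RE.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = self._fingerprint(pan)
        if fp in self._token_by_fingerprint:
            return self._token_by_fingerprint[fp]
        # Random token: it cannot be reversed to the PAN without the vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan          # a real vault encrypts this at rest
        self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and the authorized callers it fronts) can map back to a PAN."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


@dataclass(frozen=True)
class MerchantRecord:
    """What the merchant's order system is allowed to keep: no PAN anywhere."""
    order_id: str
    token: str
    last4: str


def record_order(vault: TokenVault, order_id: str, pan: str) -> MerchantRecord:
    """Exchange the PAN for a token at capture time and store only the token."""
    token = vault.tokenize(pan)
    return MerchantRecord(order_id=order_id, token=token, last4=pan[-4:])


def record_holds_pan(record: MerchantRecord, pan: str) -> bool:
    """Scoping check: does the merchant-side record still contain the full PAN?"""
    return pan in record.token or pan in record.order_id or pan == record.last4


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    vault = TokenVault(lookup_key=b"constructed-lookup-key")
    rec = record_order(vault, "order-1001", "4111111111111111")
    print(rec)
    print("merchant record holds PAN:", record_holds_pan(rec, "4111111111111111"))
```

The same PAN presented twice yields the same token, which is what lets a merchant run recurring charges against the stored token; a stolen merchant database of tokens gives an attacker nothing usable without the vault.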

The guidance offers advice to merchants on implementing tokenization by outlining explicit scoping elements for consideration; provides recommendations on scope reduction, the tokenization process, deployment, and operational factors; details best practices for selecting tokenization technology; and identifies areas where specific security controls need to be applied and validated, particularly where tokenization could minimize the cardholder data environment (CDE).

The Council said that the guidance also benefits tokenization service providers and assessors by informing them about how the technology can help merchants limit or eliminate system components that process, store, or transmit cardholder data, and reduce the scope of the CDE – and thus the scope of a PCI DSS assessment.

"These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements", said Bob Russo, general manager of the PCI Security Standards Council.

The tokenization guidance follows the council’s previously released technology supplements on virtualization, peer-to-peer encryption, and EMV smartcards. These guidance documents are created to assist merchants in understanding how these technologies may impact their CDE and scope of PCI DSS compliance efforts before they implement them in their organizations, the Council explained.
