Friday, August 12, 2011

PCI SSC Issues Tokenization Guidelines

The Payment Card Industry Security Standards Council has issued guidelines for tokenization of credit card data in card-not-present transaction processing which confirm that a retailer can be "out of scope" if tokens are implemented properly.

To keep the merchant out of scope, the tokenization process must not be "reversed" for any reason, such as processing chargebacks or refunds, updating a credit card expiration date, or for marketing or analysis purposes, loyalty program management, and so on.

[Figure: Data Tokenization Flowchart]
The report summarizes characteristics of a tokenization system that meets PCI DSS requirements as follows:

1. The tokenization system does not provide PAN [Primary Account Number] in any response to any application, system, network, or user outside of the merchant's defined CDE [Cardholder Data Environment].
2. All tokenization components are located on secure internal networks that are isolated from any untrusted and out-of-scope networks.
3. Only trusted communications are permitted in and out of the tokenization system environment.
4. The tokenization solution enforces strong cryptography and security protocols to safeguard cardholder data when stored and during transmission over open, public networks.
5. The tokenization solution implements strong access controls and authentication measures in accordance with PCI DSS Requirements 7 and 8.
6. The tokenization system components are designed to strict configuration standards and are protected from vulnerabilities.
7. The tokenization solution supports a mechanism for secure deletion of cardholder data as required by a data-retention policy.
8. The tokenization solution implements logging, monitoring, and alerting as appropriate to identify any suspicious activity and initiate response procedures.

The document also details how to work with a TSP [Tokenization Service Provider].

The Council points out that "An important consideration when evaluating a tokenization solution is whether the token itself can be used in lieu of cardholder data to perform a transaction. Tokens that can be used as payment instruments (sometimes called 'high-value tokens') could potentially be monetized or used to generate fraudulent transactions, and may therefore have the same value to an attacker as the data they are intended to replace. Tokenization solutions which support these types of tokens should have additional controls in place to detect and prevent attempted fraudulent activities. Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data; merchants should therefore consult with their acquirer and/or the Payment Brands directly to determine specific requirements for tokens that can be used as payment instruments."
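To make characteristics 1 and 8 and the high-value-token caveat concrete, here is an added example of a minimal token vault (written for this post, not taken from the Council's document or any vendor). It assumes caller identities are plain strings checked against an allow-list standing in for the CDE boundary, that tokens keep only the last four digits of the PAN, and that a token is rejected if it would itself pass the Luhn check, so it can never be mistaken for a usable card number.

```python
import logging
import secrets
import string

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("token-vault")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test, as used for PANs (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example: random, non-computable tokens; PAN stays inside the vault."""

    def __init__(self, cde_callers):
        self._vault = {}                        # token -> PAN, lives only inside the CDE
        self._cde_callers = frozenset(cde_callers)  # assumed allow-list of in-scope systems

    def tokenize(self, pan: str, caller: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        while True:
            # Same length as the PAN, last four preserved for refund/lookup matching,
            # remaining digits drawn from a CSPRNG so the token cannot be derived from the PAN.
            middle = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # A token that passes Luhn could be mistaken for (or abused as) a real card
            # number, the 'high-value token' concern; reject it and also avoid collisions.
            if not luhn_valid(token) and token not in self._vault:
                break
        self._vault[token] = pan
        log.info("tokenize caller=%s last4=%s", caller, pan[-4:])   # characteristic 8
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Characteristic 1: PAN is never returned to anything outside the defined CDE.
        if caller not in self._cde_callers:
            log.warning("DENIED detokenize caller=%s token_last4=%s", caller, token[-4:])
            raise PermissionError("detokenization outside the CDE is not permitted")
        log.info("detokenize caller=%s token_last4=%s", caller, token[-4:])
        return self._vault[token]
```

Refunds, expiry updates and analytics in this model operate on the token only; the marketing or loyalty system never holds a caller identity that the vault will honour.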

1 comment:

Ernie Schell said...

There's a good discussion about this topic on the Direct Commerce Systems Forum: click HERE
