A Paradigm Shift in Protecting Cardholder Data?

Topics: PCI

Lately, many customers have asked about their options for meeting PCI's data protection requirements. While encryption and key management are the most widely adopted technologies, and continue to be the preferred solution for most, I've seen a major increase in the number of organizations interested in using a token (or alias) as a substitute for storing real credit card numbers in their environment.

For those not familiar with tokenization, the basic process is relatively simple:
After a credit card transaction is authorized, the cardholder data is sent to a centralized and highly secure server. Immediately after, the server uses an algorithm to generate a random number (the token) in such a way that it cannot be linked back to the original data. The token is then returned to the organization's business systems. It goes without saying that great care must be taken to secure the server's cross-reference table, which allows authorized look-up of the original value using the token as the index.
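To make the process above concrete, here is a small tokenization vault written for this post (example code, not from any vendor product). It assumes a CSPRNG-generated numeric token of the same length as the PAN, a design choice that tokens must fail the Luhn check so they can never be confused with a real card number, and a hypothetical role name "settlement" as the only caller allowed to detokenize.

```python
import secrets


def luhn_ok(number: str) -> bool:
    """Luhn check used to validate a PAN before it enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The centralized server: the only system that ever holds the real PAN.
    Business systems receive, store and process only the token."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}  # cross-reference table: token -> PAN
        self._by_pan: dict[str, str] = {}    # reverse index so one PAN gets one token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG, not derived from the PAN, so the
            # token cannot be reversed without the table. Tokens that pass Luhn
            # are rejected (design assumption) so a token is never a valid PAN.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan)))
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Authorized look-up of the original value, indexed by the token.
        Only the assumed 'settlement' role may recover a PAN."""
        if caller_role != "settlement":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._by_token[token]


def demo() -> dict:
    vault = TokenVault()
    pan = "4111111111111111"  # constructed sample: the standard Visa test number
    token = vault.tokenize(pan)
    return {"pan": pan, "token": token,
            "same_token_again": vault.tokenize(pan) == token,
            "recovered": vault.detokenize(token, "settlement")}
```

Everything outside the vault only ever sees `token`, which is the property that lets the rest of the estate fall outside the cardholder data environment.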

From a PCI DSS compliance perspective, tokenization has powerful implications for merchants, banks and service providers. One of the biggest challenges organizations face is reducing the size of their cardholder data environment and isolating it from the larger corporate network. Effectively meeting this challenge results in fewer controls, processes and procedures and significantly streamlines the annual assessment process. By ensuring that business applications, systems and infrastructure are processing randomly generated numbers instead of regulated cardholder information, organizations can drastically reduce the controls, processes and procedures needed to comply with the PCI DSS.
