Credit Card Tokenization: Put All Your Data Eggs in One Basket--and Watch That Basket
I was on a call recently with Gartner, Inc., analyst John Pescatore to learn about credit card tokenization. Pescatore, who specializes in the Payment Card Industry Data Security Standard (PCI DSS), encryption related to PCI DSS, and the overall security of Internet systems for Gartner, explained that tokenization can reduce a company's odds of a data breach as well as reduce the cost and complexity of PCI DSS compliance and auditing. A couple of other Penton Media editors, including System iNEWS technical editor Mel Beckman, were also on the call, and I present our questions and Pescatore's answers here for your edification. [Editor's note: nuBridges Inc., a software company that recently released a tokenization product, arranged our discussion with Pescatore but did not attend the call or have any control over what was discussed.]
Pescatore: The basic issue we've seen from enterprises is that the PCI mandate says that certain types of data have to be masked or encrypted. However, encryption does carry costs and complexity, plus the real issue is that what businesses really need to do is minimize the number of places where they store the credit card data--because in order to encrypt card data, you need encryption keys. If you're storing this data in more places than you need, the odds get higher that your keys will get compromised. So in the past couple of years, we've seen a lot of movement away from blind encrypting.
Here's an example: A lot of pretty big companies don't have credit card payment as a big part of their business, but they have the PCI security requirement even for the small amount of payment processing they do. And they thought encrypting and other PCI security requirements were too complicated, so they outsourced the payment processing so they'd never store the card data, just a token. These companies could get full access to the transaction data, but the outsourced payment processor sends it to them without the card data. This idea of tokenization and masking started with these outsourcers. nuBridges is one of the first to work tokenization into a key management product. Now enterprises who either can't or don't want to outsource payment processing can do it themselves with tokenization. However, outsourced payment processors do have to get certified as PCI compliant.
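To make the architecture Pescatore describes concrete, here is an added illustration of a tokenization vault; it is example code written for this article, not Pescatore's words and not nuBridges' or any payment processor's product. The vault is the one "basket" that holds card numbers; every other system (order history, reporting, customer service) receives only a token that has the same length and last four digits as the card but is otherwise random, so a copy of those systems' databases contains nothing a card fraudster can use. Assumptions in this example: the vault is an in-memory dictionary standing in for an encrypted, access-controlled database; repeat lookups use an HMAC of the card number under a vault-private key (so the same card always maps to the same token without storing the card number in the index); and tokens are deliberately made to fail the Luhn check so they can never be mistaken for a live card number. The Luhn routine is the standard one; everything else is a design choice of this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The single place where real PANs live (in-memory stand-in for an encrypted store)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key        # vault-private key for the lookup index
        self._token_to_pan = {}            # token -> PAN (the sensitive mapping)
        self._index_to_token = {}          # HMAC(PAN) -> token, for repeat customers

    def _index(self, pan: str) -> str:
        # Keyed hash so the index cannot be used to recover or brute-force PANs
        # by anyone who lacks the vault's key.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        """Random token: same length, same last four digits, guaranteed to fail Luhn."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if luhn_valid(token):
                # Changing one digit always changes the Luhn sum mod 10, so this
                # forces a Luhn failure; a real PAN passes Luhn, so token != PAN.
                token = str((int(token[0]) + 1) % 10) + token[1:]
            if token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Exchange a PAN for a token; only the vault ever sees the PAN."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]   # same card, same token
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup, available only inside the vault's trust boundary."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise ValueError("unknown token") from None


def masked(token: str) -> str:
    """What a customer-service screen outside the vault may display."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample input: a well-known test card number, not a real account.
    token = vault.tokenize("4111111111111111")
    print("order record stores:", token, "displayed as", masked(token))
    print("token passes Luhn?", luhn_valid(token))
    print("vault resolves it to:", vault.detokenize(token))
```

The point Pescatore makes about keys shows up directly here: the order database, the reporting warehouse and the support desk hold tokens that are useless without the vault, so the encryption keys and the PCI DSS controls have to be applied to one component instead of every system that touches a transaction. The vault itself is still in scope and still needs encryption at rest, strict access control and audit logging; tokenization shrinks the basket, it does not remove the need to watch it.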
http://www.gokiosk.net/kiosk/tokenization-in-depth.pdf