Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is of key relevance for companies that store, process, or transmit credit card data. The standard constitutes the basis for the protection of sensitive payment data and simultaneously strengthens the trust of customers and business partners.
As an accredited assessor, we are noticing a growing interest in tokenization in this area in particular. Tokenization involves replacing the primary account number (PAN) with a non-sensitive substitute value, known as a token. Since tokens are not considered credit card data in many cases, they can be an effective tool for reducing the audit effort, costs, and complexity of complying with PCI DSS requirements.
In this article, we will show you the advantages this method offers your company, the challenges to be aware of, and the strategic considerations for successful implementation.
Who needs to consider tokenization?
Whether you are a merchant, payment service provider, acquirer, service provider, or auditor, there is no getting around the term tokenization in the payment security industry at the moment. A tokenization solution can be an option for almost all companies where storing credit card data is not a core part of their business model:
- Online or omnichannel merchants
- SaaS/IaaS service providers with payment functionality
- Marketplace operators and payment facilitators
- Manufacturers of POS systems or ordering apps
The rest of this article refers to merchants as an example, but it applies to all companies for which storing card data is not part of their core business and for which a tokenization solution may therefore be a suitable option.
What is a tokenization solution?
Depending on the business model and cost factors, tokenization can be implemented differently in companies:
- An on-premise or in-house solution that a merchant manages within its IT infrastructure
- An outsourced solution for which a merchant delegates management to a tokenization service provider outside of the merchant’s infrastructure and control
- A hybrid solution that combines some on-premise components with some outsourced components
The following figure illustrates an example of how responsibilities may differ between the merchant and the tokenization service provider (TSP), depending on how the solution is deployed.

Our experienced experts in PCI & Payment Security have observed in their customer projects that outsourcing to a tokenization service provider or tokenization solution provider is currently the most favored solution. When outsourcing, responsibility for PCI DSS compliance can be partially transferred from the merchant to the TSP. This applies in particular to those components of the tokenization system that are operated by the service provider and are outside the merchant's sphere of influence. The tokenization process is as follows:

What precisely are tokens, and how does tokenization work in detail?
As briefly mentioned above, tokenization involves replacing the primary account number (PAN) with a substitute value, known as a token. Detokenization is the reverse process, whereby a token is exchanged for its corresponding PAN value. The security of an individual token is based primarily on the fact that it is virtually impossible to deduce the original PAN from the substitute value (the token).


How does tokenization affect your PCI DSS scope?
According to Requirement 3.5 of PCI DSS v4.0.1, tokenization may be used to render the PAN unreadable by replacing it with a token. Since tokens themselves do not fall within the scope of PCI DSS, tokenization can be used to significantly reduce the scope of certification.
The following rules apply to the use of tokenization in the context of PCI DSS:
- A tokenization solution does not exempt you from the obligation to maintain and demonstrate PCI DSS compliance. However, it can reduce the validation effort because fewer system components are subject to PCI DSS requirements.
- The effectiveness of tokenization must be verified. This includes, in particular, proving that PANs can no longer be reconstructed from any system components removed from the PCI DSS scope.
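The two points above (a token must not reveal the PAN, and systems taken out of scope must be shown to hold no PAN) can be made concrete in code. The following is an added example, not code from the original article or from any particular tokenization product: a minimal in-house vault that issues random tokens, plus a Luhn-based PAN scanner of the kind used to check data stores that have been removed from scope. The class and function names (`TokenVault`, `find_pans`, `residual_pans`) and the sample card number and records are this example's own constructions.

```python
import re
import secrets

# Constructed example: an in-house tokenization vault plus a PAN scanner for
# checking systems that have been removed from PCI DSS scope. The names
# TokenVault, find_pans and residual_pans are this example's own.

# Digit runs of 13-19 digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check that real PANs satisfy; tokens are built to fail it."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens. The token is not derived from the PAN, so
    nothing outside the vault can turn a token back into a card number."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._token_by_pan:  # same PAN always yields the same token
            return self._token_by_pan[pan]
        token = self._new_token(pan)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; it stays inside the CDE (or at the TSP)."""
        return self._pan_by_token[token]

    def _new_token(self, pan: str) -> str:
        last4 = pan[-4:]  # keep the last four digits for receipts and display
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # Regenerate until the value fails Luhn (so a PAN scanner never
            # mistakes it for a card number) and is not already in use.
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token


def find_pans(text: str) -> list[str]:
    """Return digit runs of 13-19 digits that pass Luhn: candidate PANs."""
    return [m.group(0) for m in PAN_RE.finditer(text) if luhn_valid(m.group(0))]


def residual_pans(records: list[str]) -> list[str]:
    """Scope check: records of an out-of-scope system must contain no PAN."""
    return [r for r in records if find_pans(r)]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"  # constructed test card number
    token = vault.tokenize(test_pan)
    print("token:", token, "-> detokenized:", vault.detokenize(token))
    # Constructed rows from an order database that was moved out of scope;
    # the third row simulates a PAN that slipped into a debug field.
    rows = [
        f"order=1001 card={token} amount=19.90",
        f"order=1002 card={token} amount=5.00",
        "order=1003 debug=4111111111111111 amount=42.00",
    ]
    print("records still holding a PAN:", residual_pans(rows))
```

Because the token is random rather than computed from the PAN, the only way back to the card number is the vault's lookup table, which is exactly the component that must stay inside the CDE or with the TSP. Making tokens fail the Luhn check is a simple way to keep a scanner from flagging them, so that any Luhn-valid digit run found in an out-of-scope store is a genuine finding that needs follow-up.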
Our experts have already successfully supported several companies in implementing an outsourced tokenization solution, always with the focus on PCI DSS compliance. The following figure from a customer project illustrates how the number of relevant audit sessions changed before and after the implementation of the tokenization solution for this particular customer:

If the tokenization solution is outsourced, which requirements remain within your scope?
Even after the successful implementation of an outsourced tokenization solution, responsibility for certain activities to maintain PCI DSS compliance remains with the merchant.
The security of this outsourcing arrangement depends on the correct integration of the tokenization solution into the technical environment of the merchant or service provider. PCI DSS compliance must therefore continue to be maintained for the requirements that secure this interface.
Looking ahead, PCI compliance tasks will be shared between the merchant and the chosen tokenization service provider. While certain responsibilities remain with the merchant, the PCI DSS scope has been significantly reduced: some of the compliance requirements are now the responsibility of the TSP.

Important: Understand the risks of a tokenization solution
Tokenization is an evolving technology, and as with many evolving technologies, there are currently no industry standards for implementing secure tokenization solutions. If your company decides to use tokenization, each solution should be carefully evaluated prior to implementation to fully understand the potential impact on your cardholder data environment (CDE). This is because once you outsource the tokenization solution, you are not only transferring responsibility for the data to the tokenization solution provider, but also the security risk of protecting that data. We therefore recommend that you conduct an audit when selecting a TSP. One quality indicator, for example, is a recent PCI DSS certification.
Is tokenization also a relevant topic for you? Or do you need help preparing for or implementing PCI DSS in your company? Contact us; we are happy to support you.