PCI Council issues tokenization guidance

By Angela Moscaritolo
Aug 16 2011 11:10AM

Replacing sensitive data with tokens doesn't ensure compliance.

The Payment Card Industry Council has warned merchants against assuming that 'tokenization' technology alone would ensure their compliance with the council's data security standard (PCI DSS).

The industry group released a 23-page document aimed at helping merchants evaluate how tokenization products align with PCI DSS.

Tokenization replaces primary account numbers (PANs) -- the 16-digit numbers found on the front of debit and credit cards -- with a token value.

It could reduce an attacker's ability to steal credit card information stored in databases, since stolen token information is useless on its own.

The council said mature, properly deployed tokenization solutions could simplify PCI DSS requirements, since they removed systems that no longer contain sensitive credit card numbers from its scope.

But the technology did not eliminate a merchant's need to validate compliance, the group warned.

“The misconception is that I can buy one of these [tokenization solutions] and be PCI compliant,” said Bob Russo, general manager of the PCI Security Standards Council. “That's not the case.

“For a token to be considered out of scope, it has to be unusable if it, or any system it resides on, is compromised. That's the bottom line.”

The Payment Card Industry Council's document did not impose any new requirements, but stated that merchants were ultimately responsible for validating the effectiveness of any tokenization implementation.

Before implementation, organizations should ensure the technology did not provide PAN values in response to any application, system, network or user outside of the merchant's cardholder data systems, the document stated.

In addition, all components of a tokenization solution should be located on secure internal networks and isolated from any untrusted network.

As best practice, PANs should not be stored in the same place as tokens, Russo said.

To meet PCI DSS requirements, a solution should enforce cryptography, access controls, logging, monitoring and alerting, as well as allow for the secure deletion of cardholder data.

“If it's layering security on, that's good,” Russo said. “If it's lulling you into a false sense of security, that's not good. You need to do the homework.”

Document a 'good first step'

Many qualified security assessors (QSAs) who validate merchants' compliance with the standard already accept tokenization as a compensating control to address PCI DSS requirements, said Adrian Lane, security analyst and CTO at advisory firm Securosis.

Tokenization was a “superior strategy” for securing credit card information and reducing PCI obligations, he added. Large merchants, for example, often housed credit card numbers on multiple systems, he said.

By using tokenization, organizations could replace sensitive credit card numbers with a token that could not be used for fraud, and the system housing the token need only undergo “minor” security screening.

“While it's not a surprise that PCI is embracing [tokenization], we are still a little surprised at how long it took them to do so,” he said.

Lane said he wished the PCI Council's document more clearly specified that so-called format-preserving encryption and hash-based tokens are not a suitable alternative to tokenization.

Such solutions did not remove a credit card number but encrypted it, he explained. Other tokenization solutions replaced credit card numbers with random values, so there was no way they could be cracked.
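To make the distinction above concrete, and to show the controls the document asks for (no PAN returned outside the cardholder data environment, access control, logging, secure deletion), here is a small in-memory tokenization vault. It is an added illustration, not code from the article, the PCI Council, Securosis or any vendor. Its design choices are assumptions: tokens are 16 digits, keep the PAN's last four for receipts, come from a CSPRNG, and deliberately fail the Luhn check so a token can never pass as a card number. The `hash_token` function is there for contrast: it is a deterministic function of the PAN, so anyone with the algorithm can recompute it from a candidate card number, which is why Lane does not regard hash-based tokens as equivalent to a random replacement. The test card number 4111111111111111 is a constructed value.

```python
# Added illustration, not code from the article, the PCI Council or any vendor.
# Toy tokenization vault: random tokens, detokenization restricted to authorised
# callers inside the cardholder data environment (CDE), an audit log that never
# records a PAN, and deletion of cardholder data on request.
import hashlib
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the check digit scheme used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hash_token(pan: str) -> str:
    """A hash-based 'token' for contrast: deterministic in the PAN, so it can be
    recomputed from a candidate card number and still depends on the PAN."""
    return hashlib.sha256(pan.encode("ascii")).hexdigest()


class TokenVault:
    """Assumed design (not the Council's): 16-digit tokens that keep the last
    four PAN digits, are drawn from a CSPRNG and never satisfy Luhn."""

    def __init__(self, authorised_callers):
        self._pan_by_token: dict[str, str] = {}   # in production: encrypted at rest
        self._token_by_pan: dict[str, str] = {}   # same PAN -> same token
        self._authorised = frozenset(authorised_callers)
        self.audit_log: list[tuple[str, str, str, str]] = []

    def _log(self, action: str, caller: str, token: str, outcome: str) -> None:
        # Record the token, never the PAN, so the log can leave the CDE safely.
        self.audit_log.append((action, caller, token, outcome))

    def _new_token(self, pan: str) -> str:
        while True:  # ~90% of random digit strings fail Luhn, so this ends quickly
            token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str, caller: str) -> str:
        """Any caller may tokenize; a token carries no recoverable PAN information."""
        if len(pan) != 16 or not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            token = self._new_token(pan)
            self._pan_by_token[token] = pan
            self._token_by_pan[pan] = token
        self._log("tokenize", caller, token, "ok")
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Only callers inside the CDE allow-list ever receive a PAN."""
        if caller not in self._authorised:
            self._log("detokenize", caller, token, "denied")
            raise PermissionError(f"{caller} may not receive PANs")
        pan = self._pan_by_token.get(token)
        if pan is None:
            self._log("detokenize", caller, token, "unknown")
            raise KeyError("unknown token")
        self._log("detokenize", caller, token, "ok")
        return pan

    def delete(self, token: str, caller: str) -> bool:
        """Secure deletion of cardholder data: the mapping is removed, so the
        token becomes permanently unusable. Returns True if something was deleted."""
        if caller not in self._authorised:
            self._log("delete", caller, token, "denied")
            raise PermissionError(f"{caller} may not delete cardholder data")
        pan = self._pan_by_token.pop(token, None)
        if pan is not None:
            del self._token_by_pan[pan]
        self._log("delete", caller, token, "ok" if pan is not None else "unknown")
        return pan is not None


if __name__ == "__main__":
    vault = TokenVault(authorised_callers={"payment-gateway"})
    tok = vault.tokenize("4111111111111111", caller="web-checkout")  # constructed test PAN
    print("token:", tok, "luhn_valid:", luhn_valid(tok))
    print("gateway sees:", vault.detokenize(tok, "payment-gateway"))
    try:
        vault.detokenize(tok, "analytics-db")
    except PermissionError as err:
        print("denied:", err)
```

The point Russo makes about scope follows from the `detokenize` allow-list: a system that holds only tokens and is not on that list can be compromised without yielding a PAN, which is the condition under which the guidance lets it fall outside PCI DSS scope. The audit log is what lets a QSA verify that.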

Meanwhile, Sue Zloth, product group manager at payment data security provider Merchant Link, a member of the PCI Council's tokenization task force, said she believed the document was a good first step, though it may lead to some confusion and deter adoption.

Zloth took issue with a section that discussed the need to evaluate whether a token itself could be used – in lieu of cardholder data – to perform a transaction.

The document stated that so-called “high-value tokens,” which can be used as a form of payment, could be monetized by an attacker or used to generate fraudulent transactions.

The council introduced a valid concern, that certain tokens could be valuable to attackers, but "fell down" by failing to describe how a tokenization system could adequately protect tokens from being fraudulently used, Zloth said.

“A properly implemented system will know who is sending transactions and will not allow anyone to send transactions with a token,” she added.

Visa, in June, issued a four-page document offering best practices for deploying the technology.

Meanwhile, the PCI Council also previously released guidance papers on virtualization, point-to-point encryption and EMV, a global standard for authenticating credit and debit card payments.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition