The Green Sheet

Wednesday, March 28, 2012

Consultancy faults PCI tokenization guidance

According to a webinar conducted by research firm Securosis LLC, the PCI Security Standards Council's (PCI SSC's) tokenization guidelines lack exactly that – guidance. In the webinar, Adrian Lane, Senior Security Strategist at Securosis, criticized the council's supplement as offering broad generalizations rather than practical advice on how to implement tokenization as a data security solution.

Lane said the problem with the PCI SSC's tokenization guidelines is that "the supplement is sorely lacking in actual guidance." He faults the supplement for not providing actionable advice on how to maximize Payment Card Industry (PCI) Data Security Standard (DSS) scope reduction using tokenization.

PCI scope reduction refers to how businesses can design their networks and deploy data security controls so that fewer systems fall under the PCI DSS, reducing the effort and resources they must spend meeting the compliance obligations mandated by the PCI SSC.

According to Lane, Securosis research shows tokenization offers better security, lower risk for merchant fraud and, potentially, significant compliance cost reduction. When properly installed, tokenization should eliminate as much as 50 percent of merchants' PCI DSS compliance costs, he said.

Taking issue with PCI SSC

In the webinar, sponsored by Liaison Technologies Inc. and entitled What the PCI Task Force Didn't Say, Lane listed "significant gaps" in the PCI SSC's tokenization guidelines, including a failure to:

  • Define how tokenization simplifies compliance
  • Discuss the potential for improved security through tokenization
  • Demonstrate how tokenization reduces PCI scope
  • Provide a method for reducing PCI scope
  • Set forth tokenization testing procedures for merchants

Lane said encryption alone may not be enough to keep a POS system out of PCI scope if the system that encrypts the data also holds the key needed to decrypt it. "That's where you run into trouble," he said, because the decryption key brings the system back into PCI scope. Tokenization, by contrast, leaves far less need for data to ever be detokenized, which in turn lessens businesses' exposure to PCI scope, he said.
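To make the distinction Lane draws concrete, here is an added illustration (example code written for this page, not from the article, Securosis or any vendor): a POS that encrypts card numbers but keeps its own key can still recover every PAN, whereas a POS that only holds vault-issued tokens cannot, because the token is random and the mapping lives elsewhere. The vault, the two POS classes and the role check on detokenization are all assumptions of this example; the card numbers are standard test numbers, and the XOR "cipher" is a toy used only to show that whoever holds the key can reverse the encryption.

```python
import hashlib
import secrets

# Constructed sample PANs: standard test numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5105105105105100"]


def luhn_valid(number: str) -> bool:
    """Luhn check. Real PANs pass it; tokens below are generated to fail it,
    so a stored token can never be mistaken for (or used as) a card number."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: random tokens mapped to PANs. It runs in the
    tokenization provider's environment, which stays in PCI scope; the
    merchant POS never holds the map."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]  # repeat card -> same token
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four for receipts and lookups
            # Token must be unique and must not be a Luhn-valid number.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the settlement process may recover a PAN; the POS never calls this.
        if caller != "settlement":
            raise PermissionError(f"{caller} may not detokenize")
        return self._token_to_pan[token]


def toy_xor(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream (SHA-256 keystream). Not a real cipher; it only shows
    that the operation is trivially reversible for anyone holding `key`."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, stream))


class EncryptingPOS:
    """POS that encrypts PANs locally but keeps the key on the same box."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.records = []

    def sale(self, pan: str, amount: float) -> None:
        self.records.append({"pan_enc": toy_xor(self.key, pan.encode()), "amount": amount})

    def pan_recoverable_on_box(self) -> bool:
        # Whoever controls this system can decrypt every stored PAN: in scope.
        return all(luhn_valid(toy_xor(self.key, r["pan_enc"]).decode())
                   for r in self.records)


class TokenizingPOS:
    """POS that sends the PAN to the vault once and stores only the token."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.records = []

    def sale(self, pan: str, amount: float) -> None:
        self.records.append({"token": self.vault.tokenize(pan), "amount": amount})

    def pan_recoverable_on_box(self) -> bool:
        # No key and no mapping here: the stored values are not card numbers.
        return any(luhn_valid(r["token"]) for r in self.records)


if __name__ == "__main__":
    vault = TokenVault()
    enc, tok = EncryptingPOS(), TokenizingPOS(vault)
    for pan in SAMPLE_PANS:
        enc.sale(pan, 9.99)
        tok.sale(pan, 9.99)
    print("encrypting POS can recover PANs:", enc.pan_recoverable_on_box())
    print("tokenizing POS can recover PANs:", tok.pan_recoverable_on_box())
```

The design point is in `detokenize`: the vault, not the merchant system, decides who may turn a token back into a PAN, so a compromised POS yields only tokens and the last four digits.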

Securosis advises against using "some technologies and deployment models that, frankly, should not have been lumped into the supplement, because they don't simplify and reduce risks in the way any merchant should be looking for," Lane added.

Looking out for merchants

Lane admitted that Securosis' opinion on the PCI SSC's tokenization supplement will anger "many interested stakeholders." But he considers this result unavoidable.

"Our guidance is geared toward making the lives of merchants who buy tokenization solutions easier, rather than avoiding conflict with vendor products or PCI Council politics," Lane stated in a December 2011 white paper titled Tokenization Guidance: How to Reduce PCI Compliance Costs. "No technology vendor or payment provider ever endorses guidance that puts their product or service in a bad light, so not everyone will agree with our technology recommendations."

Lane believes merchants can use tokenization to reduce the PCI audit scope, but he found nothing in the PCI SSC's tokenization guidelines to support this. He pointed out that, according to said guidelines, "PCI DSS scope can never be reduced with tokenization," and that, rather than define what is out of scope, the PCI tokenization supplement "outlines many objectives to be met, apparently without regard for where the credit card vault resides or the types of tokens used."

The Tokenization Guidance: How to Reduce PCI Compliance Costs white paper can be accessed at www.liaison.com/docs/whitepapers/liaison---tokenization-guidance-whitepaper.pdf.
