The Green Sheet Online Edition
April 09, 2012 • Issue 12:04:01
Consultancy faults PCI tokenization guidance
According to a webinar conducted by research firm Securosis LLC, the PCI Security Standards Council's (PCI SSC's) tokenization guidelines lack exactly that - guidance. In the webinar, Adrian Lane, Senior Security Strategist at Securosis, criticized the council's supplement as offering broad generalizations rather than practical advice on how to implement tokenization as a data security solution.
Lane said the problem with the PCI SSC's tokenization guidelines is that "the supplement is sorely lacking in actual guidance." He faults the supplement for not providing actionable advice on how to maximize Payment Card Industry (PCI) Data Security Standard (DSS) scope reduction using tokenization. PCI scope reduction refers to how businesses can set up their networks and deploy data security solutions so that they spend less energy and fewer resources on fulfilling the security compliance obligations mandated by the PCI SSC.
According to Lane, Securosis research shows tokenization offers better security, lower risk for merchant fraud and, potentially, significant compliance cost reduction. When properly installed, tokenization should eliminate as much as 50 percent of merchants' PCI DSS compliance costs, he said.
Taking issue with the PCI SSC
In the webinar, sponsored by Liaison Technologies Inc. and entitled What the PCI Task Force Didn't Say, Lane listed "significant gaps" in the PCI SSC's tokenization guidelines, including a failure to:
- Define how tokenization simplifies compliance
- Discuss the potential for improved security through tokenization
- Demonstrate how tokenization reduces PCI scope
- Provide a method for reducing PCI scope
- Set forth tokenization testing procedures for merchants
Lane said encryption alone may not be enough to keep a POS system out of PCI scope if the data encryption system also holds the key for decrypting the data. "That's where you run into trouble," he said, because the decryption key brings the system back into PCI scope. Tokenization, by contrast, reduces the need for data to be detokenized, which in turn lessens businesses' exposure to PCI scope, he said. Securosis advises against using "some technologies and deployment models that, frankly, should not have been lumped into the supplement, because they don't simplify and reduce risks in the way any merchant should be looking for," Lane added.
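As an added illustration of the scope argument above, not code from the webinar, the Liaison white paper or the PCI SSC: a hypothetical Python token vault. The POS keeps only a random, format-preserving token that fails the Luhn check (a common practice, assumed here) and holds no key or mapping, so nothing stored on it can yield the PAN; only the vault can detokenize.

```python
import secrets
from typing import Dict, Optional

def luhn_valid(number: str) -> bool:
    """Luhn check that real PANs pass; tokens below are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical vault: the only place the token-to-PAN map exists. A POS that
    stores tokens holds neither a key nor the map, so it cannot recover the PAN."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        # Same card -> same token, so the merchant can match repeat
        # transactions on tokens without ever calling detokenize.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random middle digits (not derived from the PAN), last four kept
            # for receipts; reject anything that could pass as a real PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can do this; keep it rare and access-controlled."""
        return self._token_to_pan.get(token)

# Constructed sample: a standard test-range number, not a real card.
SAMPLE_PAN = "4111111111111111"

def pos_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What a tokenizing POS keeps after authorization: the token, never the PAN."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:]}
```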
Looking out for merchants
Lane admitted that Securosis' opinion on the PCI SSC's tokenization supplement will anger "many interested stakeholders." But he considers this result unavoidable. "Our guidance is geared toward making the lives of merchants who buy tokenization solutions easier, rather than avoiding conflict with vendor products or PCI Council politics," Lane stated in a December 2011 white paper titled Tokenization Guidance: How to Reduce PCI Compliance Costs. "No technology vendor or payment provider ever endorses guidance that puts their product or service in a bad light, so not everyone will agree with our technology recommendations."
Lane said that, according to the PCI SSC tokenization guidelines, "PCI DSS scope can never be reduced with tokenization," and that, rather than define what is out of scope, those guidelines outline "many objectives to be met, apparently without regard for where the credit card vault resides or the types of tokens used." The Tokenization Guidance: How to Reduce PCI Compliance Costs white paper can be accessed at www.liaison.com/docs/whitepapers/liaison---tokenization-guidance-whitepaper.pdf.