The Green Sheet Online Edition

April 09, 2012  •  Issue 12:04:01


Consultancy faults PCI tokenization guidance

According to a webinar conducted by research firm Securosis LLC, the PCI Security Standards Council's (PCI SSC's) tokenization guidelines lack exactly that - guidance. In the webinar, Adrian Lane, Senior Security Strategist at Securosis, criticized the council's supplement as offering broad generalizations rather than practical advice on how to implement tokenization as a data security solution.

Lane said the problem with the PCI SSC's tokenization guidelines is that "the supplement is sorely lacking in actual guidance." He faults the supplement for not providing actionable advice on how to maximize Payment Card Industry (PCI) Data Security Standard (DSS) scope reduction using tokenization. PCI scope reduction refers to how businesses can set up their networks and deploy data security solutions so as to decrease the energy and resources they must spend fulfilling the security compliance responsibilities mandated by the PCI SSC.

According to Lane, Securosis research shows tokenization offers better security, lower risk for merchant fraud and, potentially, significant compliance cost reduction. When properly installed, tokenization should eliminate as much as 50 percent of merchants' PCI DSS compliance costs, he said.

Taking issue with the PCI SSC

In the webinar, sponsored by Liaison Technologies Inc. and entitled What the PCI Task Force Didn't Say, Lane listed "significant gaps" in the PCI SSC's tokenization guidelines, including a failure to:

Lane said encryption alone may not be enough to keep a POS system out of PCI scope if the system that encrypts the data also holds the key needed to decrypt it. "That's where you run into trouble," he said, because the presence of the decryption key brings the system back into PCI scope. Tokenization, by contrast, reduces the need for data to be detokenized at all, which lessens businesses' exposure to PCI scope, he said. Securosis advises against using "some technologies and deployment models that, frankly, should not have been lumped into the supplement, because they don't simplify and reduce risks in the way any merchant should be looking for," Lane added.
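The distinction Lane draws can be made concrete with a small model of the two deployment patterns. The following is an added illustration written for this article, not code from Securosis, Liaison Technologies or the PCI SSC: a token vault hands a POS component random tokens (last four digits preserved, deliberately failing the Luhn check so a token can never pass as a real card number, a common design choice rather than anything the supplement mandates), while a second POS component encrypts the PAN with a key it keeps locally. The `in_pci_scope` heuristic, the toy SHA-256 keystream cipher and the class names are all assumptions made for the example; the card number is the standard Visa test PAN.

```python
"""Token vault vs. local-key encryption: which component can still produce a PAN.

Added illustration for the Securosis/PCI SSC discussion; all names, the toy cipher
and the scope heuristic are constructed for this example.
"""
import hashlib
import secrets

DIGITS = "0123456789"


def luhn_ok(number: str) -> bool:
    """Luhn checksum; every real PAN passes it, our tokens are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The only component holding the PAN<->token mapping (and therefore in scope)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._by_pan:                 # same PAN -> same token (multi-use token)
            return self._by_pan[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]             # keep last four for receipts
            if token not in self._by_token and not luhn_ok(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


class TokenizedPos:
    """Receives only a tokenize() callable: it can request tokens but never detokenize."""

    def __init__(self, tokenize):
        self._tokenize = tokenize
        self.records = []                       # (reference, amount_cents)

    def capture(self, pan: str, amount_cents: int) -> str:
        token = self._tokenize(pan)
        self.records.append((token, amount_cents))
        return token

    def recover_pan(self, reference: str) -> str:
        raise PermissionError("POS holds tokens only; no detokenization capability")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream) for illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptingPos:
    """Encrypts the PAN but keeps the key beside the ciphertext, so it can decrypt."""

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def capture(self, pan: str, amount_cents: int) -> bytes:
        nonce = secrets.token_bytes(8)          # fresh keystream per record
        blob = nonce + _keystream_xor(self._key + nonce, pan.encode())
        self.records.append((blob, amount_cents))
        return blob

    def recover_pan(self, reference: bytes) -> str:
        nonce, ciphertext = reference[:8], reference[8:]
        return _keystream_xor(self._key + nonce, ciphertext).decode()


def in_pci_scope(component) -> bool:
    """Heuristic: a component that can turn its stored references back into a
    Luhn-valid PAN holds cardholder data and stays in scope."""
    for reference, _amount in component.records:
        try:
            if luhn_ok(component.recover_pan(reference)):
                return True
        except PermissionError:
            continue
    return False


if __name__ == "__main__":
    vault = TokenVault()
    pos = TokenizedPos(tokenize=vault.tokenize)
    token = pos.capture("4111111111111111", 1999)
    print("token on POS:", token, "luhn:", luhn_ok(token), "in scope:", in_pci_scope(pos))
    enc = EncryptingPos(key=b"constructed-demo-key")
    enc.capture("4111111111111111", 1999)
    print("encrypting POS in scope:", in_pci_scope(enc))
```

The point of the model is where the reversal capability lives: the tokenized POS stores something that looks like a card number but cannot be mapped back without the vault, whereas the encrypting POS can always reproduce the PAN because key and ciphertext sit on the same system, which is exactly the case Lane says drags a POS back into scope.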

Looking out for merchants

Lane admitted that Securosis' opinion on the PCI SSC's tokenization supplement will anger "many interested stakeholders." But he considers this result unavoidable. "Our guidance is geared toward making the lives of merchants who buy tokenization solutions easier, rather than avoiding conflict with vendor products or PCI Council politics," Lane stated in a December 2011 white paper titled Tokenization Guidance: How to Reduce PCI Compliance Costs. "No technology vendor or payment provider ever endorses guidance that puts their product or service in a bad light, so not everyone will agree with our technology recommendations."

Lane said that, according to the PCI SSC tokenization guidelines, "PCI DSS scope can never be reduced with tokenization," and that, rather than define what is out of scope, those guidelines outline "many objectives to be met, apparently without regard for where the credit card vault resides or the types of tokens used." The Tokenization Guidance: How to Reduce PCI Compliance Costs white paper can be accessed at
