Jul 14 2010

Truncation and Tokenization guidance from the PCI Council

If you’ve been thinking about using tokenization or truncation to limit the scope of your PCI environment, you need to take a few minutes to read the two documents Visa just released, Visa Best Practices: Tokenization and Visa Best Practices for Primary Account Number Storage and Truncation. Neither of these documents is more than four pages long, so they only take a few minutes to read, but they give you a good starting place for asking questions about both of these market spaces. There’s nothing exciting or unexpected in either of them, and you’ll need to do a lot more research to understand the more complex elements of both solutions, especially as they relate to your specific environment.

If you’re part of a merchant organization or somehow dealing with credit card numbers and you’re not considering tokenization or truncation, why not?  Is it lack of time, lack of resources, lack of management backing or something else?  Have these technologies simply not risen to the level where you felt the need to take them seriously?  I’m curious as to why you might not be looking at a technology that could limit the amount of sensitive information on your network.  I’ve talked to a number of merchants over the last year and there’s been plenty of interest in the ideas of tokenization and truncation, but I’ve only seen a few merchants actually making a move towards implementation.

I hope the next guidance we’ll see comes from the PCI Council, giving instructions on how both of these technologies can be used to reduce the scope of a PCI assessment. What can you take out of scope? What common mistakes might bring systems back into scope? What should we be looking for in an implementation? These are still relatively new technologies, and the implementations differ enough from one another that greater direction and care are going to be needed in their assessment and validation. Some of this is laid out in the Visa documents, but I think we need to look for more specific guidance from the Council.
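To make the two techniques concrete, here is an added example of my own; it is not code from the Visa papers, the PCI Council or any vendor. It assumes the first-six/last-four retention pattern for truncation and a vault-based token that is random (so it has no mathematical relationship to the PAN), keeps the PAN's length and last four digits for downstream systems, and is deliberately chosen to fail the Luhn check so it can never be confused with a real account number. The sample PANs are constructed test-card style values, not real accounts.

```python
import re
import secrets

# Constructed sample PANs (test-card style numbers, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]

PAN_PATTERN = re.compile(r"\d{13,19}")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: retain at most the first six and last four digits, discard the rest.

    The dropped digits are gone for good, so a truncated value on its own cannot be
    turned back into a full PAN. 'X' marks each discarded position.
    """
    if not PAN_PATTERN.fullmatch(pan):
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Vault-based tokenization (assumed design for this example).

    The token is generated at random, so nothing about it can be derived from or
    reversed to the PAN without the vault's mapping table. Only the vault therefore
    needs the full protections of the cardholder data environment; systems that
    hold nothing but tokens hold no cardholder data. A token that was instead
    computed from the PAN (a hash, or the PAN encrypted under a key the
    application also holds) would carry the PAN with it and drag those systems
    back into scope, which is the trap the example avoids.
    """

    def __init__(self):
        self._pan_by_token = {}   # token -> PAN (the sensitive side, vault only)
        self._token_by_pan = {}   # PAN -> token, so a PAN always maps to one token

    def tokenize(self, pan: str) -> str:
        """Return a stable, random, Luhn-failing token that keeps the last four digits."""
        if not PAN_PATTERN.fullmatch(pan) or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject candidates that look like a valid card number or are already in use.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token; no other system on the network can."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        token = vault.tokenize(pan)
        print(f"PAN {pan}: truncated {truncate_pan(pan)}, token {token}")
```

The stable PAN-to-token mapping is what lets a merchant keep doing repeat-customer or chargeback matching on tokens alone; the Luhn-failing requirement is a small design choice that keeps a token from ever colliding with, or being mistaken for, a live account number in a downstream system.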

