Oct 04 2010
I make no bones about it, I’m a very big fan of the concept of tokenizing credit card numbers as early in the merchant stream as possible. For some merchants this will mean that they are replacing their credit cards with random tokens in their back end servers, using the token internally, but still storing the credit card in a heavily defended server somewhere in the data center. For other merchants tokenization will mean encrypting the data at the PIN pad, sending it to their acquiring bank and receiving a token to use in place of the credit card number within their own systems and thereby taking most of the merchant’s systems out of scope for a PCI assessment.
These sound like, and are, both worthy uses of tokenization, there’s a lot of confusion about the difference between these two extremes of the technology and especially about how these differences can affect your implementation and scope! Which is why I’m glad to see an article like Walter Conway’s, “Playing Token Trick or Treat“. As much as many people would like to see a straight forward review of specific products that allow for tokenization, this is still to much of a nascent technology for reviews to be realistic or useful. Anyone who implements a tokenization solution will be on the cutting edge, and in many cases will be beta testing technologies for the manufacturers. It’s early enough in the process that by being involved in a tokenization project, you can actually have a large influence on the products we see over the next few years. Which is exactly why it’s so very important to know exactly which questions to ask when evaluating and implementing a tokenization solution.
Walt’s first question is probably the most important of them all, “Have you found all your cardholder data?” Even if you’re not assessing a tokenization solution, this is an important question to be asking yourself on a regular basis. And once you’ve asked it, go back and ask again. And again. And again. Until you’ve asked half a dozen or more times and continue to ask every few months, you won’t have any level of certainty that you’ve found it all. Even then, it’s possible you’ll develop a leak somewhere and cardholder will pollute portions of you’re network that were never intended to hold or secure cardholder data.
Walt has a good number of other questions you should be asking if you’re assessing, or just curious about, a tokenization solution. Make sure you understand the possibilities and the pitfalls of any solution before you make the leap of faith required to implement such a young technology.
Update 10/11/10: Here’s the second article on tokenization and some of the questions to ask, “If your token vendor goes bankrupt, what happens to your data?”