In addition to meeting PCI DSS Requirement 3.4 (render PAN unreadable), data tokenization is used in many organizations to reduce the size and scope of the cardholder data environment (CDE).
Stored tokens are not cardholder data, and therefore the associated databases (and all other systems securing or connected to the database) are out of scope for PCI compliance. However, the other system(s) transmitting the full PAN to the payment gateway are still in scope. This is a common misconception amongst organizations working with tokenization solution providers.
The most common implementation of data tokenization is for e-commerce transactions. Customers enter their full PAN for payment processing. The web/application server hosting that web page transmits the full PAN and is therefore in scope for PCI compliance. When engaging with tokenization solution providers, merchants should ensure the solution is capable of transparent redirect.
In short, with transparent redirect the payment acceptance fields are not owned by the merchant’s web server but by the payment gateway. The web server has no access to those fields and can therefore be removed from scope. The payment gateway owns the cardholder data throughout the entire payment process.
As well as reducing the scope of their cardholder data environment, merchants for whom e-commerce is the only card acceptance channel and who are eligible for a Self-Assessment Questionnaire (SAQ) may be able to submit SAQ Type C (42 questions) instead of SAQ Type D (201 questions).
With data tokenization, merchants can reduce the scope of their e-commerce environment. With transparent redirect, they can potentially remove it completely.
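As an added illustration (not part of the original article or any provider's product), the Python below models the two data flows described above: a merchant-hosted payment form that forwards the PAN to the gateway, and a transparent redirect where gateway-owned fields send the PAN straight from the browser. Component names, the token format and the order-store guard are constructed for the example; the scope check simply lists which merchant-controlled components transmitted the full PAN.

```python
import secrets

def luhn_ok(digits):
    """Luhn check, used here to recognise a full PAN that should never reach an out-of-scope system."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def looks_like_pan(value):
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_ok(value)

class Gateway:
    """Constructed stand-in for the tokenization provider. The vault (token -> PAN)
    lives only here; the token is random, so it cannot be reversed without the vault."""
    def __init__(self):
        self.vault = {}

    def tokenize(self, pan, pan_flow, submitted_by):
        pan_flow.extend([submitted_by, "payment-gateway"])      # record who transmitted the PAN
        token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]   # last four digits kept for receipts
        self.vault[token] = pan
        return token

def merchant_store_order(token):
    """Merchant order database: out of scope only if it never receives a PAN, so reject one."""
    if looks_like_pan(token):
        raise ValueError("full PAN reached the order store; this system is now in scope")
    return token

def merchant_hosted_form(gateway, pan, pan_flow):
    """Pattern 1: the browser posts the PAN to the merchant web server, which forwards it."""
    pan_flow.append("customer-browser")
    return gateway.tokenize(pan, pan_flow, submitted_by="merchant-web-server")

def transparent_redirect(gateway, pan, pan_flow):
    """Pattern 2: gateway-owned payment fields post the PAN from the browser to the gateway."""
    pan_flow.append("customer-browser")
    return gateway.tokenize(pan, pan_flow, submitted_by="customer-browser")

def cde_scope(pan_flow):
    """Merchant-controlled components that transmitted the PAN (the browser and gateway are not the merchant's)."""
    return sorted(set(pan_flow) - {"customer-browser", "payment-gateway"})

def run(pattern):
    flow = []
    token = pattern(Gateway(), "4111111111111111", flow)   # constructed test PAN (passes Luhn)
    merchant_store_order(token)
    return token, cde_scope(flow)
```

Running `run(merchant_hosted_form)` lists the merchant web server in scope, while `run(transparent_redirect)` lists no merchant component at all.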
Kristine Olson, PCI QSA
Consultant, PCI Compliance Services