The PCI Security Standards Council has released a new Information Supplement, titled “PCI DSS Tokenization Guidelines” that provides additional clarifications regarding the use of tokenization technologies and services to reduce the scope of PCI compliance.

The full document is available here.
The document includes guidance and clarifications for those considering tokenization, including the following:

  • Detailed descriptions of tokenization approaches and related components
  • Roles and responsibilities of Merchants vs. Tokenization Service Providers
  • PCI DSS Scoping considerations when using tokenization

Like the other Supplemental Guidance documents before this one, this guidance is meant to support and clarify the requirements that are already part of the DSS. The PCI Council clearly points out that the information “does not replace or supersede the requirements in the PCI Data Security Standard”.

Those with a strong grasp of the DSS, security best practices, and data tokenization concepts will probably find that this document does more to confirm current assumptions than to provide new insights. These documents seem aimed more at readers without a strong understanding of the DSS or of how tokenization works, to help them avoid implementing a solution that does not achieve the desired objectives for PCI scope reduction and/or risk reduction.

For any organization currently planning or considering tokenization, this document is a must-read, if for no other reason than to be able to ask the right questions of your tokenization vendor and confirm you’re getting sound guidance.

Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services

HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on reasonable security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.