The PCI Security Standards Council has released a new Information Supplement, titled “PCI DSS Tokenization Guidelines” that provides additional clarifications regarding the use of tokenization technologies and services to reduce the scope of PCI compliance.
The full document is available here:
The document includes guidance and clarifications for those considering tokenization, including the following:
- Detailed descriptions of tokenization approaches and related components
- Roles and responsibilities of Merchants vs. Tokenization Service Providers
- PCI DSS Scoping considerations when using tokenization
Like the other Supplemental Guidance documents before this one, this guidance is meant to support and clarify the requirements that are already part of the DSS. The PCI Council clearly points out that the information “does not replace or supersede the requirements in the PCI Data Security Standard”.
Those with a strong grasp of the DSS, security best practices, and data tokenization concepts will probably find that this document does more to confirm current assumptions than to provide new insights or information. It seems that these documents are aimed more at those without a strong understanding of the DSS or how tokenization works, to help them avoid implementing a solution that does not achieve the desired objectives for PCI scope reduction and/or risk reduction.
For any organization currently planning or considering tokenization, this document is a must-read, if for no other reason than to ensure you can ask the right questions of your tokenization vendor to ensure you’re getting the right guidance.
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services