Data Tokenization Considerations
The trend in IT over the last decade has been towards outsourcing. In fact, Gartner (PCI Compliance Is Hard to Achieve but Worthwhile, May 4, 2007) states that outsourcing PCI data storage is a best practice. By moving cardholder data out of the less secure internal environment to a secure third party's infrastructure, the costs and difficulties of achieving and maintaining PCI compliance can be significantly reduced.
When considering possible approaches to PCI compliance, an organization must remember that being PCI compliant is not a one-time effort. Controls must be sustainable and able to ensure ongoing compliance with the broad requirements of the PCI DSS. Eliminating stored cardholder data from the environment can greatly increase the sustainability of the controls being implemented for PCI compliance.
What is Data Tokenization?
Data Tokenization was pioneered by Shift4 Corporation, which defines it as follows:
The concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In PCI context, tokens are used to reference cardholder data that is stored in a separate database, application or off-site secure facility.
This is a rapidly developing industry, so the companies providing these services are changing quickly, with new players coming into the market every month. Currently, some examples of Data Tokenization providers include:
- Shift4
- Braintree Payment Solutions
- Skipjack
- Chase Paymentech
- MerchantLink
- Merchant e-Solutions
- nuBridges
- Authorize.NET
- 3Delta Systems
- Paymetric
Each of these vendors has different solutions, capabilities and pricing models which will have to be explored at the proper time to determine the most appropriate solution for your organization.
What are the Benefits of Data Tokenization?
By implementing data tokenization, an organization can completely eliminate stored cardholder data from its environment. This may not eliminate PCI obligations, since cardholder data in transit through the environment also puts those systems in scope for PCI. However, without stored cardholder data, there are significant benefits because a number of challenging PCI requirements will become non-applicable.
For example, a Level 1, 2 or 3 merchant who is able to validate PCI compliance by means of a self-assessment questionnaire (SAQ) would have to use the Self-Assessment Questionnaire Type D if there is any stored cardholder data in the environment. The Type D questionnaire has 201 questions to address (essentially one for each requirement in the PCI DSS). On the other hand, if there is no stored cardholder data, the organization may be able to validate compliance by means of the Self-Assessment Questionnaire Type C, which contains only 42 questions. The 159 requirements not included in the Type C questionnaire include some challenging ones, such as all of the encryption key management requirements, secure application development requirements, file integrity monitoring, and many others.
How Does Data Tokenization Work?
There are a variety of approaches to data tokenization, but two are most common. In one case, cardholder data is sent to a third party where it is tokenized and stored securely in the third party’s secure data vault. In the other case, a data tokenization solution is deployed within the existing network and used to consolidate all stored cardholder data in one secure place. While the latter approach has the benefit of letting the organization maintain full control of all cardholder data, it also has some disadvantages: it would still require the more extensive Self-Assessment Questionnaire Type D for validation, since there would still be stored cardholder data within the environment.
In traditional e-commerce setups, cardholder data passes through the merchant's web server (and may be stored within the environment as well), which puts these systems in scope for PCI compliance.
Figure 2 – Data Tokenization Using a Third Party Service Provider:
Figure 3 – Data Tokenization Solution Deployed Internally:
Organizations should evaluate current business processes related to credit card acceptance and determine whether it is necessary to store cardholder data after the initial transaction (usually for credits and/or recurring transactions). If having such data after the initial transaction is not necessary, this data should simply not be stored in the first place. If the data is required, the organization should consider one of the above data tokenization approaches to reduce the costs and risks associated with having that stored cardholder data.
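The token-by-reference model described in this section can be sketched in a few lines. This is an added example, not code from the article or from any listed provider; TokenVault, merchant_checkout and stored_pans are hypothetical names, and the card number is the constructed, widely used test value 4111 1111 1111 1111.

```python
import re
import secrets
import string

def luhn_ok(pan: str) -> bool:
    """Luhn checksum over a string of digits."""
    digits = [int(c) for c in reversed(pan)]
    return (sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])) % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the third party's secure data vault."""

    def __init__(self):
        # Both maps live only inside the vault, never in the merchant environment.
        self._pan_by_token = {}
        self._token_by_pan = {}  # lets a returning card reuse its token

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random letters, not derived from the PAN: nothing to decrypt, and
            # no digits, so a token can never be mistaken for a card number.
            token = "tok_" + "".join(secrets.choice(string.ascii_letters) for _ in range(24))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def charge(self, token: str, amount_cents: int) -> dict:
        """Resolve the token inside the vault; the merchant never gets the PAN back."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # A real provider would submit the PAN for authorization here.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

def merchant_checkout(vault, pan, customer_db, customer_id):
    """Merchant side: hand the PAN to the vault, keep only the token."""
    customer_db[customer_id] = {"card_token": vault.tokenize(pan)}

def stored_pans(customer_db):
    """Return ids of merchant records holding a Luhn-valid 13-19 digit run."""
    return [cid for cid, rec in customer_db.items()
            if any(luhn_ok(m.group())
                   for value in rec.values()
                   for m in re.finditer(r"(?<!\d)\d{13,19}(?!\d)", str(value)))]

if __name__ == "__main__":
    vault, db = TokenVault(), {}
    merchant_checkout(vault, "4111 1111 1111 1111", db, "cust-1")  # constructed test PAN
    print(db, stored_pans(db), vault.charge(db["cust-1"]["card_token"], 1999))
```

The card number still passes through merchant_checkout in transit, which is why those systems stay in scope even though stored_pans finds nothing at rest.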
Jeremy Simon, PCI QSA, CISSP, CISA
Practice Lead, PCI Compliance Services