PCI Council issues PCI tokenization compliance guidance

PCI tokenization document mirrors the Visa Best Practices for Tokenization

Using tokenization technology to eliminate credit card data can reduce the scope of a Payment Card Industry Data Security Standard assessment, but merchants must be careful to avoid many pitfalls associated with the technology, according to a new report issued today by the PCI Security Standards Council.

The long-awaited PCI DSS Tokenization Guidelines outline how tokens can be used in merchant systems and ways to properly deploy the technology, which substitutes tokens in place of primary account numbers (PANs) to limit the movement of cardholder data in the environment. A properly deployed system in certain merchant environments can “potentially” reduce the merchant’s effort to implement PCI DSS requirements, according to the report.

The tokenization document mirrors the Visa Best Practices for Tokenization report, which was issued last summer. Tokens used within merchant analytical systems and payment applications may not need the same level of security protection.