Avivah Litan and I just published a research note “Using Tokenization to Reduce PCI Compliance Requirements.” Tokenization does not replace encryption, but in many scenarios it can help reduce the number of places that card data (or any other type of sensitive data) is stored – which is invariably a good thing.
However, tokenization is just about at the peak of a rapid hype cycle – it is not a panacea for PCI compliance, and it brings many challenges of its own, as we discuss in the note. We’ll soon publish a decision framework research note on the “buy vs. build” question for tokenization in the PCI context, with guidance on how to decide whether to outsource payment processing or implement your own encryption and tokenization solution.
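To make the "fewer places that store card data" point concrete, here is a small token vault written as an added example for this post (it is not code from the research note or from any product). A PAN enters the vault once and a surrogate token comes back out; downstream systems (order history, recurring billing, reporting) keep only the token, and the vault is the one place that still holds card data, encrypted. The token keeps the last four digits and is generated so that it fails the Luhn check, so it can never be mistaken for a live card number, and a repeat customer's PAN always maps to the same token. The "encryption" inside the vault is a stand-in (XOR with an HMAC-derived keystream) so the example runs on the Python standard library alone; a real vault would use an authenticated cipher such as AES-GCM with proper key management, and the sample order records and card number (a well-known Visa test number) are constructed for the demo.

```python
"""Token vault sketch (added example, not from the Gartner note or any vendor).

Only the vault stores card data; everything downstream stores tokens.  The
keystream cipher below is a standard-library stand-in for a real AEAD cipher.
"""
import hashlib
import hmac
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that card numbers pass (used both to validate input
    and to make sure generated tokens never look like a real PAN)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps surrogate tokens to encrypted PANs.  Assumed design, not a real product."""

    def __init__(self, master_key: bytes):
        # Separate sub-keys for the cipher and for the PAN lookup index.
        self._enc_key = hmac.new(master_key, b"encrypt", hashlib.sha256).digest()
        self._idx_key = hmac.new(master_key, b"index", hashlib.sha256).digest()
        self._by_token = {}   # token -> (nonce, ciphertext); the only place PANs live
        self._by_pan = {}     # HMAC(pan) -> token, so a repeat PAN yields the same token

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        """Stand-in keystream: HMAC-SHA256 in counter mode.  Swap for AES-GCM in practice."""
        out = b""
        counter = 0
        while len(out) < n:
            block = nonce + counter.to_bytes(4, "big")
            out += hmac.new(self._enc_key, block, hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # XOR is its own inverse, so this both encrypts and decrypts.
        return bytes(a ^ b for a, b in zip(data, self._keystream(nonce, len(data))))

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        pan_ref = hmac.new(self._idx_key, pan.encode(), hashlib.sha256).hexdigest()
        if pan_ref in self._by_pan:          # repeat customer: same PAN, same token
            return self._by_pan[pan_ref]
        while True:
            # Keep the last four digits (receipts, customer service), randomise the
            # rest, and reject any candidate that passes Luhn or is already issued.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        nonce = secrets.token_bytes(16)
        self._by_token[token] = (nonce, self._xor(nonce, pan.encode()))
        self._by_pan[pan_ref] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step calls this; raises KeyError for unknown tokens."""
        nonce, ciphertext = self._by_token[token]
        return self._xor(nonce, ciphertext).decode()


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_card_data(text: str) -> list:
    """Scope check for a downstream store: digit runs that pass Luhn count as card
    data.  Tokens from the vault never match because they fail Luhn by construction."""
    return [run for run in _DIGIT_RUN.findall(text) if luhn_valid(run)]


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"          # constructed: a well-known Visa test number
    token = vault.tokenize(test_pan)
    print("token:", token, "-> detokenizes to", vault.detokenize(token))
    print("PAN in order record:", find_card_data(f"order=42 card={test_pan}"))
    print("token in order record:", find_card_data(f"order=42 card={token}"))
```

Running it shows the order record that stores the raw PAN is flagged by the scope check while the record that stores only the token is clean, which is exactly the scope reduction the note describes; the vault itself, of course, stays fully in PCI scope.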

John Pescatore
1 response

Chuck Riegel, September 23, 2009 at 12:37 pm
Great brief – lots of confusion. Most payment gateways have had Token capabilities for some time. The Token really has an impact on certain types of transactions – Auth/Capture, repeat customers, recurring and subscriptions are the main transaction used where data needs to be stored somewhere for follow on activity. One issue is that the data from the POS is in the clear as the Token is created so encryption at the swipe is needed. Reduce cost of PCI – absolutely, protecting access to useable card data – only part of what is needed.