Avivah Litan and I just published a research note “Using Tokenization to Reduce PCI Compliance Requirements.” Tokenization does not replace encryption, but in many scenarios it can help reduce the number of places that card data (or any other type of sensitive data) is stored – which is invariably a good thing.
However, tokenization is just about at the peak of a rapid hype cycle – it is not a panacea for PCI compliance, and it brings on many unique challenges, as we go through in the note. We’ll be putting out a decision framework research note soon on the “buy vs. build” of tokenization in the PCI context, with guidance on how to think through whether to outsource payment processing or implement your own encryption and tokenization solution.