Gartner Blog Network

A Token Effort Might Be The Right Approach

by John Pescatore  |  August 12, 2009  |  1 Comment

Avivah Litan and I just published a research note “Using Tokenization to Reduce PCI Compliance Requirements.” Tokenization does not replace encryption, but in many scenarios it can help reduce the number of places that card data (or any other type of sensitive data) is stored – which is invariably a good thing.

However, tokenization is just about at the peak of a rapid hype cycle – it is not a panacea for PCI compliance, and it brings its own set of challenges, which we walk through in the note. We'll be publishing a decision-framework research note soon on the "buy vs. build" question for tokenization in the PCI context, with guidance on how to think through whether to outsource payment processing or implement your own encryption and tokenization solution.
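To make the "fewer places that store card data" point concrete, here is an added illustration that is not from the research note or from Gartner: a small Python token vault. The vault is the one component that ever sees a real PAN; everything downstream (order database, CRM, recurring-billing job) keeps only a 16-digit surrogate that preserves the last four digits but deliberately fails the Luhn check, so a leaked token can never be mistaken for a live card number. The vault class, the merchant-side walk-through, and the test card number are all constructed for this example. Note what the example does not do: the vault's own mapping is held in a plain dictionary, and in a real deployment that store must itself be encrypted and remains in PCI scope, which is exactly why tokenization reduces scope but does not replace encryption.

```python
import secrets
from typing import Dict


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault (constructed for this example).

    - tokenize(pan) returns a 16-digit surrogate that keeps the last four
      digits (receipts and customer service still work) and deliberately
      fails Luhn, so a token can never pass as a real card number.
    - The same PAN always yields the same token, so repeat-customer and
      recurring-billing logic can key on the token alone.
    - detokenize() is the only path that brings a PAN back; only the payment
      submission component should be allowed to call it.
    The dictionaries below stand in for the vault's database. In production
    that store is encrypted and stays inside PCI scope: tokenization shrinks
    the scope, it does not remove it.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._pan_to_token:          # repeat customer: reuse token
            return self._pan_to_token[pan]
        last4 = pan[-4:]
        while True:
            candidate = "".join(secrets.choice("0123456789") for _ in range(12)) + last4
            # Reject candidates that happen to pass Luhn or collide with a token in use
            if not luhn_valid(candidate) and candidate not in self._token_to_pan:
                break
        self._token_to_pan[candidate] = pan
        self._pan_to_token[pan] = candidate
        return candidate

    def detokenize(self, token: str) -> str:
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def merchant_checkout_demo() -> dict:
    """Constructed walk-through: the merchant keeps only tokens, the vault keeps the PAN."""
    vault = TokenVault()
    sample_pan = "4111111111111111"            # constructed test number, passes Luhn
    token = vault.tokenize(sample_pan)
    # This is all the merchant's order database ever holds for the card
    orders = {"order-1001": {"amount": 42.00, "card_token": token}}
    # Later recurring charge for the same customer: same token, no PAN needed downstream
    token_again = vault.tokenize("4111 1111 1111 1111")
    # Only the payment submission path detokenizes, right before sending to the processor
    pan_for_processor = vault.detokenize(orders["order-1001"]["card_token"])
    return {
        "token": token,
        "stable": token == token_again,
        "token_is_not_a_pan": not luhn_valid(token),
        "last4_preserved": token[-4:] == sample_pan[-4:],
        "merchant_db_has_pan": sample_pan in str(orders),
        "vault_returns_pan": pan_for_processor == sample_pan,
    }


if __name__ == "__main__":
    for key, value in merchant_checkout_demo().items():
        print(f"{key}: {value}")
```

The design choice worth noticing is the Luhn rejection loop: a token that fails the card-number checksum cannot be mistaken for a PAN by a fraudster or by a DLP scanner, while still fitting in any field sized for a card number. The flip side, which the example does not solve, is that the card data still exists in the clear at the point of capture before the vault sees it, so the swipe-to-vault path needs its own protection.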


John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

Thoughts on A Token Effort Might Be The Right Approach

  1. Chuck Riegel says:

    Great brief – lots of confusion. Most payment gateways have had Token capabilities for some time. The Token really has an impact on certain types of transactions – Auth/Capture, repeat customers, recurring and subscriptions are the main transaction types where data needs to be stored somewhere for follow-on activity. One issue is that the data from the POS is in the clear as the Token is created, so encryption at the swipe is needed. Reduce cost of PCI – absolutely; protecting access to usable card data – only part of what is needed.
