John Pescatore

A member of the Gartner Blog Network

John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems…

A Token Effort Might Be The Right Approach

by John Pescatore  |  August 12, 2009

Avivah Litan and I just published a research note “Using Tokenization to Reduce PCI Compliance Requirements.” Tokenization does not replace encryption, but in many scenarios it can help reduce the number of places that card data (or any other type of sensitive data) is stored – which is invariably a good thing.

However, tokenization is just about at the peak of a rapid hype cycle – it is not a panacea for PCI compliance, and it brings many unique challenges, as we discuss in the note. We’ll be putting out a decision framework research note soon on the “buy vs. build” of tokenization in the PCI context, with guidance on how to think through whether to outsource payment processing or implement your own encryption and tokenization solution.

1 response so far ↓

  • 1 Chuck Riegel   September 23, 2009 at 12:37 pm

    Great brief – lots of confusion. Most payment gateways have had Token capabilities for some time. The Token really has an impact on certain types of transactions – Auth/Capture, repeat customers, recurring and subscriptions are the main transactions used where data needs to be stored somewhere for follow on activity. One issue is that the data from the POS is in the clear as the Token is created so encryption at the swipe is needed. Reduce cost of PCI – absolutely, protecting access to useable card data – only part of what is needed.
