Visa Releases New Guidelines For Protecting Card Data

Visa has released guidelines on tokenization to help merchants and card processors better protect customer credit card data and potentially reduce the burden of complying with PCI rules. Tokenization transforms a credit card number into a random number that can be associated with the account number but can't be used for transactions. Merchants and retailers often have to store customer card data for functions such as customer refunds or voiding a purchase. By using tokens instead, merchants and retailers no longer have to store card data, reducing the risk of theft or exposure of their customers' account numbers.

The million dollar question is whether tokenization will make it easier to comply with the PCI Data Security Standards (PCI DSS). In theory it should, because the PCI rules only apply to networks and devices that store, process and transmit card account data. When properly implemented, tokens are not card data, so any system that uses tokens will likely fall outside the scope of the PCI rules. "A data warehouse that receives random tokens, and has no way to send tokens back across the firewall to redeem them as a credit card, that warehouse should be out of scope for an assessment," says Gary Palgon, vice president of product management at nuBridges, which sells encryption and tokenization software and services. Palgon is also a member of a scoping special interest group for the PCI Security Standards Council.

Of course, the PCI Security Standards Council will have the final say on whether and how tokenization will affect the scope of PCI. Bob Russo, general manager of the council, says it will release its own guidelines around tokenization after September of this year. Russo also notes that its guidelines will only be supplemental to PCI requirements, and not an official component of its standards. "A primary reason is that solutions such as tokenization minimize the value of data if compromised, whereas the PCI DSS standard is a set of criteria to protect cardholder data that has recognized value," says Russo.

In any case, tokenization can't happen overnight. Multiple parties, including merchants, the acquiring banks that accept card payments from merchants, and the card processors that manage the transactions between merchants and acquirers, all have to sign on to a tokenization system. There are also no industry standards around tokenization, including methods for generating tokens, which may make organizations reluctant to adopt a particular product. Of course, that hasn't stopped the market from moving forward. Several card processors offer tokenization, including Heartland Payment Systems, First Data and Merchant Warehouse. 

You can read Visa's guidelines on tokenization here. The guidelines are not yet official rules; the card brand is accepting feedback on its recommendations until August 31st. For more information on PCI and the potential impact of tokenization and other technologies, such as end to end encryption, check out a recent InformationWeek Analytics report here. Registration is required.