Tokenization – a panacea for credit card number security?

3 03 2012

by Pragati Mathur

The concept of tokenization has been around for a few years, but acceptance in the security community had been slow. Lately, with major incidents such as the 2011 breach of Sony's PlayStation Network, the concept has gained prominence, and many new vendors have entered the market with offerings in this space. The Payment Card Industry (PCI) Security Standards Council has finally published guidance on how to implement tokenization.

In August 2011 it published the Information Supplement: PCI DSS Tokenization Guidelines [1]. The guide outlines how to remain PCI DSS compliant while using a tokenization system in a cardholder data environment (CDE).

What is Tokenization?

Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a token [1]. Instead of storing sensitive cardholder data, systems store tokens. A token has no exploitable relationship to the PAN it stands for: it cannot be reversed into the PAN by anyone without authorised access to the tokenization system, so a stolen token does not by itself yield a card number.

Rather than relying on encryption alone to secure stored card data, replacing the PAN with a token removes the card number from the merchant's systems, so a breach of those systems exposes tokens rather than PANs. Merchants that accept credit cards then need far less sophisticated security around their own payment records, because they no longer store PANs in their CDE or processing systems. Only tokens are stored, and the tokens are used to complete transactions with the payment processing service provider, which is the only party able to map them back to PANs.

By implementing tokenization, the scope of a PCI DSS assessment can potentially be reduced. The council was clear in its guidelines about the limits of this. The key principles are [1]:

  • A tokenization solution does not eliminate the need to maintain and validate PCI DSS compliance.
  • The effectiveness of a tokenization implementation must be verified regularly.
  • Tokenization systems and processes must be protected with strong security controls and monitoring.
  • Before adopting a tokenization solution, a thorough evaluation and risk analysis should identify and document the unique characteristics of the particular implementation, including all interactions with payment card data and with the tokenization systems and processes.

How does tokenization work?

There are several ways of implementing tokenization. The PCI DSS Tokenization Guidelines Information Supplement describes the tokenization and de-tokenization processes as follows:

Tokenization Process (Source: PCI DSS Tokenization Guidelines Information Supplement)

  1. A requesting application passes a PAN along with authentication information to the tokenization system.
  2. The tokenization system verifies the authentication information. If verification succeeds, it proceeds to the next step; otherwise the tokenization process stops and the failed attempt is logged.
  3. The tokenization system generates a token associated with the PAN, and both the token and the PAN are recorded in the card data vault.
  4. The generated token is returned to the requesting application.

De-tokenization is essentially the reverse process.

De-Tokenization Process (Source: PCI DSS Tokenization Guidelines Information Supplement)

  1. The requesting application passes a token along with authentication information to the tokenization system.
  2. The tokenization system verifies the authentication information. If verification succeeds, it proceeds to the next step; otherwise the de-tokenization process fails and the failed attempt is logged.
  3. The tokenization system queries the card data vault for the record associated with the token and retrieves the PAN.
  4. The PAN retrieved from the card data vault is returned to the requesting application.

The card data vault is subject to strict PCI DSS requirements: it is the one place that holds the PANs, and it stores them encrypted. Some implementations split the PAN across multiple tokens held in separate, distributed vaults, so that no single vault contains a complete PAN and compromising one of them does not reveal the card number.
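The two four-step flows and the vault described above, as an added Python example that is not from the PCI supplement or from any tokenization vendor. It assumes a few things the guidelines leave open: callers are identified by a per-application shared secret (`APP_CREDENTIALS`, constructed for the example) and are authorised per operation, so the merchant application can tokenize but never de-tokenize; tokens are format-preserving (random leading digits, last four of the PAN kept) and deliberately fail the Luhn check so they can never be mistaken for a PAN; the same PAN is mapped to the same token through a keyed HMAC index; and PANs rest in the vault under a keystream cipher (HMAC-SHA256 in counter mode plus an HMAC tag) that stands in for the AEAD and HSM-held keys a real vault would use. Every request, allowed or denied, goes to an audit log, as step 2 requires.

```python
"""Tokenization/de-tokenization service modelled on the two four-step flows in
the PCI DSS Tokenization Guidelines. Added illustration, not vendor code."""
import hashlib
import hmac
import os
import secrets

# Constructed credentials: the merchant app may only tokenize; only the
# payment-processing gateway may de-tokenize (i.e. ever see a PAN again).
APP_CREDENTIALS = {
    "merchant-web": {"secret": b"merchant-secret", "ops": {"tokenize"}},
    "processor-gw": {"secret": b"processor-secret", "ops": {"tokenize", "detokenize"}},
}

class AuthError(Exception):
    """Step 2 failed: caller could not be verified or may not perform this operation."""

def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Vault:
    """Card data vault: PANs are stored only encrypted and integrity-protected.
    HMAC-SHA256 counter-mode keystream + HMAC tag stands in for a real AEAD."""

    def __init__(self):
        self._enc_key, self._mac_key, self._idx_key = (os.urandom(32) for _ in range(3))
        self._records, self._by_pan = {}, {}  # token -> (nonce, ct, tag); HMAC(PAN) -> token

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, ctr = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
            ctr += 1
        return out[:length]

    def _index(self, pan: str) -> bytes:
        return hmac.new(self._idx_key, pan.encode(), hashlib.sha256).digest()

    def store(self, token: str, pan: str) -> None:
        nonce, pt = os.urandom(16), pan.encode()
        ct = bytes(a ^ b for a, b in zip(pt, self._keystream(nonce, len(pt))))
        tag = hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()
        self._records[token] = (nonce, ct, tag)
        self._by_pan[self._index(pan)] = token

    def fetch(self, token: str) -> str:
        nonce, ct, tag = self._records[token]
        if not hmac.compare_digest(hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest(), tag):
            raise ValueError("vault record failed integrity check")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct)))).decode()

    def has_token(self, token: str) -> bool:
        return token in self._records

    def token_for(self, pan: str):
        return self._by_pan.get(self._index(pan))

class TokenizationService:
    def __init__(self, vault: Vault):
        self.vault = vault
        self.audit_log = []  # every request, allowed or denied, is recorded

    def _authenticate(self, app_id: str, secret: bytes, op: str) -> None:
        cred = APP_CREDENTIALS.get(app_id)
        ok = cred is not None and hmac.compare_digest(cred["secret"], secret) and op in cred["ops"]
        self.audit_log.append(f"{'ALLOW' if ok else 'DENY'} {op} app={app_id}")
        if not ok:
            raise AuthError(f"{app_id} is not authorised to {op}")

    def _new_token(self, pan: str) -> str:
        # Random leading digits, last four kept for receipts; retried until the value
        # fails Luhn (cannot pass as a PAN downstream) and is unused. Example design choice.
        while True:
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and not self.vault.has_token(token):
                return token

    def tokenize(self, app_id: str, secret: bytes, pan: str) -> str:
        self._authenticate(app_id, secret, "tokenize")             # steps 1-2
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        existing = self.vault.token_for(pan)                        # multi-use token
        if existing is not None:
            return existing
        token = self._new_token(pan)                                # step 3
        self.vault.store(token, pan)
        return token                                                # step 4

    def detokenize(self, app_id: str, secret: bytes, token: str) -> str:
        self._authenticate(app_id, secret, "detokenize")           # steps 1-2
        if not self.vault.has_token(token):
            raise KeyError("unknown token")
        return self.vault.fetch(token)                              # steps 3-4
```

To exercise it, construct `TokenizationService(Vault())`, call `tokenize("merchant-web", b"merchant-secret", "4111111111111111")` (a Luhn-valid test number) and keep only the returned token on the merchant side; `detokenize` with the merchant's credentials raises `AuthError` and leaves a `DENY` entry in `audit_log`, while the processor's credentials recover the PAN. The point worth noticing is that the merchant's authorisation never includes de-tokenization: if it did, the merchant would be able to retrieve PANs and would stay in full PCI DSS scope.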

Merchant Realm

Once tokenization is implemented by a merchant, the payment flow for the merchant becomes:

  • The merchant accepts credit and debit cards in the usual manner.
  • Cardholder data is securely transmitted to the PCI DSS compliant storage facility (the tokenization service provider's vault).
  • The storage facility creates a token and returns it to the merchant.
  • The token is stored at the merchant in place of the cardholder data.
  • Future payment transactions for the same customer are submitted by the merchant using the token in place of the cardholder data.

Tokenization simplifies merchant systems

The PCI DSS Tokenization Guidelines recommend that tokenization be used in conjunction with PCI DSS, not viewed as a replacement or alternative. While tokenization limits PCI DSS scope, security requirements remain, as the council outlines. If the merchant can still access the PAN after tokenization, for any reason, the full PCI DSS requirements continue to apply to the systems that can do so.

Because PANs are no longer stored in merchant systems, many PCI DSS controls no longer apply to those systems, and the strict processes and procedures around them can be relaxed. This reduces system configuration and network segmentation requirements and the associated overhead, so implementing tokenization simplifies merchant systems, and PCI DSS compliance becomes much easier to achieve. The caveat above still holds: any merchant system that can request de-tokenization, or that handles the PAN before it is tokenized, stays in scope.

Current Technologies and Products

Tokenization vendors are still few. Protegrity, Wirecard AG, Shift4's 4Go SafeSwipe, EPX's BuyerWall and Merchant Link's TransactionVault are the major products. Several payment processing services also offer tokenization as a software-as-a-service offering.

Why tokenization is not widely adopted

According to Randy Carr, Vice President of Shift4 [2], tokenization reduces the merchant's dependence on firewalls, intrusion detection systems and encryption, and this has caused resistance in the industry. Moreover, credit card companies generate revenue from the security fees they charge merchants, and securing card data via tokenization would put that revenue in jeopardy.


Tokenization reduces the scope of a merchant's cardholder data environment (CDE) by offloading storage of the card number to a payment processing facility. This relaxes PCI DSS restrictions on the merchant, simplifies merchant systems and makes PCI DSS compliance easier to achieve. It also helps new businesses to accept and process credit cards. Tokenization concentrates the card numbers in the payment provider's vault, which reduces the number of places they can leak from, but that vault then becomes a high-value target that must be protected with correspondingly strong controls.

If implemented correctly, tokenization comes close to a panacea for the business. But before adopting the technology, a business should carry out the thorough evaluation and risk analysis that the council calls for.


1. PCI Security Standards Council, Scoping SIG, Tokenization Taskforce. Information Supplement: PCI DSS Tokenization Guidelines, August 2011.
2. Jay MacDonald. 'Tokenization' touted to increase credit card data security.


When can you Trust an online transaction?

1 10 2011

by Fahad Alkhowaiter

Is your credit card information stored with other companies like Apple or Zipcar? Can you trust them with your information? A big, reputable company like Sony failed to protect its customers' credit card information; what prevents other companies from failing in the same way? In fact, how should companies prove to their customers that they are trustworthy enough to hold their information securely? How can those companies communicate this in an easily understandable manner to the average internet user? And do companies need to store credit card information at all? If they do, for how long can they legally keep it?

Nowadays, people just input their credit card information to get goods or services online. After that, they are unaware of what happens to it. Personally, I want to know if my information is protected, because whoever gets this information can steal my money easily. The solution is for all companies dealing with credit cards to adopt the PCI (Payment Card Industry) standard. Currently PCI is used, but not in a mature way.

Before I explain how the PCI standard can be used for this purpose, I want to give a brief overview of PCI. There are different PCI compliance levels and validation types depending on transaction volume and on how credit cards are handled. For example, companies that process and store credit card information themselves face a long list of security requirements. On the other hand, companies that use the card only for a single purchase and do not store card information, or that use a third party (like PayPal) to process payments for them, have less strict requirements.

Whenever I shop on the internet, I rarely see "PCI Compliant" displayed by companies providing online payment. The average user should know whether the company processing his or her critical information is PCI compliant, whether it is a big reputable company or a small unknown business. In the future, the average internet user should know what the PCI standard is.

Currently, the PCI body provides a list of companies that can "assess" whether you are PCI compliant. We need a more formal way to "certify" rather than "assess". That way, customers can be more assured and companies will be under more pressure to adopt security.

In addition, each company needs to display its PCI category to customers so they know what level of clearance that company has. So if a certain company has PCI clearance only to process payments through a third party, it should state that level of clearance. This should be displayed in very simple language understandable to the average internet user, so that consumers know what they are getting themselves into before providing their data.

I also want to shed light on the retention period of credit card information. The retention period should be clearly stated at the time of payment, and card information should be kept only as long as it is needed. No company should hold credit card information for more than a year without prompting the user and requesting his or her permission. In this way, we guarantee that no company holds credit card information it does not need. For example, one report clearly states that Sony lost credit card data dating from 2007! Why would Sony keep such information for this long? Sony should be sued for this.

In order to improve security for online shoppers, PCI needs a more formal footing, with a certification body that conducts periodic audits. In addition, PCI should provide a portal where the average user can look up the PCI clearance level of any company he or she deals with. Finally, the PCI standard should require companies to explain their handling of credit card information briefly and clearly during payment, not embedded in a long list of terms and conditions. An example of such information is: "We will store your credit card information securely for three months to make sure we process your transaction properly. After that it will be deleted permanently."