The Coalfire Blog

Welcome to the Coalfire Blog, a resource covering the most important issues in IT security and compliance. You'll also find information on Coalfire's insights into the unique cybersecurity issues that impact the industries we serve, including Cloud Service Providers, RetailFinancial Services, Healthcare, Higher Education, Payments, Government, Restaurants, and Utilities.

The Coalfire blog is written by the company's leadership team and our highly-credentialed security assessment experts. We look forward to your comments, so please join the conversation.

The Coalfire Blog

New Guidelines Address PCI DSS Tokenization

August 19, 2011, Bruce DeYoung,

Bruce DeYoung

“Tokenization” is one of the best techniques to reduce the risk of credit card data loss. Basically, it is the process of substituting sensitive data with other values not considered sensitive. By doing this, tokenization technology essentially removes anything of value from the data stream, and, after all, what is not there cannot get stolen. This technique can be used with sensitive data of all kinds including financial transactions and medical records.

For the past several months I have been participating in the PCI Tokenization Task Force with a goal to create a guidance document for both merchants and payment application providers, and the result — the PCI DSS Tokenization Guidelines –are now available.

There are a number of companies offering tokenization solutions in the market. The PCI DSS Tokenization Guidelines will be helpful to merchants who are considering implementing tokenization in researching their solution options. That being said, standards and guidance documents by their nature are sometimes difficult to understand. I would encourage everyone to read this document in the context of their own business and within an appropriate-scaled control program and, if necessary, to consult with a tokenization consultant.

Since the inception of the PCI SCC, Coalfire has been a credentialed QSA and PA-QSA firm. In fact, being one of the top firms in both categories, we spend a great deal of time interacting with the council to more clearly understand the standards and guidance which they issue.

At Coalfire, we have participated in the Tokenization-focused groups with PCI SSC and have evaluated a number of vendor tokenization solutions. We understand that this information can be complex and we are here to help customers understand the information security topics and make the right compliance and risk management decisions for their business.

If you have any questions on the new guidelines, I hope you will post them below.

<< Go Back

Blog post currently doesn't have any comments.

Post Topics