I just returned from the PCI Security Standards Council Community Meeting.  It was great to spend a couple of days talking tech and trends with other security experts.

The hottest trend this year in the payment security industry is “tokenization”.   This technology lifts credit card numbers out of data sets and replaces them in place with unique one-way tokens (e.g., “234cew23”).  The original credit card numbers are stored in a “secure token vault” and may only be retrieved by authorized people and processes who present another set of credentials (preferably two-factor credentials).
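To make the mechanism concrete, here is an added example (not code from the post or from any vendor) of a minimal token vault: tokens come from a CSPRNG rather than from the card number, each card number gets one unique token, and detokenization requires a second credential.  The sample card number and the credential are constructed placeholders.

```python
import secrets
import string

# Constructed sample values for the demo; not real card data or credentials.
SAMPLE_PAN = "4111111111111111"          # well-known test card number
VAULT_CREDENTIAL = "vault-operator-demo"  # hypothetical second credential
TOKEN_ALPHABET = string.ascii_lowercase + string.digits


class TokenVault:
    """Minimal 'secure token vault': maps random tokens to original PANs.

    Tokens come from a CSPRNG and are not derived from the PAN, so a token
    on its own carries no information about the card number (one-way).
    """

    def __init__(self, authorized_credentials, token_length=8):
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._authorized = set(authorized_credentials)
        self._token_length = token_length

    def tokenize(self, pan):
        """Return the unique token for this PAN, minting one on first sight."""
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(self._token_length))
            if token not in self._token_to_pan:   # guarantee tokens are unique
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token, credential):
        """Retrieve the PAN; only a caller presenting an authorized credential may."""
        if credential not in self._authorized:
            raise PermissionError("detokenization requires an authorized credential")
        return self._token_to_pan[token]


def tokenize_record(record, vault, field="card_number"):
    """Lift the PAN out of one data record and replace it with its token.
    Other fields (name, expiration date, ...) are left as they are."""
    scrubbed = dict(record)
    scrubbed[field] = vault.tokenize(record[field])
    return scrubbed
```

After `tokenize_record` runs, the record can be handled as a data set without card numbers; only the vault, behind its own credential, can map the token back.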

Businesses find tokenization compelling because PCI requirements state that data sets containing credit card numbers must be treated with more care than data sets without them (e.g., just your name, expiration date, etc.).  The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls.  All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can enjoy cost savings by not having to implement (or audit) those other security controls.

Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology.  However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely.  So far the working group has only provided a definition of the technology (essentially, the one I provided above).   However, a draft recommendation from the Council with specifics is expected around the new year.

Ipswitch’s Jonathan Lampe will be attending this week’s PCI Security Standards Council Community Meeting in Orlando, FL.  He’ll be blogging from the event to keep us updated on discussions about the new PCI DSS 2.0 and other key Council initiatives.

As part of its ongoing mission, the PCI Security Standards Council enhances and evolves the PCI Data Security Standard as needed to ensure that the standard includes any new or modified requirements necessary to mitigate emerging payment security risks, while continuing to foster wide-scale adoption.  We anticipate some very interesting forum conversations reviewing and discussing how the PCI DSS should evolve with this next release.

In the meantime, we thought you’d want to watch this great video from the PCI Security Standards Council website.  BTW, the bearded singer is Bob Russo, the PCI Council’s General Manager.  Great job with the video, Bob!