Ipswitch Blog

Tokenization 101

| October 2, 2010 | Managed File Transfer

I just returned from the PCI Security Standards Council .  It was great to spend a couple of days talking tech and trends with other security experts.

The hottest trend this year in the payment security industry is “tokenization”.   This technology lifts credit card numbers from sets of data and replaces them with unique one-way tokens (e.g., “234cew23”) in the data instead.  The original credit card numbers are stored in a “secure token vault” and may only be retrieved by authorized people and processes who present another set of credentials (preferably two-factor credentials).

The reason businesses find tokenization compelling is because PCI requirements state that data sets with credit card numbers must be treated with more care than data sets without that information (e.g., just your name, expiration date, etc.).  The higher degree of care often translates into full encryption, good key management, regular key rotation and a host of other security controls.  All these extra controls cost money, so if businesses can ratchet down the sensitivity of their data with tokenization, they can enjoy cost savings by not having to implement (or audit) other security controls.

Anyone buying in at this stage would be an early adopter: the Council has not yet endorsed the use of this technology.  However, the Council has formed a working group to come up with specific guidance (e.g., are hashes OK, if so, which ones, are unique IDs OK, etc.), so some level of future acceptance seems likely.  So far the working group has only provided a definition of the technology (essentially, the one I provided above).   However, a draft recommendation from the Council with specifics is expected around the new year.

How IT Pros Can Save 30 Minutes a Day

How IT Pros Can Save 30 Minutes a Day

Implementing Compliance for Data Privacy in Regulated Industries

Free Webinar: Implementing Compliance for Data Privacy in Regulated Industries
[ do default stuff if no widgets ]

Leave a Reply

Your email address will not be published. Required fields are marked *

Ipswitch Blog

This post was written by Ipswitch Blog

Ipswitch helps solve complex IT problems with simple solutions. The company’s software has been installed on more than 150,000 networks spanning 168 countries to monitor networks, applications and servers, and securely transfer files between systems, business partners and customers. Ipswitch was founded in 1991 and is based in Lexington, Massachusetts with offices throughout the U.S., Europe, Asia and Latin America.