November 4, 2011

Tokenization IS Encryption – NOT! – Part 3

This is the final post of a three-part series written by Steve Sommers, Shift4’s SVP of Applications Development. The first two parts can be found here and here.

As If Things Aren’t Muddy Enough!
PCI SSC accommodated various TINO (tokenization in name only) solutions in the Tokenization Guidelines, which drastically complicated and, in many respects, contradicted the original definition and intent of tokenization. Because of the weaknesses the guidelines introduced, PCI SSC added this little disclaimer within the document (there are others, but I particularly like this one): “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS, even if they cannot directly be used to retrieve PAN or other cardholder data; merchants should therefore consult with their acquirer and/or the Payment Brands directly to determine specific requirements for tokens that can be used as payment instruments.” This essentially translates into “use at your own risk, and only your QSA can determine scope.”

There is another side-effect of PCI SSC’s accommodation of TINO solutions. The PCI SSC Tokenization Guidelines allow encrypted data to be used as tokens, and then all but state “use at your own risk, and only a QSA can determine scope.” Following on the heels of the Tokenization Guidelines, PCI SSC published “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance,” a guideline for Point-to-Point Encryption (P2PE). The P2PE guidelines state that P2PE data can be considered out of scope for many portions of PCI DSS. Since a token is allowed to consist of P2PE data, should tokenization solutions receive the same scoping benefits? A TrueToken has no value except as a reference into the token vault, yet encrypted data – real cardholder data that can be decrypted by anyone holding the key – gets the benefit of being out of scope!
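The contrast in the paragraph above, as an added example that is not code from the original post or from Shift4: a random-reference "true token" whose only link to the PAN is a vault lookup, next to an encrypted-PAN "token in name only" that anyone holding the key can reverse. The cipher is a hash-based CTR keystream standing in for whatever encryption a P2PE product really uses, the PANs are constructed Luhn-valid test numbers, and DEMO_KEY is a constructed demo key; none of these are taken from the page.

```python
"""Added example: a vault-backed true token versus an encrypted-PAN TINO.

Toy implementations for illustration only. The "cipher" is a SHA-256 CTR
keystream used as a stand-in; it is not a production design.
"""
import hashlib
import secrets

# Constructed sample data (test card numbers, not real cards; demo key).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]
DEMO_KEY = bytes(range(32))


class TokenVault:
    """True tokenization: the token is a random reference, nothing more.

    The mapping table inside the vault is the only link from token to PAN.
    A token stolen from a merchant system that has no vault access is just
    a random string; there is no key that turns it back into a PAN.
    """

    def __init__(self):
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        # 128 bits of fresh randomness; nothing is derived from the PAN.
        token = secrets.token_hex(16)
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only code with access to the vault can do this.
        return self._token_to_pan[token]


def tokenize_twice(vault: TokenVault, pan: str):
    """Tokenizing the same PAN twice yields two unrelated tokens."""
    return vault.tokenize(pan), vault.tokenize(pan)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based CTR keystream (stand-in for a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def tino_encrypt(key: bytes, pan: str) -> str:
    """A TINO 'token': the PAN encrypted under a key, nonce prepended."""
    nonce = secrets.token_bytes(8)
    data = pan.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()


def tino_decrypt(key: bytes, token: str) -> str:
    """Whoever holds the key turns the 'token' straight back into the PAN."""
    raw = bytes.fromhex(token)
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def recover_from_stolen_tino(stolen_tokens, stolen_key: bytes):
    """Breach model: the token store and the key leak together. The key has
    to exist wherever decryption happens, so this pairing is realistic."""
    return [tino_decrypt(stolen_key, t) for t in stolen_tokens]


if __name__ == "__main__":
    vault = TokenVault()
    for pan in SAMPLE_PANS:
        t1, t2 = tokenize_twice(vault, pan)
        print(f"true tokens for {pan}: {t1} / {t2} (vault lookup -> {vault.detokenize(t1)})")
        tino = tino_encrypt(DEMO_KEY, pan)
        print(f"TINO for {pan}: {tino} (decrypts to {tino_decrypt(DEMO_KEY, tino)})")
```

The point the code makes is the scoping one: a stolen TINO store is a breach waiting on a key, while a stolen true-token store is noise without the vault. Only the vault (and any system that can call detokenize) holds cardholder data.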

To me, it’s obvious that the P2PE vendors inserted themselves in the Tokenization Guidelines development process but tokenization vendors did not return the favor, even though TrueTokens are safer than P2PE data (a TrueToken cannot be decrypted, while P2PE data can always be decrypted). This is a case where PCI and true security go separate directions.

If you’re a merchant reading this to figure out tokenization, demand a TrueTokenization solution. While PCI lumps TrueTokenization and TINO solutions into a single category, your goal should be to prevent a breach. A TINO solution may or may not complement your overall security, whereas a TrueTokenization solution will.

If you are a QSA reading this, PCI didn’t do you or your customers any favors with the Tokenization Guidelines. Educate yourself and know the difference between TrueTokenization and TINO.