Tokenization and PCI Compliance: FAQs
The data security rules around payments can be puzzling to new and seasoned payments professionals alike. Moreover, while the Payments Card Industry Data Security Standard (PCI DSS) outlines encryption best practices for meeting PCI compliance, much can be left up to interpretation.
What is payment tokenization and how does this impact PCI compliance? Read on for answers to this and several other frequently asked questions we receive.
What is Payment Tokenization?
Payment tokenization is a process of replacing sensitive payment information, such as a credit card number, with a unique identifier or token that can be used for payment transactions. The tokenization process creates a random string of characters that represents the actual payment information, which is stored in a secure token vault. The token can then be used to process payments, without exposing the actual card information to potential attackers or fraudsters.
Tokenization is used to secure online, in-app, and mobile payments, where sensitive payment data is transmitted across multiple devices and networks. By tokenizing payment data, merchants and payment processors can reduce the risk of data breaches and protect sensitive customer information.
Is Tokenization of Payments Data PCI Compliant?
Yes, tokenization is a PCI-compliant way to secure and mask sensitive cardholder data.
According to PCI DSS Requirement 3, encryption, masking, hashing, and tokenization - to name a few - are critical ways to protect account data and are necessary for maintaining compliance. Tokenization, in particular, replaces the sensitive cardholder data (CHD) with an irreversible token that would be effectively useless should malicious individuals come into contact with it.
However, the implementation of the tokenization must also be compliant. For instance, if you are leveraging a third-party tokenization provider for secure CHD storage, known as a cardholder data environment (CDE), that CDE must also meet PCI compliance requirements. While you may build the CDE in-house, building and maintaining the necessary infrastructure and programs can require hundreds of thousands of dollars and months to implement and assess. Third-party tokenization providers, like Basis Theory, provide the platform, infrastructure, and tools to secure cardholder data in minutes without these costs and distractions.
Does Tokenization Reduce PCI Compliance Burden?
When used effectively, tokenization can reduce PCI compliance burden, but it won’t eliminate it completely. This will, however, reduce PCI compliance scope and potentially shift the compliance burden onto a third party.
Reduced Scope: Because you replace the sensitive card data with tokens and don't store sensitive cardholder data (CHD) in your systems, you will reduce the compliance scope of your systems. This translates to fewer PCI requirements you need to comply with.
Shifted Responsibility: When you use a tokenization service, the responsibility for storing and securing the actual card numbers often falls on the tokenization provider. These providers are typically PCI DSS compliant and specialize in securing sensitive data. This can lessen the burden on your business to maintain strict PCI compliance for card data storage.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.
What Are My Payment Tokenization Options?
Each merchant effectively has three payment tokenization options: universal tokens, payment service provider tokens, and network tokens.
- Universal Tokens: These tokens are designed to be used across various different channels, payment networks, and processors without needing to be recreated or replaced. They are the most flexible and are offered via third-party tokenization providers.
- PSP Tokens (Payment Service Provider Tokens): These tokens are issued by a specific payment service provider (PSP) and are only valid within that provider's network. They are convenient for transactions processed through that particular PSP but limit usability with other providers.
- Network Tokens: These tokens are issued directly by card networks like Visa, Mastercard, or Amex. They are designed to replace the card details (PAN) and can be used with any PSP or acquirer connected with the issuing network. They offer wider acceptance within the network but might not be compatible with all processors.
Depending on whether you require simplicity, flexibility, or network reach, consider which payment tokenization option might be right for your business.
How do I Learn More about PCI Compliance?
All merchants that accept or process payments must become PCI compliant and understand what the rules mean for them.
We created an article that discusses the 12 requirements of PCI DSS, its history, what is in scope, and what this means for merchants.
For more in-depth information straight from the source, review the PCI Security Standards Council resource library which has the most detailed and up-to-date information.