PCI SSC Releases Tokenization Guidelines

Aug. 22, 2011

The PCI Security Standards Council (PCI SSC) recently published a guidance document aimed at providing the market with greater clarity on how specific technologies relate to the PCI Security Standards and impact PCI DSS compliance. The PCI DSS Tokenization Guidelines Information Supplement outlines explicit scoping elements for consideration; provides recommendations about scope reduction, the tokenization process itself, and deployment and operation factors; and details best practices for selecting a tokenization solution. The Council said it created the guidance in response to requests from the PCI community for direction on how tokenization technology may reduce the scope of the cardholder data environment and the effort required to conduct a PCI DSS assessment.

“We’ve continued the process to investigate these technologies and ways that the community can use them to potentially increase the security of their PCI DSS effort,” said Bob Russo, general manager of the PCI Security Standards Council. “These specific guidelines provide a starting point for merchants when considering tokenization implementations. The Council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements.”