Visa: Tokenization ‘Particularly Valuable’ for CNP Payment Environments

July 22, 2010

Visa Inc. recently announced best practices for tokenization, which it said will provide a safer retail payment environment for merchants, vendors, service providers and acquirers. Tokenization is the process through which a credit or debit card’s 16-digit primary account number (PAN) is replaced by proxy numbers. The card brand said merchants and processors that use tokens in accordance with best practices are able to significantly reduce the risk that sensitive cardholder data will be stolen. “As more merchants look at tokenization solutions, these best practices will provide guidance on how to implement those solutions effectively and highlight areas for particular vigilance,” said Eduardo Perez, head of global payment system security, Visa Inc. According to George Peabody, director, emerging technologies at Mercator Advisory Group, tokenization is particularly valuable for card-not-present and recurring payment applications. Visa’s best practices include defining the processes for: how a token is generated, associating a token to its original PAN value, establishing a central repository of cardholder data that is used by the token mapping process and how cryptographic keys are managed and used to protect cardholder and account data. “Tokenization is intended as a complement to, rather than a replacement for, the Payment Card Industry Data Security Standard,” Perez cautioned. “While tokenization and encryption solutions can streamline a merchant’s environment, strong security layers are required to protect against data compromise.”