New PCI Edict: Tokens Can Be Out-Of-Scope
Written by Evan SchumanAugust 12th, 2011
The PCI Council on Friday (Aug. 12) will, for the first time, offer guidance on tokenization—guidance telling retailers they can, indeed, be considered out of PCI scope if they properly use tokens. But the Council stressed that if the token is ever reversed into data on the retailer's systems, everything is fully back in scope. "There has to be recognition by the merchant that reversing that and being able to again see primary account number and be able to use and execute against account data brings those systems back into scope," said PCI Council Chief Technology Officer Troy Leach.
Leach added that the biggest token-related mistake he's seen retailers make is enabling the data to be de-tokenized during chargebacks, refunds or for loyalty tracking. "That's probably the oversight we see most often: not recognizing back channels where the merchant still may receive that account information."
This Story Is Only Available For Premium Subscribers. Click Or Login In Below To Read The Rest Of This Story.
Already a Subscriber? Login Here
2 Comments | Read New PCI Edict: Tokens Can Be Out-Of-Scope
Leave a Reply
Readers, specifically those who want to comment on a story:
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
Our Comment SPAM system is getting very aggressive these days and has been blocking legitimate comments. If you post a comment and don't see it appear within 2 hours or so, can you please send a heads-up to customer-service@storefrontbacktalk.com? Ideally, please include the time you posted the comment. That will allow us to try and hunt for it. Thanks! P.S. We're working on fixing the system, but we don't want to lose any valuable comments in the meantime.
-Christine
August 12th, 2011 at 8:39 pm
We have several issues with the Tokenization Guideline as published by PCI SSC. Basically they took a simple concept that helped merchants with security and compliance, added some lard, and now the “simple concept” allows for “valuable tokens”, opening security holes and complicating compliance. Not good. On page 20, we find this little gem: “Additionally, tokens that can be used to initiate a transaction might be in scope for PCI DSS.” Might? Wasn’t the whole purpose of this document to take what “might” be true and determine what really is true? What was released today was not an industry standard, and it was not a guideline. It was an eloquently worded, poorly veiled passing of the buck from the PCI SSC to individual acquirers and QSAs.
August 15th, 2011 at 1:41 pm
Well, I don’t think I would speak as harshly about the guidelines as Steve. I think they are a good first step. However, I do have an issue with the last section, which as it is currently written will introduce a lot of fear, uncertainty and doubt into many merchant’s minds regarding how to keep the systems they have which are storing only tokens out of scope. For solutions which support these types of tokens, the guidelines state that there must be additional controls in place to detect and prevent fraudulent transactions. This is where I feel the Council’s document fell short…when they introduced this concept that tokens may potentially be back in scope without providing guidance as to how to keep them out of scope.