Visa Releases Global Best Practices for Card Data Tokenization
Visa has announced global industry best practices for card data tokenization.
Based on Visa's experience working with the industry and also insights from data compromise investigations, the tokenization best practices are the latest in a series of guidance to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts. Tokenization is the process through which a credit or debit card's 16-digit primary account number (PAN) is replaced by proxy numbers.

In a related announcement, Visa is clarifying existing operating regulations to ensure that acquirers and issuers allow merchants to present a truncated, disguised or masked card number on a transaction receipt for dispute resolution in place of the full 16-digit card number.
Visa's Best Practices for Tokenization, Data Field Encryption, and PAN Storage and Truncation may be found online at www.visa.com/cisp.
Merchants and processors that use tokens in accordance with best practices are able to limit PAN storage, significantly reducing the risk that sensitive cardholder data may be stolen by data thieves. Visa has provided a type of single-use token for many years: transaction IDs are provided in place of card numbers for every transaction processed by VisaNet, so merchants may use them for settlement and other ancillary processes with the support of their processors. The best practices also address multi-use tokens, which can be used for more complicated purposes such as fraud management, recurring or subscription payments, and merchant loyalty programs.

"Where properly implemented, tokenization may help simplify a merchant's payment card environment," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "However, we know from working with the industry and from forensics investigations, that there are some common implementation pitfalls that have contributed to data compromises. For example, entities have failed to monitor for malfunctions, anomalies and suspicious activity, allowing an intruder to manipulate the tokenization system undetected. As more merchants look at tokenization solutions, these best practices will provide guidance on how to implement those solutions effectively and highlight areas for particular vigilance," he added.
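The mechanics sketched in the two passages above (a PAN replaced by a proxy number, a masked PAN for receipts, single-use versus multi-use tokens, and monitoring of the tokenization system for suspicious activity) can be made concrete in a small in-memory vault. The following is an added example written for this page; it is not Visa's code and not taken from the best practices document. The class name `TokenVault`, the helpers `luhn_ok` and `mask_pan`, the per-caller detokenization limit, and the test PAN 4111111111111111 are all assumptions made for illustration. The masking rule (show at most the first six and last four digits) follows the PCI DSS display requirement; the token itself is random, the same length as the PAN, keeps only the last four digits, and is deliberately generated to fail the Luhn check so it can never be confused with a real card number.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

DIGITS = "0123456789"


def luhn_ok(number: str) -> bool:
    """Luhn (mod 10) check, used to validate a PAN before it enters the vault."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked PAN for a receipt: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory token vault (illustration only, not a product)."""

    def __init__(self, detokenize_limit: int = 100):
        self._vault = {}                    # token -> (pan, multi_use)
        self._multi_use_index = {}          # HMAC(pan) -> existing multi-use token
        self._index_key = secrets.token_bytes(32)
        self._detok_counts = defaultdict(int)
        self.detokenize_limit = detokenize_limit
        self.alerts = []                    # what a monitoring system would raise

    def _index(self, pan: str) -> str:
        # Keyed hash lets us find an existing multi-use token for a PAN without
        # keeping a plaintext PAN -> token lookup table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str, multi_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if multi_use:
            existing = self._multi_use_index.get(self._index(pan))
            if existing is not None:
                return existing             # same PAN -> same token (recurring billing, analytics)
        while True:
            # Random body (not derived from the PAN), same length, last four kept
            # so receipts and loyalty/fraud analytics can still match on them.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Only accept tokens that fail Luhn: a token must never look like a valid PAN.
            if token not in self._vault and not luhn_ok(token):
                break
        self._vault[token] = (pan, multi_use)
        if multi_use:
            self._multi_use_index[self._index(pan)] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # The pitfall named in the article: a vault nobody watches. Count
        # detokenizations per caller and refuse (and alert) past a threshold.
        self._detok_counts[caller] += 1
        if self._detok_counts[caller] > self.detokenize_limit:
            self.alerts.append(f"{caller} exceeded detokenization limit")
            raise PermissionError(caller)
        pan, multi_use = self._vault[token]     # KeyError for unknown or already-spent token
        if not multi_use:
            del self._vault[token]              # single-use token is consumed here
        return pan


if __name__ == "__main__":
    vault = TokenVault(detokenize_limit=3)
    test_pan = "4111111111111111"               # constructed test PAN, Luhn-valid
    recurring = vault.tokenize(test_pan, multi_use=True)
    one_off = vault.tokenize(test_pan)
    print("receipt shows:", mask_pan(test_pan))
    print("multi-use token:", recurring, "single-use token:", one_off)
    print("settlement gets:", vault.detokenize(one_off, "settlement"))
```

A real deployment would keep the vault in a separately hardened system, authenticate callers rather than trust a `caller` string, and feed the alerts into the same monitoring that watches the rest of the cardholder data environment; the example only shows the shape of those controls.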
"Tokenization is one more element in a merchant's anti-fraud and PCI compliance toolkit. Particularly valuable for card-not-present and recurring payment applications, tokenization also retains the merchant's ability to perform marketing and fraud analytics while getting card number data off the merchant's systems and easing some of their Payment Card Industry Data Security Standards obligations," said George Peabody, Director, Emerging Technologies at Mercator Advisory Group.
Perez also noted that other sensitive authentication data, such as the full contents of the magnetic stripe, CVV2, PIN and PIN block, should never be stored after authorization for any reason. "Tokenization is intended as a complement to, rather than a replacement for, the Payment Card Industry Data Security Standard," he said. "While tokenization and encryption solutions can streamline a merchant's environment, strong security layers are required to protect against data compromise."