Payment Card Data Tokenisation
Visa Inc has released a guide to Card Data Tokenization Best Practices.
The intention is to provide guidance on using non-sensitive surrogate values (tokens) as a proxy for card data (typically the primary account number or PAN) by merchants, vendors, service providers and acquirers. This in turn can reduce the number of places where card data exists, and therefore the scope of compliance with the Payment Card Industry Security Standards Council (PCI SSC) Data Security Standard (DSS). The guidance joins other information in Visa's Cardholder Information Security Program (CISP).
The guidance describes Visa's best practices for the tokenization system, token generation, token mapping, the card data vault (the secure repository that maps tokens to cardholder data), cryptographic key management and the management of historical data.
However, the guidance may not be generally accepted and is being debated here and here, especially with regard to the reversibility of the process and the use of salts when hashing. Visa are seeking feedback on this first version, and have asked for responses by 31 August 2010 to be sent by email to inforisk@visa.com.
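The pieces the guidance describes (token generation, token mapping and the card data vault) and the point being debated about it (whether a token can be reversed back to the PAN, and why an unsalted hash is a poor token) can be illustrated with a small model of a tokenization service. The following is an added example written for this post, not Visa's code and not taken from the guidance; the class name CardDataVault, the use of an HMAC-keyed index for duplicate lookup, and the policy that tokens keep the PAN's last four digits and must fail the Luhn check are assumptions of this example, and the sample card numbers are constructed inputs (widely published test numbers, not real accounts).

```python
import hashlib
import hmac
import secrets
import string


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by PANs."""
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:  # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class CardDataVault:
    """Toy card data vault: maps random tokens to PANs (constructed example)."""

    def __init__(self, index_key: bytes) -> None:
        # Secret key for the lookup index. A keyed hash (HMAC) is used rather than a
        # bare SHA-256 of the PAN: the PAN space is small enough that an unkeyed,
        # unsalted hash could be matched by exhaustive search, which is the
        # reversibility concern raised in the debate over the guidance.
        self._index_key = index_key
        # A production vault would keep the PAN side encrypted under managed keys;
        # this toy keeps everything in memory to show only the token mapping.
        self._token_to_pan: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _validate_pan(pan: str) -> None:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")

    def _new_token(self, pan: str) -> str:
        # Format-preserving token: same length, last four digits kept for receipts,
        # the rest random. Assumed policy: the token must fail the Luhn check, so it
        # can never be mistaken for a real card number and carries no information
        # about the PAN beyond the retained last four digits.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if (token not in self._token_to_pan
                    and token != pan
                    and not luhn_valid(token)):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, reusing the existing one if already vaulted."""
        self._validate_pan(pan)
        idx = self._index(pan)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Look a token up in the vault; only the vault can perform this step."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = CardDataVault(secrets.token_bytes(32))
    # Constructed sample inputs: published test card numbers, not real accounts.
    for sample in ("4111111111111111", "5555555555554444"):
        tok = vault.tokenize(sample)
        print(f"{sample} -> {tok} (Luhn valid: {luhn_valid(tok)})")
        assert vault.detokenize(tok) == sample
```

The token is drawn at random, so nothing outside the vault can turn it back into the PAN; the only link between the two is the vault's own mapping. The keyed index exists so that the same PAN always receives the same token (needed for recurring payments and reporting) without storing a plain hash that could serve as a reversible fingerprint of the card number.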
Posted on: 20 July 2010 at 10:57 hrs