Will Tokenisation Kill PCI DSS Compliance?

June 2, 2015
The Payment Card Industry Data Security Standard (PCI DSS) was introduced at the end of 2004 with the intention of adding an extra layer of security and protection for card issuers, by ensuring that minimum levels of security were met when storing, processing and transmitting cardholder data.
The Standard was meant to provide a “robust payment card data security process — including prevention, detection and appropriate reaction to security incidents” (PCI Security Standards Council).
Recently, however, an increasing number of people have started to point out that PCI DSS is not as robust as it should be, with many believing it does not tackle the root cause of the problem: the need to secure stored card data and the additional personal information held alongside it, and to protect that data from attackers.
Despite a new version of the PCI DSS standard being introduced this year, designed to bring new levels of security protection for consumers, it appears the Standard is not producing as secure a system as hoped.
Recent research from Verizon, a global provider of communications and technology solutions, has shown that businesses are not fulfilling their compliance obligations: only around a quarter of businesses were still fully compliant one year after receiving validation.
The report also showed that approximately 80% of businesses failed their interim security assessment. Not the biggest sign of confidence for consumers!
So, what’s changing in the payments world and how might it affect consumers?
The simplest way to explain tokenisation is to think of it as something like a casino chip: the chip itself is of low value, yet it can represent a large amount of cash.
Tokenisation is not, in itself, a new technology, but recently it has been used more and more to ensure that the transfer of highly sensitive customer data, such as credit card Primary Account Numbers (PANs), is secure. This is especially visible in the mobile payments industry.
Tokenisation itself involves substituting real customer (i.e. card) data with a proxy set of identifying information, usually a unique, randomly generated sequence of numeric and/or alphanumeric characters. The token is normally exactly the same length as the original PAN, and can be mapped back to the original number only by the tokenisation system, provided the correct decryption keys are used.
This means that retailers do not have to handle or store the real card data, so their customers’ sensitive, private information is far less exposed. Tokenisation also acts as a deterrent to data thieves, who will find there is no point stealing the token, since they cannot recover the PAN from it without the correct decryption key.
Even though merchants are not dealing with or storing the actual PAN, this does not affect their ability to handle normal transactions or even refunds. The system also makes payments faster and easier, which is of real benefit to both the customer and the merchant involved in the transaction.
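To make the mechanism above concrete, here is an added illustration (not code from the original post or any real token service) of a vault-style tokenisation service: the merchant keeps only a random, same-length token and uses it for later transactions such as refunds, while the PAN stays inside the vault. The `TokenVault` class, the HMAC-based index that lets a repeat card receive the same token, and the choice to make tokens fail the Luhn check so they can never be mistaken for a real card number are all assumptions of this example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    # Hypothetical token service: the clear-text PAN never leaves this class.

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key  # secret used to index PANs without storing a plain hash
        self._token_to_pan = {}        # the only place a token can be resolved
        self._index_to_token = {}      # HMAC(PAN) -> token, so one card gets one token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12 to 19 digits")
        idx = hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._index_to_token:  # same card always maps to the same token
            return self._index_to_token[idx]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Same length as the PAN, but Luhn-invalid (assumption) so it can never
            # be confused with, or accidentally used as, a real card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back; a stolen token alone is worthless."""
        return self._token_to_pan[token]  # KeyError for tokens the vault never issued


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    token = vault.tokenize("4111111111111111")  # constructed: a well-known test number
    print("merchant stores and refunds against:", token)
    print("vault resolves for the processor:", vault.detokenize(token))
```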
As far as customers are concerned, they need not do anything differently from what they would usually do when paying with their debit or credit card. A token is issued automatically when their card is swiped at a terminal or its details are passed through an online transaction.
Of course, tokenisation works extremely well with mobile payments, which is great news for tech giants such as Apple and Google, who are introducing their e-wallets and want to reassure customers that they are safe to use.
Tokenisation plays a key role in providing customers with this reassurance, for it has, so far, proven to keep consumer data extremely safe, as well as enabling new types of fraud to be identified. It is therefore no wonder that people are starting to claim tokenisation will kill off PCI DSS, a system that has seen many data breaches over the years, threatening many merchants’ livelihoods and causing customers much financial grief.
We shall have to wait and see what the future really holds for PCI DSS, but with the popularity of tokenisation taking off among customers and merchants, it will most surely have an impact on the Standard.