We are pleased to announce the availability of our latest white paper: Tokenization Guidance: How to Reduce PCI Compliance Costs. It discusses the dos and don’ts of replacing credit card data with tokens, to improve security while reducing PCI DSS auditing costs. Our primary goal was to help merchants understand how to employ tokenization to reduce PCI scope, as well as the costs of Payment Card Industry Data Security Standard audits. When we read the PCI supplement on tokenization guidelines we were shocked that it failed to provide concrete answers to the target audience’s most-asked question: How can I reduce audit scope? It felt like the paper was designed to lull us to sleep – it would raise topics we were interested in, but then ramble on without answers.

But we are here to fix that, filling the gaps they left. This is the white paper the PCI Council should have written. The paper is the product of hundreds of hours of research and about a hundred phone calls to various merchants, payment processors, tokenization vendors, and qualified assessors. We make many controversial assertions but we stand by them – we have vetted the content through interviews and discussions with every expert we could reach. And we have subjected our analysis to open scrutiny by the payment community through our Totally Transparent Research process. We include an overview analysis for merchants and auditors, as well as a step-by-step guide which works through all the PCI DSS requirements that are directly affected when using tokens to replace primary account numbers.

We are very happy that Elavon, Liaison, Prime Factors, and Protegrity have sponsored this white paper! We could not spend the hours of research required for a project like this without help from sponsors, and we are grateful for their support.

You can get a copy of the paper from our sponsors, from our Research Library, or directly: TokenGuidance-Securosis-Final2.pdf

Index of Posts

  1. Tokenization Guidance (new series)
  2. Tokenization Guidance: PCI Supplement Highlights
  3. Tokenization Guidance: Merchant Advice
  4. Tokenization Guidance: Audit Advice