Assessing a Tokenization Environment

When performing audits, QSAs are expected to evaluate an entity’s processes for adhering to the Payment Card Industry Data Security Standards (PCI DSS). This can be a cumbersome, time-consuming task, and it requires a deep knowledge and understanding of various types of compliance strategies.

Often, businesses choose to meet PCI requirements by utilizing a combination of segmentation (to reduce PCI scope) and encryption (to secure data). However, tokenization has emerged as a more secure method of compliance that can both reduce the scope and protect data, providing an exciting alternative for companies looking to more efficiently and easily operate within PCI standards.

For QSAs, this means learning about the tokenization landscape, its myriad applications and the pros and cons of the platform itself. To aid in this process, we’ve put together several resources for QSAs looking to learn more about tokenization and what to keep in mind when auditing an environment.

One of the first considerations for a QSA is the tokenization provider. Assessors should determine where the tokenization is occurring – on-premise, at a third-party processor or in the cloud – and thoroughly analyze the benefits and drawbacks of each of these tokenization implementations.

Another step is to evaluate the type of tokens being used. High-value (persistent) tokens and low-value (single use) tokens operate differently, with high-value tokens being stored in the merchant’s cardholder data environment for repeated use. Both types can have various benefits and drawbacks in certain situations and should be considered in the context of the environment and use case.

Additionally, assessors should be aware of best practices, frequently asked questions and common mistakes to avoid when auditing tokenization providers and platforms. The more comfortable a QSA is with these concepts, the better he or she will be able to assess the strengths and weaknesses of a given system.

We will address these topics and more in our upcoming “Tokenization for QSAs” web seminar, and we will elaborate on them in our white paper about auditing tokenization. We encourage QSAs and other members of the data security industry to utilize these resources for additional information. Please contact us directly with any questions about TokenEx, our platform or how familiarity with tokenization can help your organization and your customers.

Topic(s): data security , tokenization