Tokenization, Part 2—How Static is Your Data? BY DAVE TAYLOR, president of the PCI Alliance and a former Gartner security analyst
Last week, I offered some suggestions about how you can save money and reduce risk by using one of several solutions to replace cardholder data with proxy numbers or "tokens." I received enough positive feedback to justify writing a bit more on the topic. In addition, in about a dozen conversations with merchants who want to join the PCI Knowledge Base, the topic has come up as a way to reduce the number of systems in the cardholder environment and, by extension, the scope and cost of the PCI assessment. Here are some things I've heard from merchants since last week:
- Nearly 1/3 of the merchants dismissed the concept of tokenization because they consider their environment to be too complex, with card data in so many places. The other, related reason for the quick dismissal is that they see their card data as very "dynamic"—used by many different applications and service providers. These merchants said that, at best, tokenization is a long-term solution for them. When I pointed out that they were likely spending much more to implement and maintain multiple encryption and incompatible key management systems, most noted that these systems are now considered "sunk costs" by management. These security managers would clearly like to remove the risk from their environment, but they see the decision as out of their hands.
- Slightly over one-third are seriously considering substituting token or proxy numbers for card data, and for other types of data as well. One of the security executives I spoke with, who manages the infrastructure for a large public university, said that they are actually looking at tokenization more for social security numbers than for credit card numbers. His point was that they had passed their assessment by using a combination of data encryption and compensating controls, and felt this was good for another 2-3 years, but they actually had many more social security numbers in their systems from current and former students, and these numbers were in systems not currently encrypted and with comparatively weaker access controls, vis-à-vis their credit card data. He said that they see tokenization as the fastest way to substantially reduce the risk to this data. He also said that this data is "just sitting there"—again raising the issue of the "flow" of data and the interdependencies among systems as a gating factor for tokenization of card data.
- The final 1/3 of the folks we talked with were somewhat familiar with tokenization, and were aware of at least 2 of the 3 vendors I mentioned last time (Shift4, MerchantLink and EPX). These merchants, which included companies in the hospitality industry, the specialty retail sector, and a couple of mid-level general merchandise retailers, see their major vulnerabilities as being "from the POS inward." Two of these merchants are looking to switch out their POS systems over the next two years, and consider this the ideal time to implement tokenization. The primary driver is cost reduction, with risk reduction coming in a close second.
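To make concrete what "replacing cardholder data with proxy numbers" means for the systems downstream of the POS, here is an added Python example; it is not code from this column or from any of the vendors named above. The vault class, the order-record layout and the test card numbers are constructed stand-ins for a real tokenization service, and the last function is the kind of check a merchant can run over stored records to confirm that a system no longer holds card numbers and so can drop out of PCI scope.

```python
import secrets

DIGITS = "0123456789"

def luhn_valid(number: str) -> bool:
    """Luhn check: real card numbers pass it; tokens are built to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed stand-in for a tokenization service: the only place a PAN is stored."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # repeat customer: same PAN, same token
            return self._token_by_pan[pan]
        while True:
            # keep the last four digits so receipts and lookups still work; the rest is random
            token = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4)) + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # in a real deployment only the payment gateway is allowed to call this
        return self._pan_by_token[token]

def record_order(vault: TokenVault, pan: str, amount: str) -> dict:
    """What an order system keeps: a token, never the PAN. Record layout is constructed."""
    return {"card": vault.tokenize(pan), "amount": amount}

def find_pans(records: list) -> list:
    """Scope check: any Luhn-valid 13-19 digit value in a stored record is a leaked PAN."""
    return [v for r in records for v in r.values()
            if isinstance(v, str) and v.isdigit() and 13 <= len(v) <= 19 and luhn_valid(v)]
```

Because a token always fails the Luhn check, a stray token in a log or report cannot be mistaken for, or used as, a card number, while the retained last four digits keep customer-facing lookups working.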
You can help—I'm trying to get one or two merchants to go "on the record" and talk about how they are using tokenization. I've not had much luck so far. If your organization is using or considering implementing tokenization, send me an email at
P.S. Top 10 reasons you should join the PCI Knowledge Base:
- At no cost, you'll be able to anonymously benchmark your PCI program against others.
- You can get advice from our Panel of Experts, including Certified PCI Assessors.
- You can download charts and statistics to help build your case for PCI purchases.
- You can read about how other merchants are using cost-cutting technologies, such as multi-function security appliances and server virtualization.
- You can find out what your peers think of their security vendors and PCI assessors.
- You can search the PCI Knowledge Base for best practices and lessons learned.
- You can find out how others are using Compensating Controls.
- You can learn about the impact of Tokenization (card # proxies) on limiting PCI audit scope.
- You can use the Knowledge Base to identify leading Assessors, Vendors and Products that deliver PCI-enabling solutions.
- You can anonymously share what you have learned with others in our PCI Forum.