The PCI SSC Tokenization Guidelines
The PCI SSC finally released their long-awaited Information Supplement: PCI DSS Tokenization Guidelines (PDF) last week. If what you read on the Internet is true, almost nobody's very happy about this document. But that's probably because the people who tend to comment on things on the Internet are typically upset, leading to lots of negative comments and very few positive ones. This particular document actually seems to be fairly well done. If there's any reason to complain about it, it might be because the document doesn't quite seem to be aimed at its target audience.
As the document itself says,
This Information Supplement is intended for merchants that store, process, or transmit cardholder data and are seeking guidance on how implementing a tokenization solution may impact the scope of their compliance efforts with the (PCI DSS). Other payment industry stakeholders including payment processors, acquirers, service providers, assessors, and solution vendors may also find the information in this document useful.
But the content of the document really seems more like it's written at a level that QSAs and other specialists in protecting cardholder data will understand. It's probably a bit over the heads of most merchants.
But aside from that minor point, this document seems fairly good. The PCI SSC seemed to do a particularly good job of eliminating most of the vendor bias that crept into the earlier versions, the ones before the PCI SSC took over the operation of the working group that created this document. (Some of the negative comments that I've read essentially complain that a particular vendor's definition of something or interpretation of something isn't reflected in this document.)
If the PCI SSC's future documents are as good as this one, it will probably make PCI DSS compliance much easier for merchants to understand, and that's probably a good thing.