In an effort to address the noticeable lack of an industry standard in recent years, the Payment Card Industry Security Standards Council has published guidelines regarding the use of tokenization technologies.
Token-based tools have been used for years by merchants and others in the payment card industry to protect sensitive information, such as credit card numbers, by concealing it with a non-sensitive token value. However, despite the growing popularity of the data security tool, no industry standard for implementing such solutions currently exists.
The PCI council noted that its PCI DSS Tokenization Guidelines Information Supplement does not create an industry standard for tokenization use, but explained that it does offer several best practices merchants can use to keep cardholder information safe.
The guidelines also attempt to define the areas in which specific attention is needed to minimize the threat of credit card data loss and identity theft.
"These specific guidelines provide a starting point for merchants when considering tokenization implementations," said PCI SSC general manager Bob Russo. "The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements."
The PCI SSC has been instrumental in helping businesses improve data protection practices and has attempted to stay at the forefront of new technological developments. For example, earlier this year, the council published new guidelines pertaining to the protection of virtualization, a technology that has seen significant growth among enterprises and merchants alike in recent years. The guidelines, published in June, highlight best practices for several virtualization technologies, including hypervisors, virtual machines and virtual appliances.
Businesses that adhere to the PCI council's guidelines are generally better prepared to deal with data security challenges and avoid breaches. As a recent Ponemon and Imperva study found, nearly 64 percent of businesses that are PCI DSS compliant said they have not suffered a data breach involving credit card information in the last two years.