PCI Says Most Tokens Won’t Reduce Scope

We’ve spent much of the last five years warning merchants about companies that claim to offer tokenization when what they really have is nothing more than a weak encryption scheme. We call these solutions “tokenization in name only,” or TINO for short, and they annoy us to no end. But we’re happy to announce that something is finally being done about them.

In a meeting we requested with PCI Council executives back in September, we learned that once PCI’s new tokenization standard takes effect (next fall, if all goes according to plan), merchants using these weak solutions will no longer qualify for PCI scope reductions.

It appears the Council has also finally realized that systems that always return the same token for a given card (one-to-one tokens) offer very little by way of security. Twice in the proposed new spec, the Council says that tokens that carry a one-to-one relationship with the original PAN may present risks to merchants. It makes sense; a token with a one-to-one relationship to the card almost always holds a mathematical relationship, which means it can be reversed. Worse yet, it doesn ’t even have to be reversed to be dangerous. If a one-to-one token works at Retailer A, and I know that Retailer B uses the same processor, then I can use A’s tokens to illicitly buy products at B’s store. The scariest part: because even these weak, bastardized tokens aren’t considered card data, Merchant A doesn’t have to report them as lost or stolen. Imagine the legal question then of which merchant is liable for the breach. It’s a mess.

As often repeated within Shift4’s walls, “if you’re going to use garbage like one-to-one tokens, you might as well just use the original PAN… and pray.” Fortunately for us, Shift4’s organically generated, random, alphanumeric TrueTokenization® meets all of PCI’s requirements for scope reduction. So, that’s the good news. The bad news is that while we generate a TrueToken® for every transaction we process, not all of our merchant customers are putting those TrueTokens to use!

So consider this your call to action. If you’re not using TrueTokenization, you’re already missing out on major security benefits and you will soon be missing out on the PCI scope reductions that will save you time and money on your assessments.

We understand that some of your POS/PMS manufacturers don’t support TrueTokenization, which limits your options a little bit, but we want to let you in on a little secret: If enough of you ask for it, they’ll write it into their next release. They answer to you, their loyal customers. So make your voice heard and let them know you want the scope-reducing benefits of TrueTokenization before the PCI tokenization guidelines are released next fall.

If you have questions about what you need to do to get TrueTokenization up and running in your environment, or if you’re not sure whether you have it or not, please email support@shift4.com.

Archived Comments

Chris Lautenbach wrote on 01/07/14 1:10 PM

That's great news! We were concerned about whether or not the new scope-reduction/tokenization rules would result in a whole new world of headaches. It's good to know that not only is Shift4 on the cutting edge of this type of solution -- but that the PCI Council is being reasonable.

Nathan Casper wrote on 01/07/14 1:24 PM

Reasonable is a relative term, Chris. But - considering it's PCI we're talking about - yes, we're pleased, too.