Tokenization is set for higher profile under new PCI rules

The transaction security group will issue guidelines for the payment technology.

Thad Rueter

Tokenization, an emerging technology designed to protect the payment card data of online shoppers—and help shield web retailers from data leaks—is gaining increased attention this year from the group that maintains transaction security standards.

Proposals set to go before the PCI Security Standards Council in September will include non-binding guidelines for tokenization, a technology that converts card numbers into codes, called tokens, and that is gaining popularity among retailers, according to payment observers. The retailer retains those codes but keeps no actual card data on hand; the card data is held by the retailer’s tokenization vendor.

About 30 vendors offer tokenization services, says Bob Russo, general manager of the PCI council.

Vendors handle tokenization in a variety of ways, with some, for instance, masking different parts of the card numbers than other vendors do. “There is no standard for tokenization yet,” Russo points out.

The guidelines will offer examples of different types of tokenization and how the technology is used, and will use a checklist-like format that enables a retailer to see how close it is to compliance. Russo would not rule out an eventual PCI standard for tokenization.

The PCI council manages the standards for protecting payment card account data in computer networks. The council was founded by payment card companies Visa Inc., MasterCard Worldwide Inc., American Express Co., Discover Financial Services and JCB International.

