Visa has released global industry best practices for tokenization to provide guidance to merchants, vendors, service providers and acquirers and promote safer merchant payment environments.
Tokenization is the process through which a credit or debit card’s 16-digit primary account number (PAN) is replaced by proxy numbers. Merchants and processors that use tokens in accordance with best practices will be able to limit PAN storage and reduce the risk that sensitive cardholder data may be stolen by data thieves, said Visa.
Visa’s tokenization best practices provide guidance on areas in which poor execution has been a problem in the past, including proper generation of tokens and the management of historical data.
The best practices highlight four key components of effective tokenization: token generation, token mapping, the card data vault, and cryptographic key management.
In October 2009, Visa published the Visa Best Practices for Data Field Encryption for protecting cardholder information and limiting the clear-text availability of cardholder data and sensitive authentication data.
As part of these best practices, Visa recommended that entities consider using tokens (such as a transaction ID or a surrogate value) to replace the PAN for use in payment-related business purposes other than payment acceptance. Visa has also provided best practices for PAN storage and truncation, including the use of tokens in lieu of full card numbers.
Eduardo Perez, head of global payment system security at Visa, said: “As more merchants look at tokenization solutions, these best practices will provide guidance on how to implement those solutions effectively and highlight areas for particular vigilance.
“Tokenization is intended as a complement to, rather than a replacement for, the Payment Card Industry Data Security Standard. While tokenization and encryption solutions can streamline a merchant’s environment, strong security layers are required to protect against data compromise.”