Retail Technology
Part of broader European strategy to help merchants eliminate card data and streamline security

Visa Europe today announced global industry best practices for tokenisation to provide guidance to retailers, vendors, service providers and acquirers and to promote safer payment environments.


Based on Visa Europe’s experience working with the industry and on insights from data compromise investigations, these tokenisation best practices are the latest in a series of guidance documents from the payments giant to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts, such as those required by the Payment Card Industry Data Security Standard (PCI DSS).


Tokenisation is a process through which a card number is replaced by a proxy value, the token, which is of no use to a thief unless it can be mapped back to the original number. Visa said merchants and processors that use tokens in accordance with best practices are able to limit primary account number (PAN) storage, significantly reducing the risk that sensitive cardholder data may be stolen by data thieves. By reducing the amount of vulnerable information that needs to be protected, merchants can simplify their payment systems and improve payment security.


Confirming market demand


“Within the Visa Europe market, we have seen significant interest in technologies which can eliminate or reduce the storage of cardholder data,” said Stanley Skoglund, Visa Europe senior vice president of payment system risk. “To support marketplace adoption of robust tokenisation solutions, Visa Europe has developed best practices to assist merchants and other stakeholders in evaluating these solutions.”


In November 2009, Visa Europe published the Visa Best Practices for Data Field Encryption for protecting cardholder information and limiting the clear-text availability of cardholder data and sensitive authentication data. As part of these best practices, Visa Europe recommended that retailers, processors and other entities consider using tokens to replace the card number for use in payment-related business purposes other than payment acceptance. While Visa Europe’s data field encryption guidance focused on protecting card data in motion, Visa Europe’s best practice for tokenisation provides guidance on the protection of stored card data when a retailer has a business need to reference card information for ancillary business processes.


“Tokenisation can truly mitigate corporate risk due to data security breaches while also helping to significantly reduce the scope and cost of PCI DSS audits,” said Gary Palgon, vice president of product management for tokenisation technology provider, nuBridges. “Visa Europe’s leadership on tokenisation best practices is a huge step toward industry wide adoption and improved payment-related business processes.”


Focusing on problem areas


Visa Europe’s tokenisation best practices provide guidance on areas in which poor execution has been a problem in the past, including the proper generation of tokens and the management of historical data.


The best practices highlight four key components of effective tokenisation, including token generation, which defines the process for how a token is generated; token mapping, which defines the process for associating a token to its original PAN value; card data vault, which denotes the central repository of cardholder data that is used by the token mapping process; and cryptographic key management, which defines the process for how cryptographic keys are managed and used to protect cardholder and account data.
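The four components are easier to reason about in code than in prose, so here is an added example, written for this article rather than taken from Visa Europe’s guidance or from any vendor’s product, that exercises each of them: a hypothetical in-memory Vault type that generates tokens from the operating system’s random number generator rather than from the PAN, keeps the token-to-PAN mapping only as AES-GCM ciphertext held inside the vault, and rotates the data-encryption key by re-sealing every stored record. The PAN in main is a constructed test number, and the type and function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// Vault is a constructed, in-memory stand-in for the card data vault, the only
// component that ever handles a clear-text PAN. Everything outside it sees tokens.
type Vault struct {
	dek     cipher.AEAD       // AES-256-GCM under the current data-encryption key
	byToken map[string][]byte // token -> nonce||ciphertext of the PAN (the token mapping)
}

// newDEK makes a fresh 256-bit key wrapped in GCM; a production key would be
// generated and held by an HSM or key-management service, not by this process.
func newDEK() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
func NewVault() (*Vault, error) {
	dek, err := newDEK()
	if err != nil { return nil, err }
	return &Vault{dek: dek, byToken: map[string][]byte{}}, nil
}

func isDigits(s string) bool {
	for _, c := range s { if c < '0' || c > '9' { return false } }
	return s != ""
}
// newToken draws a uniform 16-digit value from the OS CSPRNG. It is not computed
// from the PAN, so nothing outside the vault can turn a token back into a card number.
func newToken() (string, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(10000000000000000)) // 10^16
	if err != nil { return "", err }
	return fmt.Sprintf("%016d", n.Int64()), nil
}

// seal encrypts a PAN with a fresh nonce; the token is bound in as additional data,
// so a stored record cannot be re-filed under another token without failing to open.
func seal(g cipher.AEAD, token string, pan []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, pan, []byte(token)), nil
}
func unseal(g cipher.AEAD, token string, rec []byte) ([]byte, error) {
	ns := g.NonceSize()
	if len(rec) < ns { return nil, errors.New("vault record too short") }
	return g.Open(nil, rec[:ns], rec[ns:], []byte(token))
}

// Tokenize validates the PAN, draws a fresh token (retrying on the rare collision)
// and stores the encrypted PAN under it. Only the token leaves the vault.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 || !isDigits(pan) {
		return "", errors.New("PAN must be 13 to 19 digits")
	}
	for {
		t, err := newToken()
		if err != nil { return "", err }
		if _, taken := v.byToken[t]; taken { continue }
		rec, err := seal(v.dek, t, []byte(pan))
		if err != nil { return "", err }
		v.byToken[t] = rec
		return t, nil
	}
}

// Detokenize is the single privileged path back to the PAN; in a real deployment
// it sits behind strict access control and audit logging.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.byToken[token]
	if !ok { return "", errors.New("unknown token") }
	pan, err := unseal(v.dek, token, rec)
	if err != nil { return "", err }
	return string(pan), nil
}
// Rotate installs a new data-encryption key and re-seals every record under it;
// tokens already handed out to merchant systems are unaffected.
func (v *Vault) Rotate() error {
	dek, err := newDEK()
	if err != nil { return err }
	for t, rec := range v.byToken {
		pan, err := unseal(v.dek, t, rec)
		if err != nil { return err }
		if rec, err = seal(dek, t, pan); err != nil { return err }
		v.byToken[t] = rec
	}
	v.dek = dek
	return nil
}

func main() {
	v, _ := NewVault()
	tok, _ := v.Tokenize("4111111111111111") // constructed test PAN, not a real card
	_ = v.Rotate()
	pan, _ := v.Detokenize(tok)
	fmt.Println("token:", tok, "recovers PAN:", pan)
}
```

The point to take from it is structural rather than cryptographic: the token carries no information about the PAN, the mapping exists in exactly one place, the stored PAN is never in clear text outside the vault, and rotating the key changes nothing that merchant systems hold. A real deployment would persist the records in a hardened store, keep the key in an HSM or KMS, and gate Detokenize behind access control and logging.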


Neira Jones, head of payment security at Barclaycard Global Payment Acceptance, said: “In our continuous effort to promote the use of risk mitigation technologies to the payment value chain, we welcome the release of the Visa Europe guidelines on tokenisation, as the industry’s awareness of this technology is maturing. This important first step, ahead of expected PCI SSC [Security Standards Council] guidelines this autumn, will definitely help organisations currently considering this technology better to plan for its adoption.”


Visa’s Best Practices for Tokenisation and Data Field Encryption can be viewed online.