As you may already know, the Payment Card Industry Data Security Standard (PCI DSS) was recently reviewed and updated to version 3.1. What did not change from PCI DSS 3.0 to PCI DSS 3.1 is the principle underneath it: every organization that stores, processes or transmits cardholder data is required to protect that data, and the customer details that travel with it, wherever it goes.


Due to the increase in threats and breaches in recent years, many organizations have chosen tokenization as a way to make it harder for attackers who get into their systems to obtain usable cardholder data.

Not only does tokenization create more obstacles for hackers and malicious users who try to break into their systems, but it also simplifies the process of achieving and maintaining PCI compliance. It does this by shrinking the cardholder data environment: systems that only ever handle tokens can be kept out of PCI DSS scope, so fewer controls have to be implemented, assessed and maintained. The tokenization system itself, and anything that can detokenize, remains fully in scope.

What is tokenization according to the Payment Card Industry?

According to the PCI Council tokenization is:

“…a process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value.”

As mentioned, we are dealing with an increasing number of requests for tokenization solutions due to a growing number of risks. This is why the PCI SSC has recently published new technical guidelines that are meant to support the evaluation of tokenization products.

When we talk about tokenization solutions and products we mean any type of software or hardware that is built to help organisations keep their customers’ details and credit card information protected.

Who is this document for?

These guidelines are for developers, vendors and evaluators, organizations that intend to design and develop tokenization solutions and all of the entities that are currently using or are planning to use these types of products in the future.

This document is relevant to many stakeholders in the tokenization products industry, including:

  • Solution or product vendors
  • Organizations wishing to develop their own solution
  • Organizations wishing to procure products and solutions
  • Organizations wishing to use products to reduce the presence of cardholder data in their environment
  • Independent evaluators of products

Key points of this document

The PCI Council stresses that developing good tokenization products requires a robust process that runs through designing, building, testing and deploying products that can help achieve compliance with the PCI Data Security Standard and reduce the size and complexity of the cardholder data environment (CDE).

The evaluation of tokenization products is the most technical aspect under discussion; it dives deep into the mechanisms in place to capture cardholder data and analyzes how transactions happen within a particular environment. Payments can happen in various ways, and these guidelines apply to any channel or device through which credit card data flows.

For instance, if we look at the case of a POS device (point-of-sale), it is key to control how the data proceeds from it “to the authorization endpoint, how tokens are retained for use (e.g. in back office systems) and so on.”

Is each component of the product secure? Can the product demonstrate that the risks associated with each component have been mitigated?

A token replaces a PAN with a surrogate value, and the goal is to reduce the risk of unauthorized disclosure of the PAN itself. The PCI SSC guidelines describe the various tokenization processes and the token types they produce, which fall into two main categories:

  • Reversible (the token can be turned back into the PAN by an authorized party)
    • Cryptographic (the token is derived from the PAN with a cryptographic function under a key)
    • Non-cryptographic (the token is a surrogate with no mathematical link to the PAN; the link is a lookup in the card data vault)
  • Irreversible (there is no way to recover the PAN from the token)
    • Authenticable (a PAN and token can be checked together to confirm they are associated)
    • Non-authenticable (no such check is possible)
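To make the categories concrete, here is an added example (not code from the PCI SSC guideline or from Advantio) that implements three of the four token classes in a few lines of Python: a vault-backed reversible non-cryptographic token, an irreversible authenticable token (keyed hash) and an irreversible non-authenticable token (hash with a discarded salt). Reversible cryptographic tokens, typically produced with format-preserving encryption under a managed key, are left out because a correct implementation is far longer. The choices of keeping the last four PAN digits, of rejecting random tokens that pass a Luhn check so they cannot be mistaken for a real PAN, and the test PANs themselves are assumptions made for this illustration.

```python
"""Illustration of the PCI SSC token classes (added example; not code from
the guideline or from Advantio).  Assumptions: tokens keep the last four PAN
digits for display, and a random token is rejected if it passes a Luhn check
so that it cannot be mistaken for a real PAN.  PANs used are public test
numbers, not real cards."""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check as used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def plausible_pan(pan: str) -> bool:
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Reversible, non-cryptographic tokenization: the token is a random
    surrogate and the only link to the PAN is a lookup table.  In a product
    this table is the card data vault and sits inside the CDE."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not plausible_pan(pan):
            raise ValueError("input is not a plausible PAN")
        if pan in self._token_by_pan:          # same PAN -> same token
            return self._token_by_pan[pan]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            # Reject collisions and anything that would pass as a valid PAN
            # (this also guarantees token != pan).
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse mapping: only possible with access to the vault."""
        return self._pan_by_token[token]


def authenticable_token(pan: str, key: bytes) -> str:
    """Irreversible, authenticable: keyed hash.  Nobody can recover the PAN
    from the token, but a holder of the key can confirm a (PAN, token) pair."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def authenticate(pan: str, token: str, key: bytes) -> bool:
    return hmac.compare_digest(authenticable_token(pan, key), token)


def non_authenticable_token(pan: str) -> str:
    """Irreversible, non-authenticable: the PAN is hashed with a fresh random
    salt that is then discarded, so the token can neither be reversed nor
    re-derived to check which PAN it came from."""
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + pan.encode()).hexdigest()


if __name__ == "__main__":
    pan = "4111111111111111"   # public Visa test number
    vault = TokenVault()
    tok = vault.tokenize(pan)
    print("vault token   ", tok, "->", vault.detokenize(tok))
    key = secrets.token_bytes(32)
    auth = authenticable_token(pan, key)
    print("authenticable ", auth, authenticate(pan, auth, key))
    print("non-auth      ", non_authenticable_token(pan))
```

The practical difference between the classes is where the secret lives: for the vault token it is the lookup table, for the authenticable token it is the HMAC key, and for the non-authenticable token there is none to protect because nothing can be recovered. That is exactly why the guideline treats the card data vault and cryptographic key management as separate security domains.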


The document then goes through each of these categories and outlines the security domains for tokenization solutions and products, which are:

  • General Guidelines
  • Token Generation
  • Token Mapping
  • Card Data Vault
  • Cryptographic Key Management

Develop products for PCI DSS with the right support

Here at Advantio our team is able to support anyone who wants to achieve and maintain PCI compliance. Our experts are QSAs (Qualified Security Assessors) and we specialize in the Secure Software Development Life Cycle (SSDLC), following the creation of applications from the requirements phase through to deployment.

Any organisation that wants to develop, test and deploy tokenization products should be supported by security experts with the right knowledge. Your customers’ details, credit card data and privacy are under the spotlight, together with the reputation of your business. This is why you must stay vigilant and make sure that you prevent issues before they happen.

Get in touch with us for a free consultation.

Written by Igor Mancini

Marketing Director at Advantio. The articles published in the Advantio Blog have the goal of supporting our mission: making IT Security simple for everyone.

My intention is to discuss IT Security related topics through the eyes of a non-technical person, speaking a simple language and trying to show readers the benefit of IT Security best practices.