
Your token to VISA...

Aug 04, 2010 by Sebastian Rohr

The recently published VISA document on protecting credit card data during processing and storage with tokenization technology has gathered quite a bit of response (see for yourself: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf). As others such as Mr. McMillon of RSA have said before (http://www.rsa.com/blog/blog_entry.aspx?id=1687), it is overall a good approach, and my very recent experience with CC data processing in outsourcing environments proves to me that solutions for this are in great demand. Besides the "nit-picking" (please excuse, we are totally on the same page here!) about calling encrypted CC data a "token" (which it is NOT...), there are some issues with the general approach shown by VISA.

First, it is absolutely positive to see any progress and innovation around securing payment methods and payment processing, either at the PoS or online (and there are nice solutions for both environments readily available in the market, such as nuBridges' offering, for example). Second, it is advisable to contribute to standardization and commonly accepted methods - isn't it? Well, it looks like VISA - with all due respect for their effort to make this world a safer place! - has failed to get broad third-party support, such as funnelling this through the PCI DSS committees or having it openly reviewed by experts. It remains a mystery (at least to me) why VISA chose to spearhead this alone. The overall feedback received from experts around the world is a mixed bag of "well thought out, but has major weaknesses". Thus, it is definitely worth a look if you have a need for securing CC data in your systems and need guidance on how to define certain aspects. On the other hand, it is advisable to compare the VISA best practices with what the "other" stakeholders such as Mastercard, Diners, Amex and the like may add or edit.
From my personal perspective I applaud the advances made by this project, but I clearly dislike the fact that VISA did this on their own, effectively putting an extra burden on banks, merchants and all others dealing with CC data to harmonize with deviating requirements that may be published by other companies. I sincerely hope that the payment card industry does not fall into a "deny-all" mode but instead that a revised version with support from industry organizations such as the PCI DSS council is made public anytime soon. Until then, I recommend reading, understanding and cross-checking the VISA best practices for tokenization against the extensive feedback already available from industry experts around the globe. The time for protecting CC data and other PII is definitely NOW, and good tokenization can help to reduce the leakage of such information!
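To make the distinction behind the "encrypted CC data is NOT a token" remark concrete, here is an added example. It is my own illustration, not code from VISA, KuppingerCole or any vendor named in the post; the class and function names are hypothetical, the card numbers are constructed industry test PANs, and the "toy cipher" is a deliberately simple stand-in for AES or format-preserving encryption that only serves to show one property. A vault token is a random surrogate that can be mapped back to the PAN solely by the vault's own lookup table, whereas an encrypted value is recoverable by any system that holds the key, so the key, not the value, carries the protection and every system holding it stays inside the card data controls.

```python
"""Vault tokenization versus encryption of a card number (PAN).

Added illustration; not VISA's or any vendor's code. The toy cipher is a
stand-in for real encryption and must not be used for anything but this demo.
"""
import hmac
import hashlib
import secrets

# Constructed sample card numbers (industry test PANs, not real accounts).
SAMPLE_PANS = ["4111111111111111", "5555555555554444"]


def luhn_valid(pan: str) -> bool:
    """Luhn check used by card networks; catches typos, not fraud."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal vault: PAN -> random, format-preserving surrogate (hypothetical)."""

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]      # same PAN -> same token
        while True:
            # Keep the last four digits for receipts; draw the rest from a CSPRNG.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and the degenerate case token == pan.
            if token not in self._token_to_pan and token != pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can reverse a token: there is no key to leak."""
        return self._token_to_pan[token]


def toy_encrypt(key: bytes, pan: str) -> tuple:
    """Per-record nonce plus a keyed digit shift. Demo stand-in for AES/FPE only."""
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()   # 32 bytes >= 19 digits
    ciphertext = "".join(str((int(c) + stream[i]) % 10) for i, c in enumerate(pan))
    return nonce.hex(), ciphertext


def toy_decrypt(key: bytes, nonce_hex: str, ciphertext: str) -> str:
    """Anyone with the key and the stored nonce recovers the PAN, vault or not."""
    stream = hmac.new(key, bytes.fromhex(nonce_hex), hashlib.sha256).digest()
    return "".join(str((int(c) - stream[i]) % 10) for i, c in enumerate(ciphertext))


def demo() -> dict:
    """Run both schemes over the sample PANs and report the observable properties."""
    vault = TokenVault()
    key = secrets.token_bytes(32)
    results = {}
    for pan in SAMPLE_PANS:
        token = vault.tokenize(pan)
        nonce_hex, ciphertext = toy_encrypt(key, pan)
        results[pan] = {
            "token": token,
            "token_keeps_last4": token[-4:] == pan[-4:],
            "token_is_not_pan": token != pan,
            "vault_round_trip": vault.detokenize(token) == pan,
            # A second, independent vault cannot reproduce the token: no key exists.
            "token_reproducible_elsewhere": TokenVault().tokenize(pan) == token,
            # The cipher round-trips anywhere the key is present.
            "cipher_round_trip": toy_decrypt(key, nonce_hex, ciphertext) == pan,
        }
    return results


if __name__ == "__main__":
    for pan, props in demo().items():
        print(pan, props)
```

The vault keeps the last four digits so downstream systems can still print receipts and do customer lookups without ever holding the PAN; the only way back is the vault's table, which is exactly why that table and nothing else needs the strongest controls. The cipher path shows the contrast the post draws: the value is reversible wherever the key travels.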


KuppingerCole Blog