
Your token to VISA...

Aug 04, 2010 by Sebastian Rohr

The recently published document on protecting credit card data during processing and storage with tokenization technology has gathered quite a bit of response (see for yourself: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf). As others like Mr. McMillon of RSA said before (http://www.rsa.com/blog/blog_entry.aspx?id=1687), it is an overall good approach - and my very recent experience with CC data processing in outsourcing environments proves to me that solutions for this are in great demand. Besides the "nit-picking" (please excuse, we are totally on the same page here!) about calling encrypted CC data a "token" (which it is NOT...), there are some issues with the general approach shown by VISA.
First, it is absolutely positive to see any progress and innovation around securing payment methods and payment processing, either at the PoS or online (and there are nice solutions for both environments readily available in the market, such as nuBridges' offering, for example). Second, it is advisable to contribute to standardization and commonly accepted methods - isn't it? Well, it looks like VISA - with all due respect for their effort to make this world a safer place! - has failed to get broad third-party support (e.g. by funnelling this through the PCI DSS committees or having it openly reviewed by experts). It remains a mystery (at least to me) why VISA chose to spearhead this alone.
The overall feedback received from experts around the world is a mixed bag of "well thought, but has major weaknesses". Thus, it is definitely worth a look if you have a need for securing CC data in your systems and guidance is needed on how to define certain aspects. On the other hand, it is advisable to compare the VISA best practices with what the "other" stakeholders such as Mastercard, Diners, Amex and the like may add or edit.
From my personal perspective I applaud the advances made by this project, but I clearly dislike the fact that VISA did this on their own, effectively putting an extra burden on banks, merchants and all others dealing with CC data to harmonize with deviating requirements that may be published by other companies. I sincerely hope that the payment card industry does not fall into a "deny-all" mode but instead that a revised version with support from industry organizations such as the PCI DSS council is made public any time soon. Until then, I recommend reading, understanding and cross-checking the VISA best practices for tokenization with the extensive feedback already available from industry experts around the globe. The time for protecting CC data and other PII is definitely NOW, and good tokenization can help to reduce the leakage of such information!


KuppingerCole Blog