Card Data Tokenisation Guidelines From Visa Europe

NuBridges : 16 July, 2010  (Technical Article)
nuBridges explains the Visa Europe industry best practices that the organisation has released for payment card data tokenisation
Visa Europe has announced global industry best practices for tokenisation to provide guidance to retailers, vendors, service providers and acquirers and to promote safer payment environments. Based on Visa Europe's experience working with the industry and also insights from data compromise investigations, these tokenisation best practices are the latest in a series of guidance documents from Visa Europe to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts.

Tokenisation is a process through which a card number is replaced by a proxy value. Merchants and processors that use tokens in accordance with best practices are able to limit PAN storage, significantly reducing the risk that sensitive cardholder data may be stolen by data thieves. By reducing the amount of vulnerable information that needs to be protected, merchants can simplify their payment systems and improve payment security.

"Within the Visa Europe market, we have seen significant interest in technologies which can eliminate or reduce the storage of cardholder data," said Stanley Skoglund, SVP of Payment System Risk, Visa Europe. "To support marketplace adoption of robust tokenisation solutions, Visa Europe has developed best practices to assist merchants and other stakeholders in evaluating these solutions," he added.

In November 2009, Visa Europe published the Visa Best Practices for Data Field Encryption for protecting cardholder information and limiting the clear-text availability of cardholder data and sensitive authentication data. As part of these best practices, Visa Europe recommended that retailers, processors and other entities consider using tokens to replace the card number for use in payment-related business purposes other than payment acceptance. While Visa Europe's data field encryption guidance focused on protecting card data in motion, Visa Europe's best practice for tokenisation provides guidance on the protection of stored card data when a retailer has a business need to reference card information for ancillary business processes.

"Tokenisation can truly mitigate corporate risk due to data security breaches while also helping to significantly reduce the scope and cost of PCI-DSS audits," said Gary Palgon, VP Product Management, tokenisation technology provider nuBridges. "Visa Europe's leadership on tokenisation best practices is a huge step toward industry-wide adoption and improved payment-related business processes."

Visa Europe's tokenisation best practices provide guidance on areas in which poor execution has been a problem in the past, including proper generation of tokens and the management of historical data. The best practices highlight four key components of effective tokenisation:

* Token generation - defines the process for how a token is generated.
* Token mapping - defines the process for associating a token to its original PAN value.
* Card data vault - defines the central repository of cardholder data that is used by the token mapping process.
* Cryptographic key management - defines the process for how cryptographic keys are managed and used to protect cardholder and account data.

Neira Jones, Head of Payment Security at Barclaycard Global Payment Acceptance, said: "In our continuous effort to promote the use of risk mitigation technologies to the payment value chain, we welcome the release of the Visa Europe guidelines on tokenisation, as the industry's awareness of this technology is maturing. This important first step, ahead of expected PCI SSC guidelines this autumn, will definitely help organisations currently considering this technology better to plan for its adoption."

   © 2012 ProSecurityZone.com