Yankee Group  
The Promise and Perils of Tokenization


Price: $495.00

Description

A Get Out of PCI DSS Jail Free Card?

The Payment Card Industry Data Security Standard (PCI DSS), a set of security best practices defined by the credit card industry and focused on protecting cardholder data, was created in response to a steady stream of break-ins that compromised large amounts of cardholder data. Underlying these breaches was a change in tactics by the bad guys. The payments industry had improved the security of the merchant-to-bank link (e.g., by encrypting communications between the PoS terminal and the bank), so the bad guys looked for an easier approach. They tried attacking the merchants directly, and it worked. According to Verizon’s 2009 Data Breach Investigations Report, the 90 breaches that made up Verizon’s 2008 caseload accounted for 285 million compromised records. These are just the breaches Verizon was working on; the total number of lost records was much larger. To keep up, the payments industry needed to expand its security efforts to include merchants.

Merchants and their banks are mandated by the card companies to adhere to PCI DSS. Compliance is determined by recurring assessments; failure to comply can result in penalties including fines or the revocation of card processing privileges. As firms scrambled to meet the terms of PCI DSS, they invested heavily—the National Retail Federation estimates that as of June 2009, its members had spent more than $1 billion on PCI DSS compliance. As a result, there are now hundreds of solutions across dozens of categories, all of which claim to address one aspect or another of PCI DSS. While much of this activity has simply been an attempt to give old solutions new life, some of it is more interesting. Perhaps most interesting is a data security approach called tokenization.

Keywords: token, tokenization, credit card, security, compliance

Pages: 6 pages

Publish Date & Author(s): August 2010, by Ted Julian, Principal Analyst, and Nick Holland, Senior Analyst

 
