PCI SSC reveals tokenization guidance

Rachel Wheeler Archive

Merchants using address software have been warned that tokenization does not ensure compliance with Payment Card Industry Security Standards Council (PCI SSC) standards.

Tokenization replaces the customer's card number with a token value, reducing a hacker's ability to steal card information.

While the PCI SSC says that tokenization can be classed as a compliance technology because it goes some way towards meeting acceptable standards, applying it on its own is not enough.

In light of this, the PCI SSC has released a 23-page guidance document to help firms use tokenization and stay compliant.

"For a token to be considered out of scope, it has to be unusable if it, or any system it resides on, is compromised. That's the bottom line," explained Bob Russo, general manager of the PCI SSC.

Alex Fidgen, director of MWR InfoSecurity, recently suggested that technology for compliance can help firms to increase their consumer base.