Tokenization

Tokenization is a data security technique that replaces sensitive payment card data, principally the Primary Account Number (PAN), with a non-sensitive substitute value called a token. The token has no intrinsic or exploitable meaning or value: it is not derived from the PAN by any operation an attacker could reverse, so possessing a token gives no way to recover the card number. The PAN itself is stored separately in a protected token vault, and only the tokenization system can map a token back to its PAN. Tokenization reduces the scope of PCI DSS compliance by removing PANs from systems that do not need them, such as order management, analytics, and customer-service applications, which can operate on the token alone.
Regulatory Definitions
- PCI DSS v3.2.1 (Requirement 3.4) and v4.0 (Requirement 3.5.1): index tokens are one of the accepted methods for rendering PANs unreadable anywhere they are stored. A token must not be reversible to the original PAN by anyone who does not control the tokenization system. Random, vault-backed tokens meet this; an unkeyed hash of the PAN does not, because the set of valid PANs behind a known BIN is small enough to enumerate. Systems that store, process, or transmit only tokens can be removed from the assessed environment if they have no access to PANs or to the de-tokenization function. The tokenization system itself (token vault, de-tokenization service, and its keys) remains in scope for whoever operates it, whether the organization or a third-party service provider.
- PCI DSS Requirement 3 (Protect Stored Account Data) and the PCI SSC Tokenization Guidelines information supplement: organizations using tokenization must ensure tokens cannot be reversed to reveal the original PAN and must maintain security controls (access control, key management, logging and monitoring) over the tokenization process, the token vault, and token management systems.
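Worked example, added here and not part of the original page: a toy Python token vault of the kind described above, which issues random, length-preserving tokens (keeping the last four digits for display and rejecting any token that passes the Luhn check so it can never be mistaken for a real card number), alongside a brute-force routine showing why an unkeyed hash of the PAN does not satisfy the irreversibility requirement. The PAN 4111111111111111 is a constructed test number, the 16-digit length assumption is the example's own, and all function and class names are hypothetical.

```python
"""Toy PAN token vault plus a demonstration of why a plain hash is not a token."""
import hashlib
import secrets
from typing import Optional

PAN_LENGTH = 16  # assumption: 16-digit PANs, as issued by most major brands


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Random, vault-backed tokens: the PAN lives only inside the vault."""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and len(pan) == PAN_LENGTH and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # same PAN -> same token (multi-use token)
            return self._pan_to_token[pan]
        while True:
            # Keep the length and the last four digits so downstream systems can
            # display "**** 1111"; everything else is fresh randomness, not derived
            # from the PAN, so nothing about the token can be inverted.
            body = "".join(secrets.choice("0123456789") for _ in range(PAN_LENGTH - 4))
            token = body + pan[-4:]
            # Reject tokens that pass Luhn: every issued PAN passes Luhn, so a
            # Luhn-failing token can never be confused with, or used as, a card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a caller with vault access can do this; denying that access to
        token-only systems is what lets them fall out of PCI DSS scope."""
        return self._token_to_pan[token]


def sha256_pan(pan: str) -> str:
    """The anti-pattern: an unkeyed hash of the PAN, mistaken for a token."""
    return hashlib.sha256(pan.encode()).hexdigest()


def brute_force_hashed_pan(pan_hash: str, bin6: str, last4: str) -> Optional[str]:
    """Recover a PAN from its SHA-256 given the BIN and the last four digits, both
    of which routinely appear on receipts and in logs. Only the middle six digits
    are unknown, and Luhn discards nine tenths of those, so the search is trivial."""
    free = PAN_LENGTH - len(bin6) - len(last4)
    for middle in range(10 ** free):
        candidate = f"{bin6}{middle:0{free}d}{last4}"
        if luhn_valid(candidate) and sha256_pan(candidate) == pan_hash:
            return candidate
    return None


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"            # constructed test number, not a real card
    tok = vault.tokenize(test_pan)
    print("token:", tok, "luhn:", luhn_valid(tok))
    print("detokenize:", vault.detokenize(tok) == test_pan)
    print("hash recovered:", brute_force_hashed_pan(sha256_pan(test_pan), "411111", "1111"))
```

The in-memory dictionaries stand in for what would be an encrypted, access-controlled, audited vault in production; the point of the example is the contrast, not the storage. The random token cannot be searched for because there is nothing to search: no function of the PAN produced it. The hashed "token" falls to a six-digit enumeration as soon as the BIN and last four are known, which is why keyed hashes, truncation alone, or a proper vault are what the requirement accepts.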