Tuesday, December 13, 2011

Tokenization Guidance the PCI Council Failed to Provide


White Paper by Securosis Now Available from Prime Factors
EUGENE, Ore.--Prime Factors, Inc., has released an informative white paper that explains how tokenization reduces the cost of PCI compliance and provides guidance the PCI Council failed to provide in its guidelines for tokenization.
“For a set of guidelines, the supplement is sorely lacking in actual guidance.”
Prime Factors sponsored the white paper, authored by Adrian Lane of the data security analyst firm Securosis. Titled “Tokenization Guidance: How to reduce PCI compliance costs,” it is available as a free download on the Prime Factors website.

In August, the PCI task force published an “Information Supplement” commonly known as the ‘Tokenization Guidance’ document. It discussed the dos and don’ts of using token surrogates for credit card data. Tokenizing payment data holds the promise of improving security while reducing auditing costs, and it is generating great demand among merchants.
However, the task force did not answer the central question: how does tokenization reduce PCI compliance scope? Nor did it adequately address any of the key points raised in the publication’s introduction. According to Lane, “For a set of guidelines, the supplement is sorely lacking in actual guidance. Even the section on ‘Maximizing PCI DSS Scope Reduction’ is a collection of broad generalizations on security rather than practical advice or definitive statements on scope.”
The Securosis white paper, which addresses concerns left dangling by the PCI Council, is the result of dozens of interviews, hundreds of hours of research and a deep dive into deployment, auditing and scope reduction concerns that people have regarding tokens. Recommendations have been vetted with Qualified Security Assessors (QSAs) to ensure the advice holds up to PCI requirements with minimal friction during the assessment process.
The white paper provides real guidance for evaluating tokenization and clarifies how to benefit from it, in the form of concrete, actionable steps for merchants deploying tokenization, with checklists for auditors reviewing tokenization systems. It fills gaps in the PCI supplement, pokes at the topics the Council found politically unpalatable to discuss, and specifies what readers can reasonably omit from the scope of their assessment.
Lane’s research will be featured in a webinar sponsored by Prime Factors on January 17th. Registration for the free webinar is open. For more information, go to www.securosis.com and www.primefactors.com.
