Recent news coverage discusses a community meeting of the Payment Card Industry (PCI) Security Standards Council taking place this week in Orlando, Florida. Tokenization and end-to-end encryption feature prominently in the coverage, and that is not a surprise. There is a growing use of both technologies in many companies to secure credit card information as they seek compliance with PCI DSS requirements.
Encryption and tokenization are expected to be discussed despite the fact that the council itself is not planning to include either of them in the new version of the PCI DSS standard, due out October 28.
For companies looking to comply with the standard, tokenization and encryption both offer merits but are not mutually exclusive. Given the nature of many of today’s large enterprises, security pros often decide to deploy both tokenization and encryption. A “layered” approach is best, especially as companies should strive to be secure first—and then achieve compliance as a “by-product of good security,” as Bob Russo, general manager of the council, puts it.
The flexibility, scalability and data type requirements relevant to securing a given system will dictate whether companies select tokenization, encryption, or both as the way to protect sensitive information. By applying whichever approach makes sense in each scenario, companies will enhance their overall security while aiding their compliance efforts. The additional guidance on the use of end-to-end encryption and tokenization expected later this year comes none too soon. The market is already using these approaches, so the PCI SSC’s view of how they can aid compliance may at least help IT professionals and QSAs.