Tokenization is the practice of replacing the sensitive data in question,
in our case the PAN (Primary Account Number, usually the 16 digits printed on the face of the card), with another unique identifier that is not considered sensitive.
Most tokenization products have two features that provide robustness and the ability to work in a cross-platform environment.
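As an added illustration, not code from the original article, here is a minimal token vault in Python: it validates the incoming PAN, issues a random token that keeps only the last four digits and is deliberately made to fail the Luhn check so it can never pass as a card number, and keeps the token-to-PAN mapping inside the vault so that systems holding only tokens stay outside the cardholder data environment. The vault design, the keyed index, the class and the sample card number are assumptions for the example.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check-digit test that real card numbers satisfy."""
    digits = [int(c) for c in pan]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative vault (assumed design): the only place the PAN exists.

    Tokens keep the last four digits (receipts, customer service lookups)
    and are otherwise random; they are forced to FAIL the Luhn check so a
    token can never be mistaken for, or used as, a real card number.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # keyed hash: the PAN index is not a plain, guessable hash
        self._pan_by_token: dict[str, str] = {}  # a real vault encrypts this column
        self._token_by_index: dict[str, str] = {}

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:  # same PAN always maps to the same token
            return self._token_by_index[idx]
        while True:
            head = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only systems inside the vault's own (in-scope) segment may call this."""
        return self._pan_by_token[token]
```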
PCI DSS comprises more than 200 requirements, and each one applies to every component within the cardholder data environment. The math is simple: the larger and more complex your network, and the more widely you distribute credit card information among your IT systems and network components, the larger the scope of your PCI DSS audit.
Do everything in your power to reduce the business need to save credit card data; you can do it if you live by the motto "if you don't need it, don't save it". Another way is network segmentation: isolate cardholder data in separate, controlled and monitored environments.
The truthful answer is NO.
That said, there are many best-practice methods that provide a structured approach to a successful PCI DSS project and a successful audit. For instance, don't go on a shopping frenzy for sexy technologies.
First, form an educated work plan that pinpoints exactly which technologies you need to support your business needs. DLP, NAC, SIEM/SOC, IDM, electronic vaults and more sound really cool to have, but they are not always necessary for meeting PCI DSS requirements, despite what some enthusiastic vendors might claim. All of these are excellent products and are very much needed to keep a good security practice going, but the choice of whether to implement them should not be driven only by PCI DSS; it should derive from the organization's unified information security policies and business goals.
When facing a compliance project, an organization may sometimes find itself at a loss. That feeling may be intensified by unclear deadlines and requirements from the local acquiring banks. However, not all challenges to meeting compliance are external.
Firstly, most large corporations, including banks, retail chains, telcos, insurance companies, eCommerce companies and any other merchant that handles credit card information, have a large cardholder data environment. This is mostly because organizations grew over time, and so did their IT systems and applications. It is therefore not uncommon to find an organization with web servers that accept credit card information, internal database servers that store it, a data warehouse application that stores and processes it, reporting applications that store and process it, clearing applications that transmit it, antifraud applications that process and transmit it, and so on.