PCI DSS – Tokenization

The tokenization is really necessary on PCI DSS area ?

pci6The tokenization is or not a good solution for PCI DSS requirements ? I’m not sure to find on this technical solution a good way to reduce the scope but I’m sure to enforce the security of my PCI DSS Area…let’s go for more understand this.



Def. is a process by which the primary account number (PAN) is replaced with surrogate value called a “Token”.

  • The de-tokenization is the reverse process of redeeming a token for its associated PAN value.
  • The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.
  • Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS Requirements.

That’s clear for me, it’s only very nice about requirement 3.4 and reduce my risk…but for really reducing my initial scope is not the good way.

On the next points, I relate to the use of tokenization and its relationship to PCI DSS

  • Tokenization solutions do not eliminate the need for PCI DSS compliance.
  • Verifying the effectiveness of a tokenization implementation  includes confirming that PAN is not retrievable from any system component removed from scope.
  • Tokenization systems and processes are in scope for PCI DSS and must be protected with strong security controls and monitoring.
  • Tokens that can be used to retrieve PAN or that can be used to perform transactions (sometimes called high-values tokens) may have the same sensitive as a PAN, and could be in scope for PCI DSS.
  • Tokenization solutions can vary greatly across different implementations and merchants considering tokenization should perform a thorouhg evaluation and risk analysis to identify the unique characteristics of their implementation.

Thanks to PCI SSC for theses informations about Tokenization.

En joy PCI DSS 🙂