Tokenisation: Five things CIOs need to know

If you set up a tokenisation server on your network, you're still storing the data

It beats encryption. Encryption leaves your data vulnerable if thieves steal the key. Tokenisation replaces protected data with a digital placeholder, a token, that applications use just as they would real Social Security or credit card numbers, while the real values stay only in the tokenisation server. If you're hacked, the stolen tokens are useless to criminals. "Any business storing card numbers today should be looking at tokenisation," says Lucas Zaichkowsky, a senior compliance technologist with Mercury Payment Systems.

Tokens can look like your legacy data. One of the good things about tokenisation is that you can be flexible in how you create your tokens. They can have the same data structure as the credit card or Social Security numbers you're already storing, making it easier to reprogram your legacy applications to handle tokens. And there's a pretty good chance you'll end up using both tokenisation and your legacy systems in combination at first.

For some, it reduces your PCI compliance burden. Another of the great benefits of tokenisation is that if you set it up using an outside vendor and are not storing card data, you can skip the very long PCI Self-Assessment Questionnaire D in favor of the smaller and easier-to-complete Questionnaire C. However, if you set up a tokenisation server on your network, you're still storing the data, so you still have to fill out the longer compliance questionnaire.

It's tricky to deploy. If you switch from credit card numbers to tokens, you may find unexpected places where those credit card numbers are used. If you're issuing a new token every time someone hands over a credit card number, for example, your fraud-detection systems can no longer tie repeat transactions to the same card. You'll need to map out all applications using this data beforehand. But even after you do this, don't expect to be able to move every system to tokens immediately.
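The two points above (tokens that keep the shape of the card numbers they replace, and the difference between one token per card and a fresh token per transaction) as an added, illustrative example; this is not code from the article or from any vendor it names, and the in-memory dictionary stands in for the real, hardened token vault:

```python
import secrets

# Constructed sample PAN: a well-known test number, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(number: str) -> bool:
    """True if a digit string passes the Luhn check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Illustrative in-memory vault mapping tokens to the PANs they stand in for.
    If this mapping lives on your own network you are still storing card data,
    which is exactly the compliance point the article makes."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}  # used only in consistent (one token per card) mode

    def _new_token(self, pan: str) -> str:
        # Format-preserving: same length, all digits, last four kept so legacy
        # receipts and lookups still work; the rest is random. Candidates that
        # happen to pass Luhn are rejected, so a token can never be mistaken for
        # (or accidentally processed as) a genuine card number.
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            candidate = middle + pan[-4:]
            if candidate not in self._token_to_pan and not luhn_valid(candidate):
                return candidate

    def tokenize(self, pan: str, per_use: bool = False) -> str:
        # Consistent mode returns the same token for the same card, so fraud
        # rules can still correlate transactions; per-use mode breaks that link.
        if not per_use and pan in self._pan_to_token:
            return self._pan_to_token[pan]
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        if not per_use:
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]
```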

Payment options vary. How do you want to pay for tokenisation? Akamai offers a service that prevents Web users from ever entering their credit card numbers into a merchant's system; they charge a flat rate. You can probably get tokenisation as a service for about 10 cents per transaction from a payment-processing vendor, but that could lock you into their system. You can manage your own tokenisation servers, but some vendors charge per record.

Read more about data management in CIO's Data Management Drilldown.

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.