The Payment Card Industry Security Council recently released the PCI DSS tokenization guidelines, clarifying how tokenization affects PCI compliance and securing cardholder data. I sat down with Christian Janoff, Cisco retail industry architect, whose team has just finished work on the Cisco Design Guide for PCI DSS 2.0, to talk about his views on this guideline.
Christian's views of the new tokenization guideline supplement are:
- It is a good document, as tokenization is the subject of a lot of discussion on whether it de-scopes the network from PCI compliance.
- If tokenization simplifies the merchant’s environment and does not add complexity, it is a good thing just like any other solution approach to compliance.
- Everyone breached to date was not PCI compliant at the time of the breach. Simplifying the environment makes maintaining PCI compliance easier.
- Tokenization can reduce complexity in the merchant's environment in the way they store cardholder data and put tokens in the application.
- Tokenization does have complexity in its own way. Merchants still have to isolate and protect the tokenization system via segmentation. Cisco's approach to compliance is segmentation by isolating systems and protecting them. Cisco supports both segmentation and tokenization as approaches to compliance.
- Tokenization and segmentation are not mutually exclusive; it is not an either/or proposition.
- The Qualified Security Assessor, at the end of the day, makes the assessment on security and compliance in the merchant's environment; vendors like Cisco provide guidance on compliance.
Cisco is a sponsor of the upcoming PCI North America Community Meeting on September 20-22 in Scottsdale, AZ, and we look forward to meeting everyone there. We will also be conducting a charity auction at the event of art pieces from the Cisco Art of Compliance, benefiting the Retail Orphan Initiative.
To learn more about Cisco's PCI solution for PCI DSS 2.0, please visit us on the web at http://www.cisco.com/go/pci2