Tym recently asked the PCI DSS guru:

“If I have tokenized some credit cards with my current gateway provider and I now want to move to a new gateway provider, how can I get the credit card data from the current gateway provider and give it to the new gateway provider, making sure the chosen way is PCI compliant?”

As you’re probably aware, Tym, tokenization is the process of replacing credit card numbers with a non-sensitive unique identifier. This process, performed by your payment gateway, provides you with a value (the token) that you can store without running afoul of PCI DSS requirements, because the token alone cannot be turned back into the card number. For more information on tokenization, read What is Tokenization?

In your case, you’re looking to reverse the tokenization process and obtain the real credit card numbers. You’ve already realized that you can’t do this on your own, as there is no way to compute the card number from the token that the gateway provided you. Before you go about trying to obtain that information from your gateway, I’d ask you to consider whether you really need the actual card numbers for past transactions. If you’re attempting to migrate recurring credit card transactions, this may be the case. If you’re only worried about managing those past transactions, perhaps your current gateway would be willing to continue to process refunds on your behalf after you migrate new transactions to another provider?

If you do need to obtain the actual card numbers and the gateway is both willing and able to provide them to you, you will need a secure means to transmit them. This actually is not very complicated, as you aren’t trying to design a permanent, recurring process; you just need to complete a one-time transfer of sensitive cardholder information. The easiest way to do this is to ask the gateway to export the card numbers to a file and then protect that file with strong encryption. For example, you might use WinZip to create an AES-encrypted file.

You’ll need to use a strong password to encrypt the file and then exchange that password out of band, separately from the file itself. This is as simple as authenticating yourself to the gateway’s technical team over the telephone and then agreeing on the file’s password during that call. Since the file is encrypted, they may then simply email it to you without worrying about the document’s security. Once you receive it, you may decrypt it using the agreed-upon password.

Remember that the credit card numbers you receive are subject to all of the protection requirements of PCI DSS. You’ll need to make sure that they are appropriately encrypted, and that you have proper key management in place, for as long as you retain the card numbers. My advice would be to use them quickly for the conversion and then destroy every copy as soon as you are done.
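The one-time transfer described above (encrypt the export with AES under a strong password, exchange the password by telephone, send the file, decrypt it, then destroy the plaintext) as an added, runnable example. This is not code from the original column; it uses the openssl command-line tool in place of the WinZip AES archive the column mentions, and it assumes OpenSSL 1.1.1 or later is installed. The file names, the sample CSV and the passphrase are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Added example, not part of the original column: one-time, password-protected
# hand-off of a card-data export with the openssl CLI. Assumed: openssl 1.1.1+
# (for -pbkdf2/-iter); file names, sample CSV and passphrase are constructed.
set -eu

ITER=600000   # PBKDF2 iteration count; both sides must use the same value

# Sender (current gateway): encrypt the export with AES-256-CBC. The passphrase
# is read from a file, never passed on the command line where "ps" could show
# it, and is stretched with PBKDF2 plus a random salt before becoming the key.
encrypt_export() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3"
}

# Receiver (merchant): decrypt with the passphrase agreed over the telephone.
decrypt_export() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# SHA-256 of a file as bare hex. "openssl enc" in CBC mode provides
# confidentiality only, so the sender reads this digest out on the same phone
# call as the passphrase and the receiver checks it before decrypting; that
# catches a truncated or substituted attachment.
file_digest() {
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Exit status 0 when the received file matches the digest read over the phone.
verify_digest() {
    [ "$(file_digest "$1")" = "$2" ]
}

# Destroy a plaintext copy once the conversion is done (the retention point in
# the column); shred is used when present, plain rm otherwise.
destroy_plaintext() {
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        rm -f "$1"
    fi
}

# End-to-end demo on constructed data.
demo() {
    work=$(mktemp -d)
    printf 'token,pan,expiry\ntok_0001,4111111111111111,1226\n' > "$work/cards.csv"
    printf '%s' 'constructed-demo-passphrase-change-me' > "$work/pass.txt"

    encrypt_export "$work/cards.csv" "$work/cards.csv.enc" "$work/pass.txt"
    phoned_digest=$(file_digest "$work/cards.csv.enc")   # sender reads this out

    verify_digest "$work/cards.csv.enc" "$phoned_digest"
    decrypt_export "$work/cards.csv.enc" "$work/cards.dec.csv" "$work/pass.txt"
    cmp -s "$work/cards.csv" "$work/cards.dec.csv"
    echo "round trip OK, digest $phoned_digest"

    destroy_plaintext "$work/cards.csv"
    destroy_plaintext "$work/cards.dec.csv"
    rm -rf "$work"
}

demo
```

Two design points follow the column's advice rather than add to it: the passphrase travels only by telephone and never in the same channel as the file, and the plaintext export is destroyed as soon as the round trip succeeds. The digest read-out is there because a password-protected archive or an openssl CBC file proves who could encrypt it only if you also confirm the bytes that arrived are the bytes that were sent.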