
Tokenization is one of the best ways to secure your cardholder data environment. The basic idea is that you take sensitive information, such as a payment card account number (PAN), and simply remove it from your database, replacing it with an alternative value that serves as a placeholder for your own use but lacks the extreme sensitivity of the original information. After all, if you don't have the information in the first place, you can't be the source of a stored data compromise!

In payment card systems, tokenization often takes place at the payment gateway. When you process a credit card transaction, you send the transaction information to the gateway. When the gateway returns the transaction confirmation, it provides you with a token value that you may store in your database in place of the card number. For technical convenience, the token is normally formatted in the same manner as a credit card number, so it fits neatly into database fields designed to store card numbers without any modification. For business convenience, the last four digits of the token are usually the last four digits of the real card number, allowing you and your customers to reference a transaction by the last four digits of the card.

How does this help with PCI compliance?  It gives you a path toward easily meeting a couple of requirements.  First, PCI DSS requirement 3.3 requires that you:

“Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.”

Since the token only contains the last four digits of the PAN, there is simply no way that an application can accidentally violate this requirement.  The full PAN simply isn’t in the database!

Second, PCI DSS requirement 3.4 mandates that you:

“Render PAN unreadable anywhere it is stored (including on portable digital media, backup media and in logs) by using any of the following approaches…”

It then goes on to name four methods by which you can achieve this goal, including truncation, which is in effect what you are doing when you tokenize card numbers: only the last four digits of the original PAN survive in what you store.
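The following is an added illustration, not code from the original post or from any particular gateway: it simulates a gateway issuing a card-shaped token that keeps only the last four digits, applies the requirement 3.3 display mask, and provides an audit check that scans stored values for anything that still looks like a live PAN. The choice to make tokens deliberately fail the Luhn check (so a token can never be mistaken for a real card number) and the well-known test card number used as sample input are assumptions of this example, not statements from the post.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check, as every real PAN does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize(pan: str) -> str:
    """Simulated gateway tokenization (assumed design, not any vendor's scheme):
    random digits of the same length that keep the PAN's last four digits and
    deliberately fail Luhn, so the token is never a valid card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    last4 = pan[-4:]
    while True:
        prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = prefix + last4
        if not luhn_valid(token):   # roughly 9 in 10 candidates pass this test
            return token


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display masking: at most the first six and last four digits shown."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_stored_pans(values):
    """Audit check for a database column or log export: flag values that look like
    live PANs (13-19 digits passing Luhn). Tokens from tokenize() never match."""
    return [v for v in values if v.isdigit() and 13 <= len(v) <= 19 and luhn_valid(v)]


if __name__ == "__main__":
    sample_pan = "4111111111111111"   # constructed: a standard Visa test number
    token = tokenize(sample_pan)
    print("token:", token, "masked:", mask_pan(sample_pan))
    # constructed column contents: one forgotten raw PAN mixed in with tokens
    print("leaked PANs:", find_stored_pans([token, sample_pan, tokenize(sample_pan)]))
```

Running find_stored_pans over exported columns and log files is a cheap way to confirm that tokenization actually left no full PANs behind, which is the condition requirements 3.3 and 3.4 depend on.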

Finally, as we pointed out in the answer to an Ask the PCI DSS Guru question, tokenization obviates the need for the key management procedures required by PCI DSS sections 3.5 and 3.6.

Remember, of course, that tokenization is not a cure-all.  If you’re still processing and transmitting card numbers to your payment gateway, you still run the risk of those processes becoming compromised and being the source of a breach of payment card information.  You may wish to consider adding the use of Point-to-Point Encryption (PTPE) to prevent credit card numbers from entering your system in the first place!