Today, the PCI SSC finally released tokenization guidelines. Nothing too surprising in the guidelines, but they did bring up several interesting points. One of my favorites is:
"When evaluating a tokenization system, it is important to consider all elements of the overall tokenization solution. These include the technologies and mechanisms used to capture cardholder data and how a transaction progresses through the merchant environment, including transmission to the processor/acquirer. The tokenization solution should also address potential attack vectors against each component and provide the ability to confirm with confidence that associated risks are addressed."
This is a VERY important component that I feel is not adequately addressed in the market right now. I think it's great that processors are providing tokenization, but for a merchant the question is: how do I address the credit card data within my own environment? One key example is how I get the credit card data to the processor to begin with. Even within the merchant environment's point-of-sale systems you see issues. I am excited to see developers starting to utilize these technologies. However, if the point-of-sale system is handling the tokenization process, then it is still within scope.
Tokenization, while simple in theory, presents many challenges to merchants, and this is a key reason why the PCI SSC Tokenization Guidance specifically says that tokenization "might" reduce your PCI scope. As always, be careful of the silver bullet in security, and in this case the silver bullet of PCI scope reduction.