Wednesday, January 20, 2010

Are Tokenization And End-To-End Encryption Substitutes?

Written by Walter Conway
January 20th, 2010 - StorefrontBacktalk.com

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

If your goal is to limit your PCI scope, should you pursue tokenization or end-to-end encryption? Or should you do both? I find it interesting that many large (L1 and L2) merchants are actively pursuing both options, and I’m wondering if that really makes sense from either a PCI or an economic perspective.

Maybe tokenization and end-to-end encryption are just two closely related approaches that can, when properly implemented, accomplish the same thing: minimize your total PCI scope. One thing is for sure, though: Either way, you will need to bring your checkbook.

Everybody wants to minimize their company’s PCI scope. When I look at scope issues, I generally classify systems into two broad areas. The first is the set of applications and network infrastructure in the payment transaction flow from the POS to the processor/acquirer and back. The second area of scope deals with post-transaction applications that use the data; for example, velocity checking/fraud systems, relationship management, delayed or split shipments, recurring payments, and chargeback and refund processing.

Copyright 2008 All rights reserved - Payments Industry Insights