Remote tokenization is a process that replaces sensitive data with randomized values – without allowing the visible data to exist on your system. A third party handles the process for you, and the original data never touches your environment. In contrast, local tokenization occurs on your system, and you are responsible for storing and securing the original data.
Remote Tokenization vs. Local Tokenization
Remote tokenization provides complete isolation from your data processing systems. This makes it easier to comply with the credit card industry’s data protection requirements. It also reduces the risk of accidental exposure or unauthorized access – offering a higher level of protection for your customers’ data.
Both forms of tokenization provide higher protection than encryption, which is reversible – and therefore susceptible to brute force attacks. Even if a token were to be exposed in a breach, it would have no real-world value – and the corresponding card data would not be retrievable.
Remote Tokenization and PCI Compliance
As a merchant, you are required to complete an annual Payment Card Industry Self-Assessment Questionnaire (PCI SAQ). You’re required to submit this questionnaire to the individual card brands, as well as your acquirer.
There are eight different SAQs for merchants, ranging from the relatively short to the long and complex. The shortest versions are only applicable to merchants that outsource all of their cardholder data functions to a PCI-compliant third-party service provider. To qualify for these SAQs, there must be no electronic storage, processing, or transmission of any cardholder data on your systems or premises.
Because local tokenization allows original, non-tokenized data to stay your system, you cannot qualify for the shorter SAQs. Instead, you must complete one of the longer, more complicated questionnaires, such as the 329-question SAQ-D.
It’s important to note that tokenization – whether local or remote – is not a substitute for a completing an annual SAQ. The PCI Security Standards Council explains that “tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.” Instead, a tokenization platform – especially one that handles the tokenization process remotely – can help you qualify for a shorter, less resource-intensive SAQ.
Choosing a Tokenization Service Provider
PCI guidelines note that “tokenization solutions can vary greatly across different implementations, including differences in deployment models, tokenization and de-tokenization methods, technologies, and processes.” To this end, it’s important to ask prospective service providers:
- Whether they use local or remote tokenization methods
- Whether their tokens are reversible or non-reversible
- Whether their tokens are cryptographic or non-cryptographic
This can help you choose a tokenization service provider that offers the most appropriate solution for your security goals.
Learn More about Curbstone’s Tokenization Technologies
As a PCI-Validated Level 1 Service Provider, Curbstone is committed to providing the highest levels of security for payment card data. Our Reversible, Non-Cryptographic Remote Tokens let merchants keep credit card numbers, bank account numbers, security codes, and other sensitive data off their systems – while offering a secure way to process recurring, card-on-file payments.
To learn more about Curbstone Remote Tokenization, contact us today.
This article is provided for general informational purposes only and does not constitute legal advice. If you have questions about your specific compliance requirements, please consult with your PCI-certified Qualified Security Assessor (QSA).
