Tokenization to Reduce PCI DSS Audit Scope

When you undergo a PCI DSS audit, all of the systems, applications and processes that have access to credit card information (unencrypted and encrypted) are considered "in scope." However, if you substitute tokens for the credit card information, and the systems, applications and processes never require access to the token's underlying value, then they are "out of scope" and do not need to be audited for PCI DSS compliance.

Because you can format tokens in any manner you wish, this enables you to, for example, render a customer service application and all of its processes as "out of scope." A typical customer service function answers billing questions and requires access to only the last four digits of a credit card number. If you format the token in this manner, and do not provide the customer service applications or people with any access to the token server, then the entire function is "out of scope." This offers significant financial and practical benefits to many organizations.

nuBridges Software Lets You Tokenize Card Numbers Yourself!

nuBridges Protect is a software product line that now offers a Token Manager module that intercepts the data you want to protect, generates format-preserving tokens and inserts them in place of the sensitive data. It then encrypts the original data and stores the cipher text in a central data vault. Tokens can be safely used by any application or database without risk of exposing sensitive data. When applications or databases require the clear-text value, they simply make a Web services call to the Token Manager and present the token. The Token Manager validates the request credentials and, if authorized, looks up the token in the data vault, identifies the appropriate cipher text, decrypts the value and presents it back to the database or application.