Visa Releases Global Best Practices for Card Data Tokenization

July 14, 2010 at 8:03 AM EDT
Part of broader Visa strategy to help merchants eliminate card data, shrink payment environment and streamline security


Visa Inc. (NYSE: V) today announced global industry best practices for tokenization to provide guidance to merchants, vendors, service providers and acquirers and promote safer merchant payment environments. Based on Visa's experience working with the industry and also insights from data compromise investigations, the tokenization best practices are the latest in a series of guidance to help merchants reduce or eliminate sensitive card data from payment systems and simplify data security and compliance efforts.

Tokenization is the process through which a credit or debit card's 16-digit primary account number (PAN) is replaced by proxy numbers. Merchants and processors that use tokens in accordance with best practices are able to limit PAN storage, significantly reducing the risk that sensitive cardholder data may be stolen by data thieves. Visa has provided a type of single-use token for many years; transaction IDs are provided in place of card numbers for every transaction processed by VisaNet, so merchants may utilize it for settlement and other ancillary processes with the support of their processors. The best practices also address multi-use tokens, which can be used for more complicated purposes such as fraud management, recurring or subscription payments, and merchant loyalty programs.

"Where properly implemented, tokenization may help simplify a merchant's payment card environment," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "However, we know from working with the industry and from forensics investigations, that there are some common implementation pitfalls that have contributed to data compromises. For example, entities have failed to monitor for malfunctions, anomalies and suspicious activity, allowing an intruder to manipulate the tokenization system undetected. As more merchants look at tokenization solutions, these best practices will provide guidance on how to implement those solutions effectively and highlight areas for particular vigilance," he added.

The best practices are part of Visa's broader effort to provide guidance and recommendations to help merchants and the industry better manage security and compliance. By reducing the amount of vulnerable information that needs to be protected, merchants can simplify their payment systems and improve payment security. In October 2009, Visa published the Visa Best Practices for Data Field Encryption for protecting cardholder information and limiting the clear-text availability of cardholder data and sensitive authentication data. As part of these best practices, Visa recommended that entities consider using tokens (such as a transaction ID or a surrogate value) to replace the PAN for use in payment-related business purposes other than payment acceptance. Feedback from the industry about the encryption best practices highlighted a demand for more detailed guidance on tokenization. Visa has also provided best practices for PAN storage and truncation, including the use of tokens in lieu of full card numbers. Visa's Best Practices for Tokenization, Data Field Encryption, and PAN Storage and Truncation may be found online at

"Tokenization is one more element in a merchant's anti-fraud and PCI compliance toolkit. Particularly valuable for card-not-present and recurring payment applications, tokenization also retains the merchant's ability to perform marketing and fraud analytics while getting card number data off the merchant's systems and easing some of their Payment Card Industry Data Security Standards obligations," said George Peabody, Director, Emerging Technologies at Mercator Advisory Group.

Visa's tokenization best practices provides guidance on areas in which poor execution has been a problem in the past, including proper generation of tokens and the management of historical data. The best practices highlight four key components of effective tokenization:

  • Token generation - defines the process for how a token is generated.
  • Token mapping - defines the process for associating a token to its original PAN value.
  • Card data vault - defines the central repository of cardholder data that is used by the token mapping process.
  • Cryptographic key management - defines the process for how cryptographic keys are managed and used to protect cardholder and account data.

Perez also noted that other sensitive authentication data such as full contents of the magnetic strip, CVV2, PIN and PIN block should never be stored after the authorization for any reason. "Tokenization is intended as a complement to, rather than a replacement for, the Payment Card Industry Data Security Standard," he said. "While tokenization and encryption solutions can streamline a merchant's environment, strong security layers are required to protect against data compromise."

About Visa Inc.: Visa Inc. is a global payments technology company that connects consumers, businesses, financial institutions and governments in more than 200 countries and territories to fast, secure and reliable digital currency. Underpinning digital currency is one of the world's most advanced processing networks--VisaNet--that is capable of handling more than 10,000 transactions a second, with fraud protection for consumers and guaranteed payment for merchants. Visa is not a bank, and does not issue cards, extend credit or set rates and fees for consumers. Visa's innovations, however, enable its financial institution customers to offer consumers more choices: Pay now with debit, ahead of time with prepaid or later with credit products. For more information, visit

SOURCE: Visa Inc.

CRC Public Relations for Visa Inc.
Steve Burke, +1 703-683-5004, ext. 108