July 14, 2010

In an ongoing effort to eliminate or reduce sensitive card data from payment systems and simplify data security and compliance, Visa today announced global industry best practices for tokenization.

The best practices could serve as guidance for merchants, vendors, service providers and acquirers on providing tokens - proxy numbers that replace 16-digit credit card numbers - to reduce the threat of data theft. The best practices also address multi-use tokens, which could apply to processes such as fraud management, recurring payments and loyalty programs.

"Where properly implemented, tokenization may help simplify a merchant's payment card environment," said Eduardo Perez, Head of Global Payment System Security, Visa Inc. "However, we know from working with the industry and from forensics investigations, that there are some common implementation pitfalls that have contributed to data compromises. For example, entities have failed to monitor for malfunctions, anomalies and suspicious activity, allowing an intruder to manipulate the tokenization system undetected. As more merchants look at tokenization solutions, these best practices will provide guidance on how to implement those solutions effectively and highlight areas for particular vigilance."

Performing transactions through tokenization could keep a significant amount of vulnerable information from potential theft. Visa's best practices are available at www.visa.com/cisp.