
When tokenizing credit card information, does it make sense to tokenize every credit card attribute in order to be PCI compliant?

For example, if a credit card has the following attributes:

  • First Name
  • Last Name
  • Credit Card Number
  • CVV
  • Expiration

Is tokenizing just the Credit Card Number enough to be PCI compliant?

Correspondingly, if tokenizing ACH details and the details include:

  • ACH Routing
  • ACH Bank Name
  • ACH Account Number

Is tokenizing just the Account Number enough to be PCI compliant?

Or, is every attribute required to have its own token, such that the number of tokens necessary to be PCI compliant is equal to the number of attributes?

ACH is not part of PCI compliance (PCI stands for payment card industry) and it has its own set of rules you must follow (see NACHA compliance).

The point of tokenizing is to hide all of the credit card information from everyone except those who need access to it. The token is then used to represent the card in your system.

What you probably mean is encryption. Firstly, you shouldn't be storing credit card information and, if you require doing so, you should be using a third party to do so. Many payment gateways and services offer this ability, which removes most of the PCI compliance burden, and risk, from you. But if you choose to store this data locally, PCI outlines what encryption you may use and what must be encrypted:

  • Primary Account Number
  • Cardholder Name (if stored with the account number)
  • Expiration Date (if stored with the account number)

You also may not store CVV numbers under any circumstances.
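
A sketch of the tokenization described in the answer above, added here as an example and not part of the original answer: one random token stands for the whole card, the card data lives only in the vault, and the CVV is dropped. `CardVault`, `to_local_record` and the field names are hypothetical, and the in-memory dict stands in for a third-party provider's store.

```python
import secrets


class CardVault:
    """Stand-in (assumption) for a third-party vault: the only place card data lives."""

    def __init__(self):
        self._cards = {}  # token -> card data; in-memory only for this sketch

    def tokenize(self, card: dict) -> str:
        # One random token represents the whole card, not one token per attribute.
        # It is not derived from the card number, so it reveals nothing without the vault.
        token = "tok_" + secrets.token_urlsafe(16)
        # The CVV is dropped here and never stored.
        self._cards[token] = {k: v for k, v in card.items() if k != "cvv"}
        return token

    def detokenize(self, token: str) -> dict:
        # Only the component that actually charges the card should call this.
        return dict(self._cards[token])


def to_local_record(card: dict, vault: CardVault) -> dict:
    """What the merchant's own database keeps: the token, plus last four digits for display."""
    pan = card["number"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("not a card number")
    token = vault.tokenize({**card, "number": pan})
    return {"card_token": token, "last4": pan[-4:]}


if __name__ == "__main__":
    # Constructed sample input (a well-known test card number, not a real card).
    sample = {
        "first_name": "Ada",
        "last_name": "Example",
        "number": "4111 1111 1111 1111",
        "cvv": "123",
        "expiration": "12/30",
    }
    vault = CardVault()
    print(to_local_record(sample, vault))
```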
