PCI Council’s New EMV Payment Token Rules Are Worth Reading Closely

The PCI Council in late December rolled out its security rules for token service providers for EMV payment tokens, which overwhelmingly deals with mobile transactions. Today, the card brands handle the vast majority of tokens issued, but the council expects that to sharply change now that EMVCo has released the specification. Given the importance of tokens to payment facilitators, it’s worth a read.

One of the fun things that this document does, in pure PCI Council fashion, is deliver more acronyms. Yes, these are brand acronyms. (No, no need to thank them.) One is TDE, for Token Data Environment. An important term—not an acronym yet, sadly—is Payment Token Data, which has a very specific definition: “Covers a number of discrete data elements, including the Payment Token and related data as defined in the EMV Payment Tokenisation Specification Technical Framework, which include the Payment Token Expiry Date, Payment Token Requestor ID, Payment Token Assurance Level and Payment Token Assurance Data.”

Here’s a comforting note. “Within the TDE, Payment Tokens must be secured in the same way as a PAN. (But) outside the TDE, Payment Tokens do not require protection and are not in scope for PCI DSS,” the document said. This is key, as it allows storage of the tokens outside of the token data environment to not interfere with compliance. That is quite helpful and—as it should—is quite different from PCI rules involving the PAN itself.

Several other items of note:

  • “Wireless environments are not permitted to be connected to the TDE.”
  • “Payment Tokens must also be masked when displayed such that only personnel with a legitimate business need can see the full Payment Token (PCI DSS Requirement 3.3), and rendered unreadable wherever they are stored (PCI DSS Requirement 3.4) in the TDE.”
  • “Access to Payment Token Data in the TDE must also be restricted according to principles of need-to-know and least privilege.”
  • The document has a specific requirement to “examine change documentation and interview personnel to verify that for each change to systems or networks” and that “sign-off by responsible personnel (as defined in TSP 8.2.3) was obtained and documented.”
  • Systems must be “configured to generate logs and alerts upon detection of clear-text PAN and/or Payment Tokens leaving the CDE/TDE via an unauthorized channel, method, or process.”\
  • “Firewall controls in PCI DSS Requirement 1 also apply to internal firewalls used to separate TDE from non-TDE networks.”
  • A bit of PCI Council kindness: “Where there is a legitimate, documented business or technical justification, it is permissible for system components in the TDE to also perform other functions.”
  • “The TDE must be on a dedicated network(s) that is separated by a firewall(s) from all non-TDE networks and any Internetconnected networks.” and “A virtual LAN (VLAN) is not considered a separate network segment. Where there is a legitimate, documented business or technical justification, it is permissible for non-TDE systems to be included within the same network as the TDE.”