Frequently Asked Question

PCI SSC has published a number of documents and supporting FAQs that are each intended for a specific type(s) of tokens.  An overview of the documents and the applicability is provided below.

• Additional Security Requirements and Assessment Procedures for Token Service Providers (EMV Payment Tokens) (2015): An additional standard intended for entities designated by EMVCo as Token Service Providers for Payment Tokens.  These requirements apply in addition to PCI DSS for the protection of the environment where the Token Service Provider performs tokenization services (token data environment). Assessment and validation against these requirements may be required by payment brands for registered Token Service Providers 

• Tokenization Product Security Guidelines (2015): Technical best practices for the development of tokenization solutions for acquiring tokens. The Tokenization Product Security Guidelines are intended as guidance only; there is no program or validation associated with the guidelines. 

• PCI DSS Information Supplement: PCI DSS Tokenization Guidelines (2011):  General guidance on the use of acquiring tokens in the payment industry. These guidelines provide a high-level introduction to tokenization concepts and security considerations, and do not define any technical specifications or implementation requirements. This document is intended as general guidance only.

For more information about types of tokens used in the payment industry, refer to What is the difference between 'acquiring tokens', 'issuer tokens', and 'Payment Tokens'?