Tokenization: Everything you need to know

To combat credit card fraud and protect consumers, card brands like MasterCard, Visa, American Express, Discover and JCB established the PCI Security Standards Council which mandates a set of security standards for managing online payments.

What is PCI DSS?

The Payment Card Industry Data Security Standard, better known as PCI DSS, is a global security standard for the acceptance and processing of credit cards. As you may already know, ensuring compliance with PCI Data Security Standards can be a challenging task. This is especially the case if your payment systems employ a patchwork of different services from different vendors. Just because the services you use are PCI compliant does not mean your operations will be considered so. PCI covers your entire cardholder data environment which not only includes the way you process payments and manage customer data but also how you connect those systems.    According to the PCI Security Standards Council, PCI DSS: “covers technical and operational practices for system components included in or connected to environments with cardholder data.” It has 12 requirements designed to achieve 6 goals. These are outlined in the PCI Security Standards Council Reference Guide and copied below:


Do I need to be PCI compliant?

YES. If you process, store, or transmit credit card data, you’re required to comply with this set of standards.

Levels of PCI compliance

Each card brand has its own set of compliance levels. Depending on the level you fall into, you’ll need to adhere to a specific set of requirements. And you’ll need to ensure you are compliant with 100% of these requirements as failing even ONE element will result in non-compliance. To view the compliance levels set out by each card, see – VisaMastercardDiscoverAmerican Express, & JCB.
If you accept multiple card brands, there’s no need to panic. The major card companies have cooperated to make it easier. Visa, Mastercard, and Discover have the same criteria. If you also work with American Express or JCB in addition to these issuers, your merchant level will be the same as given to you by Visa, Mastercard, or Discover. Your compliance level will depend on the annual number of transactions.

PCI Compliance illustration

PCI Compliance Levels

PCI Compliance Level 1
Processing more than 6 million card transactions per year.

PCI Compliance Level 2
Processing 1 to 6 million card transactions per year.

PCI Compliance Level 3
Processing 20,000 to 1 million card transactions per year.

PCI Compliance Level 4
Processing less than 20,000 card transactions per year.

How much does PCI compliance cost?‍

There’s no clear-cut answer to this question. It depends on the current business structures you have in place, and whether or not they require significant changes to conform to PCI standards. Larger-scale merchants with complex payment infrastructures and more employees will find the costs associated with becoming compliant much higher than smaller merchants with limited operations.

If you’re a level 1 merchant with more than 6 million transactions per year, you’ll need to have an onsite data security assessment by a Qualified Security Assessor (QSA). You will also need to set aside a budget to conduct regular vulnerability scanning, penetration testing, staff security training, and have dedicated resources to pay for security policy development. If you fall into level 2 and 3, audits by an external security expert might be required as well as staff training, vulnerability, and penetration testing. You’ll also need to complete a Self-Assessment Questionnaire. Overall, the cost of compliance will always be lower than the cost of noncompliance. This is especially the case for larger merchants in a hyper-growth stage. Never mind the financial and reputational losses that stem from a data breach, you may be fined by card companies and lose the ability to accept credit cards altogether. That means your growth will come to an immediate halt. You may even risk going out of business!

What role does DSS tokenization play?

The PCI DSS requirements apply to all components that are in or connected to the cardholder data environment. This compromises of any person, process or technology that stores or transmits sensitive cardholder data. That’s a lot of elements to cover!
One way to reduce your scope is to avoid storing and transmitting cardholder data altogether. That means not having any unencrypted credit card numbers, CVV or CVV2 or PIN numbers in your systems. That’s where DSS tokenization comes in.

DSS tokenization Process

The Tokenization Process

DSS Tokenization helps to REDUCE not eliminate your scope. PCI Security Standards clearly state


Tokenization solutions do not eliminate the need to maintain and validate PCI DSS compliance, but they may simplify a merchant’s validation efforts by reducing the number of system components for which PCI DSS requirements apply.


Even if you’ve limited the existence of card details to the point of capture and the card data vault, ensured the data has no value to any potential criminal and made certain that adequate segregation exists between your platform and the card-holder data environment, you’ll still need to comply with the PCI standards.

Reduce your scope with ZOOZ’s universal tokens

ZOOZ offers several ways of collecting and tokenizing a user’s card details (javascript API, secure fields, token API), each requiring a different PCI scope. Universal tokens and PCI compliant token vault reduce your PCI compliance scope significantly by enabling you to avoid storing or transmitting raw credit card data in your systems. With reduced exposure to PCI data security compliance requirements, you’ll save on compliance costs and sleep better at night in the knowledge that your operations are airtight when it comes to compliance. You’ll also be able to offer your customers a more secure payments experience.