Use tokenization to reinforce card data protection in transit payment systems

What are the requirements for card data protection?

PCI DSS regulations have defined two kinds of card data to be protected:

  • Card holder data, that is: the PAN, the name of the card holder, the expiry date and the service code

and

  • Sensitive Authentication Data, which is the full magnetic stripe data, the encrypted PIN block and the CVV.

Sensitive authentication data must never be stored in any form and should not be used in any system for any purpose other than payment.

All systems that handle card holder data are subject to the PCI SSC regulations, regardless of the tasks those systems perform.

PCI PTS POI covers the payment readers, whilst PCI DSS covers the entire system and every system connected to it.

To reduce the impact of the regulation, the cardholder data can be converted into something else:

  • Encryption of card data
  • Conversion of card data to a token

To be clear, encryption or tokenization of card data for clearing and settlement is out of the scope of this newsletter.

Focus on tokenization in transit environment

Transforming the card data into a Card Number Alias, or token, makes it possible to associate a card with an individual card holder or with an event.

This transformation is performed by a cryptographic computation.

The computation always generates the same token for the same card when the same algorithm is used. The algorithm is a one-way function, so there is no way to recover the card number from the token.

For instance, the algorithm used to generate a token may use a DES key to create a unique salt value.

A hash value is then calculated over the salt value concatenated with the card number. The result of this operation is the card number token.

Apart from the transaction itself, what is a token useful for?

  • Tokenization reduces the scope of the annual PCI DSS assessment, as no card holder data is held in clear anywhere in the system
  • In an open-loop transit solution, the card token is used for fare calculation, by matching the token of the tap-in against the token of the tap-out
  • The fare inspection application computes the token of the EMV card being inspected and compares it with the token held in the back office
  • Tokens make deny list updates easier

More generally, tokenization reduces the attack surface and protects the card holder from data theft.
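The following Python script is an added example, not code from this newsletter or from Alcineo, showing the token construction described above (a salt derived from a reader-held secret key, then a hash over salt and card number) together with the three uses listed: tap-in/tap-out matching, inspection and a deny list that holds tokens instead of PANs. Two assumptions are made: the salt is derived with HMAC-SHA256 rather than DES, and the "hash over salt concatenated with the card number" is implemented as HMAC-SHA256 keyed with the salt, so the token cannot be computed by anyone who does not hold the secret. The PANs, the reader key and the tap log are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values: test-range PANs and a reader key. Neither is real;
# in practice the key lives only inside the PCI PTS certified reader.
SAMPLE_PANS = {
    "alice": "4111111111111111",
    "bob":   "5555555555554444",
}
READER_KEY = bytes(range(32))  # 32-byte constructed secret


def derive_salt(key: bytes, scheme_id: bytes = b"transit-tokenization-v1") -> bytes:
    """Derive the salt from the reader's secret key.

    The article derives a unique salt with a keyed (DES) computation; this
    example uses HMAC-SHA256 instead (assumption). The same key always yields
    the same salt, so tokens produced by different readers sharing the key
    are comparable in the back office.
    """
    return hmac.new(key, scheme_id, hashlib.sha256).digest()


def tokenize_pan(pan: str, key: bytes) -> str:
    """Card number -> token: a keyed hash over the salt and the PAN.

    One-way: the PAN cannot be recovered from the token, and without the
    secret salt an attacker cannot enumerate the (small) PAN space to match
    a leaked token against candidate card numbers. That is why the salt must
    stay inside the PTS device rather than in the back office.
    """
    digits = pan.replace(" ", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("PAN must be 12 to 19 digits")
    salt = derive_salt(key)
    return hmac.new(salt, digits.encode("ascii"), hashlib.sha256).hexdigest()


def match_trips(taps: list[dict]) -> list[tuple[str, str, str]]:
    """Pair each tap-in with the next tap-out carrying the same token.

    Each tap is {'event': 'tap_in'|'tap_out', 'station': str, 'token': str}.
    Returns (token, origin, destination) for each completed trip; the fare
    engine never sees a PAN.
    """
    open_trips: dict[str, dict] = {}
    trips: list[tuple[str, str, str]] = []
    for tap in taps:
        tok = tap["token"]
        if tap["event"] == "tap_in":
            open_trips[tok] = tap
        elif tap["event"] == "tap_out" and tok in open_trips:
            start = open_trips.pop(tok)
            trips.append((tok, start["station"], tap["station"]))
    return trips


def is_denied(pan: str, key: bytes, deny_list: set[str]) -> bool:
    """Inspection-side check: tokenize the presented card and look the token
    up. The deny list distributed to inspectors contains tokens only."""
    return tokenize_pan(pan, key) in deny_list


def demo() -> dict:
    """Run the pieces end to end on a constructed tap log and return results."""
    t_alice = tokenize_pan(SAMPLE_PANS["alice"], READER_KEY)
    t_bob = tokenize_pan(SAMPLE_PANS["bob"], READER_KEY)
    # Constructed tap log: alice rides Central -> North, bob only taps in.
    taps = [
        {"event": "tap_in",  "station": "Central", "token": t_alice},
        {"event": "tap_in",  "station": "Central", "token": t_bob},
        {"event": "tap_out", "station": "North",   "token": t_alice},
    ]
    deny_list = {t_bob}
    return {
        "trips": match_trips(taps),
        "alice_denied": is_denied(SAMPLE_PANS["alice"], READER_KEY, deny_list),
        "bob_denied": is_denied(SAMPLE_PANS["bob"], READER_KEY, deny_list),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints one completed trip for the first token and a deny-list hit for the second. Note that the same PAN tokenized under a different reader key gives a different token, so a transit authority that wants tokens to match across its fleet must provision every reader with the same tokenization key, which is exactly the secret PCI PTS POI is meant to protect.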

What is Alcineo's tokenization solution?

In Alcineo's tokenization solution, tokens are generated inside the PCI PTS POI certified card readers and are unique per user, whether the user carries a card or an e-wallet.

The token is not used to identify the card holder; it is simply a secure identifier carried along with the enciphered transaction data to the transport authority server.

This tokenization service is used to:

  • Enable the transit authority to collect and aggregate the transaction data related to each token
  • Allow the payment processor to identify the card holder in order to process the clearing of the transaction.

Alcineo’s tokenization solution follows the PCI PTS requirements.

Diagram: card data tokenization in a transit environment

To go further

PCI DSS stands for Payment Card Industry Data Security Standard. The scope of PCI DSS includes any organization, person, system and component connected to the card holder data environment.

Visit the PCI SSC website.

PCI PTS POI is a standard that defines the logical and physical security requirements with which payment terminals must comply. Have a look at our previous article about PCI PTS POI 6.0.

HMAC is a specific type of Message Authentication Code involving a hash function and a secret cryptographic key.

A salt is random data that is added to the input before it is passed to a hash function.