The Password Problem: A Call for Stronger Authentication

Passwords must die.

At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing them, brute-force attacks, keyloggers, socially engineered cons, and just breaking in and outright stealing them from a database as in a recent attack on Yahoo, users are in a difficult situation.

For one thing, too many of us aren’t using strong passwords to begin with. This year’s breach of millions of Yahoo! Voice user passwords demonstrated our unwillingness to remember long, challenging combinations of numbers, letters and symbols – “password” was the most common password among those stolen. Another problem is that our passwords are only as effective as the security of the organization storing them. It does us no good to have the longest, most cryptic password possible if someone simply breaks in and steals it from our email provider. 2012 was littered with data breach disclosures of stolen passwords and password hashes from major sites, including LinkedIn, Zappos, eHarmony and Last.fm, to name a few.

Is Tokenization the Cure for Meeting PCI DSS and Minimizing Data Breaches?

One thing gaining traction in PCI DSS is the notion of tokenization, which uses a unique identifier instead of the credit card data after its first use in an authorized transaction. Afterwards, the actual card data is stored in a centralized, highly secure server called a “vault” and a token is used in its place. This approach removes the actual card data from applications and systems that don’t need it and reduces the portion of the Cardholder Data Environment (CDE) that is in scope for PCI. This, in turn, makes it easier to manage and meet PCI compliance!

Why? Because if a system, application or host doesn’t actually store or process card data—remember, it’s using a token instead—then it may not be in scope for the PCI environment. This can significantly reduce what is part of the PCI environment. Another advantage of PCI tokenization is that if an attacker compromises a system and obtains the token, it isn’t card data, thereby reducing the impact of a data breach.