Haven the merchants that have moved forward, implemented some form of format preserving encryption to protect credit card data?
Griffin: I think in fact there is a significant divergence in the market. For example, for us at RSA, the first time we implemented tokenization was at Staples where they had done initial architecture work starting in 2004. They had made the decision not to use an encryption model for the protection of the PCI track and number information, but to use the tokenization model instead. Tokenization in that case is defined by the substitution model rather than by the transformation model. There is a significant divergence in the industry … divergence between the models in which transformation of the original value is used to create whatever the related value is and those approaches in which no such transformation is involved. It’s a way in which you simply map one value to another and use that mapped value as the token. I’ve been involved in the PCI DSS scoping committee working on tokenization and in that committee the fundamental issue has been how visible that distinction can and should
