Frequently Asked Questions

< Back to search page

To whom do the PCI Token Service Provider Security Requirements apply?

FAQ Response

The PCI Token Service Provider (TSP) Security Requirements are intended for entities that have registered with EMVCo as a Token Service Provider for Payment Tokens.  The PCI TSP Security Requirements cover Payment Tokens as defined by EMVCo, and do not address acquiring tokens or other types of tokens. While entities that provide services for acquiring tokens (for example, by tokenizing PAN after it is received from the cardholder during a transaction) may choose to implement the PCI TSP Security Requirements, they are not required to do so.

Entities that are registered as Token Service Providers by EMVCo should confirm their compliance and validation requirements with the applicable payment brand(s).

For more information, refer to the PCI TSP Security Requirements and Frequently Asked Questions for PCI TSP Security Requirements in the PCI SSC Document Library.

April 2016
Article Number 1383