It's good to see that Visa is putting additional pressure for truncation and tokenization of card numbers. However, "PCI DSS solutions" in general cost money that the merchants and service providers in general don't want to spend. They make sense from a technical point of view, but they incur in costs that would eventually drive those organizations away from them. Now, just food for thought: what if the card brands (Visa, Mastercard, Amex) started to offer tokenization services in a cloud based way? The merchant could just use the service to get tokens directly from Visa, who would be responsible for storing the real numbers and providing merchant specific tokens through a web service. The concerns related to hosting that data to a third-party wouldn't be relevant on this scenario, as the brand already has all those numbers anyway. The brands also have their networks already in place, that could also be used for "token request" transactions for the organizations that have big pipes and gateways to those networks and don't want to create a dependency between their highly available payment systems and their Internet connection. Visa could also use it for additional fraud prevention services (although it could also generate privacy related issues), by correlating the last request for a specific number with the fraudulent payment authorizations using that card. It would also remove the operating and technology support costs from the tokenization solution from the end-user organizations, making it more attractive to be implemented. What do you think of it? Does it fly?