The cross-reference for the credit card to match that value is only maintained on one server. Meanwhile, anywhere the token is sent does not have to be subject to PCI requirements as it does not use the actual credit card data.
Hollis acknowledges that the second step – destroy and descope – is a source of tension as businesses want to retain customers' details for future sales. Online sellers usually issue cookies on the first transaction so they can recognise a computer, and as they have the data, make the following transactions easier.
"That's the problem," he says. "How long do you need to keep my credit card details if I buy something from you?"
This warrants some searching questions, and a recognition of the risks involved in hanging on to the data.
Hollis says that companies need to ask: "Why are you keeping that credit card data? The more credit cards you have on a database the more you become a target for hackers, and are those people really going to buy from you again, and is it that much of an inconvenience?
"Everybody wants to have it, and nobody understands the responsibility that goes with it."
He makes it clear that nothing is guaranteed by complying the framework: it's for risk management, not elimination, and it's possible that a business could take all of the 288 steps and still suffer a breach. But if a company winds up in court because of data being stolen, it can show that it applied due diligence by following the framework.
His message to small and midsized businesses to is recognise the sensitivity of credit card data, that it is a valuable commodity to cyber criminals, and that they have a responsibility to protect it.
"Look at the business, understand the responsibility, and be ready to accept the responsibility and the liability," he says.
Richard Hollis will be speaking on the PCI standards at the eCrime Wales Summit on 27 March.
Sign up to receive daily breaking news, reviews, opinion, analysis, deals and more from the world of tech.