The Demise of Vaulted Tokenization?
Tokenization is well known as one of the most dependable and important processes for securing cardholder information in financial transactions. In addition, tokenization protects other sensitive information such as companies’ employee data and public healthcare records. Using the KMES Series 3, the Guardian Series 3, and the Excrypt Touch, Futurex offers a robust vaultless tokenization service that allows merchants and other organizations to reduce their regulatory compliance scope, decrease costs, and enhance their overall security.
However, before vaultless tokenization became the norm, many cryptographic solutions involved (and some still involve) a process called vaulted tokenization. As vaultless tokenization gains traction, vaulted tokenization is becoming decreasingly common in financial cryptographic solutions. Vaulted tokenization is considered a less ideal solution than vaultless tokenization for organizations seeking a complete cryptographic infrastructure for several important reasons. This blog post will explain a little more about the difference between the two forms of tokenization, and why vaultless tokenization is becoming the industry standard in many regions of the world.
(For more of the basics of what tokenization is and how it works, be sure to check out our corresponding solution page, Vaultless Tokenization, or request to download our whitepaper.)
What is Tokenization?
Before we compare the types of tokenization, it’s important to understand what tokenization is. Tokenization is a method of protecting sensitive data, typically credit card numbers, by using randomly generated substitute characters as placeholder data. These random characters, known as tokens, have no intrinsic value, but they allow authorized users to retrieve the sensitive data when needed. Tokenization is a useful way to reduce compliance scope and simplify auditing for organizations charged with safeguarding information in accordance with mandated compliance standards such as Payment Card Industry Data Security Standards (PCI DSS).
To visualize the concept of tokenization, it can be useful to imagine a game of poker in a casino. While people in the casino are playing for money, during gameplay they use value-less chips to represent money. That way, anyone who pockets the chips on the table will have stolen nothing more than a piece of plastic. There is no inherent value to the chip. The same goes for tokenization. The cryptographic token takes the place of cardholder data, meaning that if a company’s payment system is hacked, thieves come away only with useless letters and numbers, not real, sensitive information. The valuable data is safely stored in a hardware security module outside of the payment system, awaiting decryption only when necessary through a process known as detokenization.
What is Vaulted Tokenization?
Vaulted tokenization is an early method of tokenization. In the vaulted tokenization model, detokenization requires a database that is queried with a token to retrieve the original data stored within. This requires large databases mapping tokens to their corresponding clear data. These databases are known as vaults. The retrieval and detokenization process for vaulted data takes extra time because of the required original token query to the database, creating a latency issue for large databases that require frequent detokenization processes. There are implementation, security, and compliance drawbacks to the vaulted tokenization model as well. Token vaults represent a single point of failure in tokenization infrastructures, and they also represent a high-risk target for theft since they contain clear cardholder data, which is also within the scope of PCI compliance. Furthermore, large token vaults often present complex implementation problems, particularly in distributed, worldwide deployments.
Why Switch to Vaultless Tokenization?
Vaultless tokenization allows organizations to reduce the scope and cost of regulatory compliance by vastly reducing, and completely eliminating in some cases, the presence of clear-text cardholder data from their processing infrastructure and storage environments. This is because vaultless tokenization eliminates the need for a vault or master token base by using a secure cryptographic device (such as Futurex’s Key Management Enterprise Server (KMES) Series 3) to generate tokens using standards-based algorithms.
In this model, data remains encrypted throughout the payment process, which potentially eliminates cleartext cardholder data from the merchant network entirely. The process of creating tokens can be fully automated, vastly reducing a company’s PCI compliance scope and associated costs.
For example, with vaultless tokenization, when a card is presented at a Point-of-Sale terminal, the PAN is immediately encrypted using Point-to-Point Encryption (P2PE). When the encrypted PAN makes its way to the HSM, it can be decrypted within the secure cryptographic device boundary, tokenized, and then processed through the card issuer using the tokenized data. Under this model, the combination of POS encryption and vaultless tokenization allows for secure transaction processes and storage of cardholder credentials for future use, without ever placing cardholder data in the clear. Data stored via vaultless tokenization also does not have to be replicated between data centers, which also eliminates the latency issue.
The proven success of tokenization has applications across multiple industries and sectors. It can be expected that a wide range of organizations, from healthcare providers to government agencies, will take advantage of the myriad of benefits of using the versatile and powerful vaultless tokenization technology.
Why Still Use Vaulted Tokenization?
There are still some financial corporations that rely on vaulted tokenization to secure their customers’ sensitive payment information, despite the drawbacks to the method. This is typically due to outdated regional legislation or issues in the wording of encryption laws. For example, local legislation may specify that all financial corporations must use “tokenization done in a vault” without realizing that they are eliminating those corporations’ ability to use a more secure, vaultless method.
For corporations in these regions that are concerned with the integrity of their tokenization process, it is often possible to get a variance granted in the law, or to petition for an exception. For example, if the company uses tokenization in a FIPS 140-2 Level 3 validated cryptographic module, their local government will often make an exception for them.
To learn more about vaultless tokenization, read our solutions page, Vaultless Tokenization, or request to download our whitepaper. Futurex offers a complete Hardened Enterprise Security Model for secure payment processes involving vaultless tokenization, available on-premises or in the cloud. For more in-depth information on our products or to create a custom solution for your organization, reach out to one of our Solutions Architects, available 24x7x365.