Tokenization is well known as one of the most dependable and important processes for securing cardholder information in financial transactions. It also protects other sensitive data such as employee information and healthcare records. Using the KMES Series 3, the Guardian Series 3, and the Excrypt Touch, Futurex offers a robust vaultless tokenization service. It is well suited to merchants and other organizations that need to reduce their regulatory compliance scope, decrease costs, and enhance their overall security.
The demise of vault tokenization?
Before vaultless tokenization became the norm, many cryptographic solutions relied (and some still rely) on a process called “vault” or “vaulted” tokenization. As vaultless tokenization gains traction, vault tokenization is becoming less common in financial cryptographic solutions, and for organizations seeking a complete cryptographic infrastructure it is the less attractive option for several important reasons. This blog post explains the difference between the two forms of tokenization and why vaultless tokenization is becoming the industry standard in many regions of the world.
(For more of the basics of what tokenization is and how it works, be sure to check out our corresponding solution page, Vaultless Tokenization, or request to download our whitepaper.)
What exactly is Tokenization?
Tokenization is a procedure in which sensitive data is replaced by substitute strings known as “tokens”. It is used to protect information such as personally identifiable information (PII) and payment data. The characters of the original value are replaced with unrelated characters that keep the same length and format, so a 16-digit card number becomes a different 16-digit string that downstream systems can store and pass around unchanged. Unlike ordinary encryption, which produces ciphertext of a different length and format, tokenization preserves both, and the token reveals nothing about the original value to anyone who cannot reach the tokenization system itself: the original can be recovered only through that system, a process called detokenization. Traditionally, the original value was kept in a “token vault”, a secure server and database that maps each token back to the data it stands for. The two types of tokenization are therefore vault and vaultless tokenization.
Use cases for tokenization
Tokenization is a practical way to protect sensitive data like credit card details by replacing them with substitute values as placeholder data. These substitutes, known as tokens, have no intrinsic value, but they allow authorized users to retrieve the sensitive data when needed.
Tokenization is a useful way to reduce compliance scope and simplify auditing for organizations charged with safeguarding information in accordance with mandated compliance standards such as the Payment Card Industry Data Security Standard (PCI DSS).
A visual analogy
To visualize the concept of tokenization, it can be useful to imagine a game of poker in a casino. While people in the casino are playing for money, during gameplay they use chips to represent it. Outside the casino the chips are worthless, so anyone who illicitly pockets chips from the table and walks out has stolen nothing more than pieces of plastic. There is no inherent value to the chip.
The same goes for tokenization. The token takes the place of the credit card number, meaning that if a company’s payment system is hacked, thieves come away only with useless letters and numbers, not real, sensitive information. The token is what the payment system stores; the original value, or the keys needed to recover it, stays inside a hardware security module (HSM) or a vault outside of the payment system, and is recovered only when necessary through a process known as detokenization.
What is Vault Tokenization?
Vault tokenization is the older method of tokenization. In the vault tokenization model, detokenization requires a database that is queried with a token to retrieve the original data stored within. This requires large databases mapping tokens to their corresponding clear data. These databases are known as token vaults.
Retrieving and detokenizing vaulted data takes extra time because every detokenization must query the vault database for the corresponding token. Predictably, this creates latency issues for large databases supporting frequent queries.
There are implementation, security, and compliance drawbacks to the vault tokenization model as well. Token vaults are a single point of failure in a tokenization infrastructure: if the vault is unavailable, nothing can be detokenized. Because the vault holds the original value for every token it has ever issued, it is also a high-value target for theft. Holding cardholder data brings the vault, and every system that can reach it, within the scope of PCI DSS compliance, a scope that could otherwise be avoided. Furthermore, large token vaults must be replicated and kept consistent wherever detokenization happens, which makes distributed, worldwide deployments complex.
Why Switch to Vaultless Tokenization?
Vaultless tokenization allows organizations to easily meet international regulatory compliance obligations. How? By reducing or even eliminating the presence of clear-text cardholder data from their processing infrastructure and storage environments.
Vaultless tokenization eliminates the need for a token vault or vault database. The vaultless tokenization process involves secure cryptographic devices (such as Futurex’s Key Management Enterprise Server (KMES) Series 3) to generate tokens using standards-based algorithms and encryption keys.
In this model, sensitive data is never in the clear outside a cryptographic device’s secure boundary: it is encrypted in transit and replaced by a token at rest, which can eliminate cleartext cardholder data from the merchant network entirely. The process of creating tokens can be fully automated.
For example, with vaultless tokenization, when a card is presented at a point-of-sale (POS) terminal, the primary account number (PAN) is immediately encrypted using point-to-point encryption (P2PE). The encrypted PAN travels from the POS terminal to the secure cryptographic devices on the back end, where it is decrypted only inside the devices’ secure boundary and tokenized. From that point on the merchant’s systems handle the token in place of the PAN, both for processing and for any later use.
Under this model, the combination of POS encryption and vaultless tokenization secures both the transaction itself and the storage of credit card details for future use, without ever placing cardholder data in the clear on the merchant’s systems. Because a vaultless token is derived from a key rather than looked up in a table, nothing has to be replicated between data centers: any device holding the same key produces, and can reverse, the same token, which removes the replication lag and query latency of a vault.
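To make the contrast between the two models concrete, here is an added illustration that is not Futurex’s code and not the algorithm any Futurex product uses. It implements both a token vault (the model described under “What is Vault Tokenization?”) and a vaultless tokenizer (the flow described above) behind the same tokenize/detokenize interface. The vaultless side uses a simplified Feistel construction over decimal strings with HMAC-SHA256 as the round function; that construction, the choice to leave the last four digits in the clear, the 10-round count and the sample card numbers are all assumptions made for this example, and a production system would use a standardized format-preserving mode such as NIST FF1 running inside the HSM.

```python
"""Vault vs. vaultless tokenization side by side (added illustration).

The keyed transform is a simplified Feistel network over decimal strings
with HMAC-SHA256 as the round function. It is an assumption made for this
example, not NIST FF1/FF3 and not any vendor's algorithm.
"""
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def _check_pan(value: str, keep_last: int) -> None:
    # Both tokenizers need an all-digit string with at least two digits in
    # front of the digits that are left in the clear.
    if not (value.isdigit() and len(value) >= keep_last + 2):
        raise ValueError("expected a digit string at least %d long" % (keep_last + 2))


def _round_fn(key: bytes, round_no: int, half: str, tweak: str, width: int) -> int:
    # One Feistel round: HMAC over (round, other half, tweak) reduced to a
    # width-digit number. The modulo has a slight bias that FF1 avoids.
    msg = f"{round_no}|{half}|{tweak}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, digits: str, tweak: str = "", rounds: int = 10) -> str:
    """Map a digit string to another of the same length, reversibly under key.
    The tweak binds the output to public context (here the clear trailing digits)."""
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2            # the two halves may differ by one digit
    a, b = digits[:u], digits[u:]
    for i in range(rounds):
        m = u if i % 2 == 0 else v       # width of the half replaced this round
        f = _round_fn(key, i, b, tweak, m)
        c = str((int(a) + f) % 10 ** m).zfill(m)
        a, b = b, c
    return a + b


def fpe_decrypt_digits(key: bytes, digits: str, tweak: str = "", rounds: int = 10) -> str:
    """Inverse of fpe_encrypt_digits: the same rounds, run backwards."""
    if not (digits.isdigit() and len(digits) >= 2):
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    u, v = n // 2, n - n // 2
    split = u if rounds % 2 == 0 else v  # which half ended up in front
    a, b = digits[:split], digits[split:]
    for i in reversed(range(rounds)):
        m = u if i % 2 == 0 else v
        f = _round_fn(key, i, a, tweak, m)
        c = str((int(b) - f) % 10 ** m).zfill(m)
        a, b = c, a
    return a + b


class VaultTokenizer:
    """Vault model: the token is random and meaningless on its own; the only
    way back to the PAN is the token -> PAN table this object holds."""

    def __init__(self, keep_last: int = 4):
        self.keep_last = keep_last
        self._vault = {}    # token -> PAN: the token vault, grows with every new PAN
        self._issued = {}   # PAN -> token, so a repeated PAN reuses its token

    def tokenize(self, pan: str) -> str:
        _check_pan(pan, self.keep_last)
        if pan in self._issued:
            return self._issued[pan]
        split = len(pan) - self.keep_last
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(split)) + pan[split:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._issued[pan] = token
        return token

    def detokenize(self, token: str):
        # A node without this exact table (or one whose table is lost) gets None.
        return self._vault.get(token)


class VaultlessTokenizer:
    """Vaultless model: the token is a keyed, format-preserving transform of the
    PAN. Nothing is stored; any node holding the same key derives and reverses
    the same tokens."""

    def __init__(self, key: bytes, keep_last: int = 4):
        self._key = key            # in a real deployment the key never leaves the HSM
        self.keep_last = keep_last

    def tokenize(self, pan: str) -> str:
        _check_pan(pan, self.keep_last)
        split = len(pan) - self.keep_last
        return fpe_encrypt_digits(self._key, pan[:split], tweak=pan[split:]) + pan[split:]

    def detokenize(self, token: str) -> str:
        _check_pan(token, self.keep_last)
        split = len(token) - self.keep_last
        return fpe_decrypt_digits(self._key, token[:split], tweak=token[split:]) + token[split:]


if __name__ == "__main__":
    pan = "4111111111111111"         # constructed sample PAN (a standard test number)
    key = secrets.token_bytes(32)    # stands in for a key held inside the HSM
    node_a, node_b = VaultlessTokenizer(key), VaultlessTokenizer(key)
    tok = node_a.tokenize(pan)
    print("vaultless:", pan, "->", tok, "| other node reverses:", node_b.detokenize(tok) == pan)
    vault = VaultTokenizer()
    vtok = vault.tokenize(pan)
    print("vault:", pan, "->", vtok, "| node without the vault gets:", VaultTokenizer().detokenize(vtok))
```

Two things the code makes visible: two vaultless instances that share only a key agree on every token and can each reverse it, whereas a second vault instance cannot recover anything it did not issue, which is the single point of failure and the replication burden described above. Two caveats also apply. The tokens produced here are not Luhn-valid, which real deployments often require so that tokens pass through systems that validate card numbers, and a vaultless token is deterministic under a given key, which is what makes it usable as a stored reference but also means the key, rather than a token table, is now the asset that must never leave the cryptographic device.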
The proven success of tokenization has applications across multiple industries and sectors. It can be expected that a wide range of organizations, from healthcare providers to government agencies, will take advantage of the myriad benefits of versatile and powerful vaultless tokenization technology.
Why Still Use Vault Tokenization?
There are still some financial corporations that rely on vault tokenization to secure their customers’ sensitive payment information, despite the drawbacks to the method. This is typically due to outdated regional legislation or issues in the wording of encryption laws. For example, local legislation may specify that all financial corporations must use “tokenization done in a vault database” without realizing that they are eliminating those corporations’ ability to use a more secure, vaultless method.
For corporations in these regions that are concerned with the integrity of their tokenization process, it is often possible to get a variance granted in the law, or to petition for an exception. For example, if the company uses tokenization in a FIPS 140-2 Level 3 validated cryptographic module, their local government will often make an exception for them.
To learn more about vaultless tokenization, read our solutions page, Vaultless Tokenization, or request to download our whitepaper. Futurex offers a complete Hardened Enterprise Security Model for secure payment processes involving vaultless tokenization, available on-premises or in the cloud. For more in-depth information on our products or to create a custom solution for your organization, reach out to one of our Solutions Architects, available 24x7x365.