Organizations storing credit card numbers and other sensitive data have important security responsibilities, including strict compliance requirements under PCI DSS.
What is Tokenization?
Tokenization is a method of protecting sensitive data, typically credit card numbers, by using randomly generated substitute characters as placeholder data. These random characters, known as tokens, have no intrinsic value, but they allow authorized users to retrieve the sensitive data when needed. If tokenized data is lost or stolen, it is useless to cybercriminals. Furthermore, for organizations charged with safeguarding information in accordance with mandated compliance standards such as Payment Card Industry Data Security Standards (PCI DSS), it can serve as a useful way to reduce compliance scope and simplify auditing.
What is Vaultless Tokenization?
Futurex offers an advanced method of tokenization known as vaultless tokenization. Legacy methods of “vaulted” tokenization require maintaining databases with tokens and their corresponding clear data. These token vaults represent a high-risk target for theft. Furthermore, large token vaults often present complex implementation problems, particularly in distributed, worldwide deployments.
Vaultless tokenization is safer and more efficient. Futurex’s primary tokenization platform, the Key Management Enterprise Server (KMES) Series 3, uses a FIPS 140-2 Level 3 compliant Secure Cryptographic Device to tokenize data. This data can then be detokenized, returning the appropriate portion of clear data, for use by authorized parties or applications. In this model, there is no token vault or centralized token database to maintain.
Supports Tokenization for Personally Identifiable Information (PII)
In addition to supporting credit card, or primary account number (PAN) tokenization, Futurex also supports personally identifiable information (PII) tokenization. PII tokenization is applicable
Reduced PCI DSS Compliance Scope and Cost
Tokenization is a secret weapon for organizations with heavy compliance burdens. Financial institutions, for instance, are often responsible for securing millions of account holder credentials in data infrastructures that are subject to PCI DSS regulations. Tokenizing as much data as possible allows these organizations to ease their compliance burdens, as tokens are not generally within the scope of audits.
Format-Preserving Encryption Eliminates Database Changes
Futurex vaultless tokenization uses a method of format preserving encryption that retains the format of the original text if desired. This allows tokenization to be easily implemented without changes to database structure or application formatting. For example, an untokenized 16 character PAN would be tokenized as 16 random numeric characters.
On-Premises or Cloud-Based Deployment Models
The KMES Series 3 is Futurex’s most robust tokenization platform. It is FIPS 140-2 Level 3 and PCI HSM 2.x compliant and is equipped with a variety of features for customized output and detokenization. The VirtuCrypt Hardened Enterprise Security Cloud, powered by Futurex hardware, offers a Tokenization-as-a-Service platform for organizations preferring the cloud over on-premises hardware.
Benefits of Vaultless Tokenization
- Reduced PCI DSS compliance scope and cost
- Significantly enhanced security over token vaults
- Vastly smaller storage footprint of sensitive data
- Reduced costs and resources associated with maintaining compliance
- Format-preserving encryption (FPE) allows tokenization to be deployed without requiring database architecture changes
- All accomplished without sacrificing security or efficiency
Organizations not using tokenization who store cardholder data are within the full scope of a PCI DSS audit. All databases and applications storing clear-text PAN data must be audited.
Using Vaultless Tokenization
Using vaultless tokenization, clear cardholder data is tokenized before storage, which allows organizations to consolidate their compliance scope into a much smaller footprint.
Customized, Role-Specific Detokenization
The information security principle of least privilege dictates that organizations limit access to sensitive data to solely what an individual needs to do their job. Any additional access is an unnecessary exposure of sensitive data. Intelligence agencies have operated under this principle of “need to know access” for years. This reduces the risk of data breaches of both the accidental and intentional varieties. Customizing detokenization output based on user or application role is one way to accomplish this.
With the customization options available in the KMES Series 3, administrators can control exactly how much detokenized data any one employee or application is able to view. For example, loyalty applications may find a partially detokenized account number, perhaps just the last four digits of a credit card number, sufficient to do their job, while an e-commerce application would likely require a fully detokenized account number for repeat purchases. Still other applications, like business analytics, may be able to use the token itself as an identifier without any need to ever detokenize it. Futurex’s vaultless tokenization allows these options to be customized for all parties and managed from a central location.
Devices for Tokenization
KMES Series 3
Hardened, enterprise-class key and certificate lifecycle management solutions
- Full symmetric and asymmetric key and certificate management
- Robust, versatile API for programmatic automation of repetitive tasks
- Easy, convenient generation of certificate trees
- Permission-based user management system with dual control
- Customized monitoring and alerting
Guardian Series 3
Empower your administrators with centralized management, redundancy, device status monitoring, and more
- Central management for Futurex devices
- Comprehensive load distribution and automated failover
- User-defined grouping for devices
- Intuitive visual and logical user interface
- Customized notifications, alerts, and status reports
Compliantly and securely load keys and perform device configuration from anywhere in the world
- Easily manage your worldwide data encryption presence from a single location
- Capable of configuring multiple devices
- Eliminates the manual process of transferring key components
- Provides detailed audit records
- FIPS 140-2 Level 3-compliant