What is Tokenization? How does it work?

More often than not, organizations utilize encryption to protect data-at-rest. While encryption is a valid method of protecting data, there are others, like tokenization. Tokenization is the process of converting plaintext into a token value which does not reveal the sensitive data being tokenized. The token is of the same length and format as the plaintext, and that plaintext and token are stored in a secure token vault, if one is in use. One of the reasons tokenization is not used, however, is due to the process resulting in an undecipherable and irreversible token. Tokenization can be irreversible if a vaultless tokenization method is used.

Tokenization Terminology

A token is data having no meaning or relation to the original sensitive data. A token acts as a place holder for the plaintext, allowing data to be used in a database without revealing the information it protects. Tokens are unique to each value and are random strings of information. If vaultless tokenization is in use, then there is no mathematical relationship between the token and the sensitive data, thus the tokenization process is irreversible and undecipherable. If a vault is used, then the process of detokenization is possible.

Detokenization is the process of reversing tokenization. Detokenization is only possible if a token vault is being used in the tokenization process. With a token vault, the token and plaintext data are related to each other, so that the sensitive data can be returned to a privileged user. Token vaults tend to be encrypted as well, to provide maximum security. In this way, the data will be useless to anyone who steals the information stored in the token vault.

Tokenization Uses

Tokenization has many different uses, benefitting any organization with sensitive data. Though this is true, tokenization is primarily used in the Payment Card Industry (PCI). Tokenization provides protection for credit card information, social security numbers, bank account information, and more in the Payment Card Industry. The PCI uses tokenization over encryption methods due to the simplicity of implementing tokenization, and the cost-efficiency of tokenization compared to other sensitive data protection methods. Another reason tokenization is used in the PCI is for meeting compliance standards.

PCI DSS Compliance

The Payment Card Industry Data Security Standards, or PCI DSS, require retailers dealing with credit card information to store their data somewhere other than on their Point of Sales (POS) systems. PCI DSS is required for every business, thus every business searches for the most cost-efficient and proven way to comply. The Payment Card Industry Security Standards Council (PCI SSC), which enforces the PCI DSS, released guidelines on using tokenization to comply with PCI DSS. Tokenization is a much better choice, as opposed to encryption, as encryption can be expensive and time consuming to be set up end-to-end.

Benefits of Tokenization

Tokenization has many benefits to its use, including the level of difficulty attackers face when attempting to steal tokenized information. Since sensitive data that is tokenized without a token vault cannot be reversed, then this form of tokenization is completely safe from attackers. Even if the data is stolen, it cannot be reverted to back to its normal form, so it is useless to attackers. If the tokenization is done with a token vault, it is still extremely difficult for hackers to steal the information. Though the tokens are related to their plaintext, the data in the token vault still tends to be encrypted as well, just as a secondary precaution.

Another benefit to tokenization is its ability to work well with legacy systems. Even if an application and database have been created and in use for years or even decades, the information secured therein can be tokenized without the need to reinvent, or recreate, the application. Tokenization also uses less resources than encryption does, and has less of a chance of failure, compared to other data masking methods.