Tokenization
Tokenization is a data protection technique that replaces sensitive data (e.g., card numbers) with random tokens that are worthless outside the system. The original data is stored in a secure vault, and the token is used in business processes in its place.
What is Tokenization?
Tokenization Definition
Tokenization is a data protection technique that replaces sensitive data with random, unique identifiers called tokens. A token has no mathematical relationship to the original data; the mapping between them is stored in a secure system called a token vault.
How Does Tokenization Work?
- Sensitive data (e.g., 4111 1111 1111 1111) is sent to the tokenization system
- The system generates a token (e.g., TKN-8472-XKPL-92BF)
- The mapping is stored in a secured vault
- The token is used in applications instead of the real data
- Detokenization is performed only by authorized systems
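The flow above can be sketched as a minimal in-memory vault. This is illustrative only: `TokenVault`, its authorized-client list, and the token format are assumptions for the sketch, and a real vault is a hardened, audited, access-controlled datastore.

```python
import secrets

class TokenVault:
    """Toy vault-based tokenizer (sketch, not a production design)."""

    def __init__(self, authorized_clients):
        self._token_to_data = {}
        self._data_to_token = {}
        self._authorized = set(authorized_clients)

    def tokenize(self, sensitive_value: str) -> str:
        # Reuse the existing token so one input always maps to one token.
        if sensitive_value in self._data_to_token:
            return self._data_to_token[sensitive_value]
        # Random token: no mathematical relationship to the input.
        token = "TKN-" + secrets.token_hex(8).upper()
        self._token_to_data[token] = sensitive_value
        self._data_to_token[sensitive_value] = token
        return token

    def detokenize(self, token: str, client_id: str) -> str:
        # Detokenization only for authorized systems.
        if client_id not in self._authorized:
            raise PermissionError(f"{client_id} may not detokenize")
        return self._token_to_data[token]

vault = TokenVault(authorized_clients={"payment-gateway"})
token = vault.tokenize("4111111111111111")
original = vault.detokenize(token, "payment-gateway")
```

An unauthorized caller (say, a web frontend) gets a `PermissionError` instead of the card number, which is the point: only the vault boundary can reverse the mapping.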
Tokenization vs Encryption
| Aspect | Tokenization | Encryption |
|---|---|---|
| Mathematical relationship | None | Exists (algorithm) |
| Output format | Can preserve format | Usually changes format |
| Reversibility | Only via vault | Via key |
| Compliance scope | Tokens can be taken out of scope | Encrypted data often remains in scope |
| Performance | Vault lookup | Cryptographic operation |
Tokenization Types
Vault-based:
- Token mapped in central database
- High security level
- Vault dependency
Vaultless (Format-Preserving):
- Algorithm generates deterministic token
- Preserves format (e.g., a 16-digit number remains a 16-digit number)
- No central vault
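The vaultless idea can be illustrated with a toy format-preserving scheme: a key-derived digit stream is added digit-by-digit modulo 10, so the token stays a 16-digit number, is deterministic, and is reversible with the key. This sketch is not cryptographically sound; production systems use standardized format-preserving encryption such as NIST SP 800-38G FF1. The function names and key here are illustrative.

```python
import hmac
import hashlib

def _keystream_digits(key: bytes, n: int) -> list:
    """Derive n pseudorandom digits from the key via HMAC-SHA256."""
    digits = []
    counter = 0
    while len(digits) < n:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        digits.extend(b % 10 for b in block)
        counter += 1
    return digits[:n]

def fpe_tokenize(pan: str, key: bytes) -> str:
    # Digit-wise modular addition: deterministic and format-preserving.
    ks = _keystream_digits(key, len(pan))
    return "".join(str((int(d) + k) % 10) for d, k in zip(pan, ks))

def fpe_detokenize(token: str, key: bytes) -> str:
    # Subtracting the same keystream reverses the mapping.
    ks = _keystream_digits(key, len(token))
    return "".join(str((int(d) - k) % 10) for d, k in zip(token, ks))

key = b"demo-secret-key"
token = fpe_tokenize("4111111111111111", key)
```

Note the trade-off the table above hints at: because the token is derived by an algorithm rather than looked up, no central vault is needed, but anyone holding the key can detokenize.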
Tokenization Applications
Payments:
- Credit card numbers
- Tokens in Apple Pay, Google Pay
- PCI DSS scope reduction
Healthcare:
- PHI (Protected Health Information)
- Patient numbers
- HIPAA compliance
PII:
- Social Security numbers
- Email addresses
- Phone numbers
Tokenization and PCI DSS
Tokenization is key to PCI DSS scope reduction:
- Systems that handle only tokens do not store cardholder data
- Only the token vault remains subject to the full PCI DSS requirements
- Drastically reduced compliance cost and audit effort
Tokenization Benefits
- Compliance: Regulatory scope reduction
- Breach impact: A stolen token is worthless to an attacker
- Data minimization: Fewer locations with sensitive data
- Usability: Token can preserve format for compatibility
Tokenization Challenges
- Token vault: Single point of failure
- Performance: Latency added by tokenization and detokenization calls
- Data analytics: Analysis on tokens is limited, since they carry no relationship to the data
- Integration: Requires changes to applications
Payment Tokenization
Modern payment systems extensively use tokenization:
- Card-on-file: The merchant stores a token, not the card number
- Mobile payments: The device presents a device-specific token with a one-time cryptogram per transaction
- E-commerce: Tokenization at checkout
Tokenization is one of the most effective sensitive data protection techniques, particularly valuable in payments and compliance contexts.