Cybersecurity is an ever-changing landscape, where new technologies come and go at lightning speed. But one solution has stayed strong for over two decades: tokenization.
Invented 21 years ago, tokenization continues to be one of the best methods to outsmart hackers and protect sensitive information stored online. In fact, the global tokenization market is estimated to increase at a compound annual growth rate (CAGR) of 21.5% over the next five years.
This increase in demand shows just how important data security has become, especially in terms of customer trust and loyalty. The increased rise of data breaches exposing unsecured or “clear-text” Personally Identifiable Information (PII), Protected Health Information (PHI), and financial information has raised serious questions about how consumer data is handled. Breaches bring liability, legal action, and millions in fines, while eroding consumer trust and damaging the corporate brand.
With 63% of consumers indicating that an organization’s data collection and storage practices are the most important factor when they share sensitive information with the organization, installing defensive data breach measures, like tokenization, is critical.
There are several technologies available to tokenize data so that if a breach occurs, hackers get nothing of value. Here we take a deeper dive into tokenization and how it works, the types of data it can protect, the types of tokenization available, and how tokenization can work for online data.
The origins of tokenization
TrustCommerce was the first company to formulate the concept of tokenization in 2001. When their client needed a way to reduce the risks of storing cardholder data, they created something called TC Citadel — the first iteration of what we now know as data tokenization. This first iteration allowed for safe and secure payment transactions without the need to store cardholder data on their servers.
The solution proved to be extremely secure, since it ensured hackers would only receive indecipherable strings instead of valuable payment information. Major credit and debit card companies have since adopted this method, which has become an industry norm in the Ecmmerce landscape.
What is tokenization?
Tokenization is the process of removing sensitive information from your internal system — where it’s vulnerable to hackers — and replacing it with a one-of-a-kind token that is unreadable, even if hackers manage to breach your systems. The token is usually a random sequence of numbers or letters that the organization’s internal systems can use at little risk while the original data is held securely in a token vault.
Rather than becoming outdated, tokenization has only become more critical. In today’s IoT world, we’re creating a staggering 2.5 quintillion bytes of data daily — through social media, healthcare, eCommerce, and more — and more data means more need for protection. Along with an increase in data, the continued surge in data cybercrimes has also created a high demand for tokenized data security and cloud-based solutions.
With 80% of consumers saying they would avoid purchasing from an organization if their data has been compromised in a security breach, tokenization could save you millions of dollars, not just from a data breach, but also from the loss of customer trust and loyalty.
What does tokenization protect?
Historically, tokenization has been deployed to protect credit card and debit card data in storage. Storing this data is essential for recurring and subscription transactions so that the customer can be billed on a regular basis without having to re-enter their information. Storing clear-text credit and debit card data in any form violates PCI compliance rules, as well as data privacy rules.
In recent years, tokenization has been expanded to now also “mask” PII, PHI and banking information, especially pertaining to ACH account details. Examples of the type of data a tokenization system can secure include:
- A real name or alias, signature, or physical characteristics or description
- Postal address or telephone number
- Unique personal identifier, account name, online identifier Internet Protocol address, or email address
- Education and employment, including employment history
- Social security number, driver’s license number, state identification card number, passport number, or other similar identifiers
- Medical information or health insurance information
- Bank account number, credit/debit card number or any other financial information
Additionally, tokenization is no longer exclusively used for protection of data in storage. It can also be used to immediately tokenize data upon entry into a web form or Ecommerce page.
What types of tokenization are available?
There are two main “systems” used to store tokens.
Vaulted tokenization typically involves creating a token mapping table, where sensitive data is centralizd on that table. This reduces the number of systems processing and/or storing sensitive data, thereby reducing the risk of the overall environment by centralizing that risk in the systems storing and managing the mapping table. Since the mapping table becomes the most desirable target, sensitive data stored in the token mapping table should be encrypted and the secret key managed securely.
Vaultless tokenization refers to tokenization which does not require a token mapping table and relies on an algorithm to transform data into tokens. Implementations deemed secure using this method rely on industry approved algorithms and modes of operation and, when outsourced, can be implemented such that compromise of the tokenized (encrypted) data renders zero value to the malicious actor. As with standard encryption, a malicious actor in possession of tokenized data without a secret key has no means to recover the clear-text data.
Vaultless tokenization provides the easiest way to secure an organization’s data: the general population of the organization’s systems never see the original data strings, and only a very few and limited amount of heavily controlled systems are allowed to transform tokens back to sensitive data.
How does tokenization look?
It can be hard to envision what a token is or how this process looks. However, here is an example of an Ecommerce page where format-preserving tokenization (FPT) has been applied with Bluefin’s ShieldConex® data security platform. In format-preserving tokenization, the randomly generated symbols use the same alphabet as the original data.
ShieldConex® is a vaultless tokenization platform that secures PII, PHI, cardholder data (CHD) and ACH account data entered online. ShieldConex immediately masks sensitive data upon entry through Bluefin’s iFrame or API’s, ensuring that it never travels through a system or network as clear-text, where it could be accessible in the event of a data breach. Clients can leverage format-preserving encryption (FPE), format-preserving tokenization (FPT) or a combination of both with ShieldConex.
Stay tuned for our upcoming blogs which will overview how tokenization applies to payment data and PCI compliance, and how tokenization applies to PHI, PII and data privacy regulations.