Tokenization (data security)
Tokenization is the process of replacing some piece of sensitive data with a value that is not considered sensitive in the context of the environment that consumes the token and the original sensitive data. Tokenization technology can be used with sensitive data of all kinds including bank transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.
In the payments industry, tokenization has become a popular means of bolstering the security of electronic transactions while minimizing the complexity of compliance with industry standards and government regulations. Tokenization was applied to payment card data by Shift4 Corporation and released to the public during an industry Security Summit in Las Vegas, Nevada in 2005. The technology is meant to prevent the theft of credit card information in storage. Shift4 defines tokenization as: “The concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In PCI context, tokens are used to reference cardholder data that is stored in a separate database, application or off-site secure facility.”
The Payment Card Industry Data Security Standard, an industry-wide standard that must be met by any organization that stores, processes, or transmits cardholder data, mandates that credit card data must be protected when stored. Tokenization, as applied to payment card data, is often implemented to meet this mandate, replacing credit card numbers in some systems with a random value. Tokens can be formatted in a variety of ways. Some token service providers or applications generate these stand-in values in such a way as to match the format of the original sensitive data. In the case of payment card data, a token might be the same length as a Primary Account Number (bank card number) and contain elements of the original data such as the last four digits of the card number. When an authorization request is made to verify the legitimacy of a transaction, a token might be returned to the merchant instead of the card number, along with the authorization code for the transaction. The token is stored in the receiving system while the actual cardholder data is stored in a secure token storage system. Storage of tokens and payment card data must comply with current PCI standards.
Tokenization makes it more difficult for hackers to gain access to cardholder data outside of the token storage system. Implementation of tokenization could simplify the requirements of the PCI DSS, as systems that no longer store or process sensitive data are removed from the scope of the PCI audit.
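The following is an added illustration of the scheme described above, not code from Shift4 or any token service provider: a minimal token vault that issues a random, format-preserving token (same length as the PAN, last four digits retained) and keeps the only token-to-PAN mapping. The in-memory dictionary vault, the PAN length bounds and the Luhn input check are assumptions of this example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum on a digit string; used here only to reject malformed PAN input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed example vault: the real PAN lives only in this mapping.
    The token is random (secrets module), so a system holding only the token
    cannot recover the card number without access to the vault."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Assumed input rules: 13-19 digits that pass the Luhn check.
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:             # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: random body of the same length, last four kept.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break                             # avoid collisions and identity
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only code with vault access can map a token back to cardholder data."""
        return self._token_to_pan[token]


def merchant_visible_part(token: str) -> str:
    """What a receipt or out-of-scope system may show: the retained last four."""
    return token[-4:]
```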