Data tokenization substitutes surrogate data (the token) for the data that needs protection.
Multiple methods exist for generating tokens and protecting the overall system, but in contrast to encryption, no formal data tokenization standards exist. One common approach is to deploy a centralized data tokenization service that generates tokens, performs the substitution, and stores the token and corresponding original data, allowing it to de-tokenize (substitute the original value for the token) when an application needs to use the original data. Alternative approaches avoid the need for a central data tokenization service and repository by using secret, pre-generated look-up tables that are shared with applications.
The PCI Tokenization Guidelines specify that, "Cryptographic keys must be managed and protected in accordance with PCI DSS requirements…Cryptographic keys used for token generation and de-tokenization should therefore not be available to any application, system, user, or process outside of the secure tokenization system."
Maintaining Data Format
Tokenization is commonly employed by applications that require the protection of tightly formatted data. For these types of applications, a substitutional approach such as data tokenization is a natural fit.
Tokenization reduces the scope of compliance audits because, for example, customer credit card numbers are exchanged for tokens as soon as they are captured at a point-of-sale terminal; from that point on the data contains no actual credit card numbers and is no longer in compliance scope. Data remains in tokenized form by default, so any system that cannot access the de-tokenization service has the potential to be out of scope. To take advantage of this potential scope reduction, organizations need to follow the guidelines issued by the PCI Council on deploying tokenization.
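To make the centralized-service model described above concrete, here is an added example (not code from this page, from Entrust, or from any tokenization product) of a minimal token vault in Python. It keeps the token format (same length, digits only, last four preserved), offers either random tokens or tokens cryptographically related to the PAN via HMAC under a key that only the vault holds, refuses to de-tokenize for callers it has not authorized, and deliberately makes every token fail the Luhn check so a token cannot pass as a card number. The class and method names, the `deterministic` option, the client authorization list and the test card numbers are all assumptions of this example; in a real deployment the key would be held in an HSM rather than in process memory.

```python
"""Minimal centralized tokenization service (constructed example, not Entrust's
or any vendor's code). The vault is the only component that holds the
token<->PAN mapping and the derivation key; applications outside it see tokens only."""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Centralized tokenization service.

    Tokens keep the PAN's format (same length, all digits, last four preserved)
    so downstream systems need no schema changes, but they are never valid card
    numbers: each token is forced to fail the Luhn check so it cannot be mistaken
    for, or used as, a real PAN (a design choice of this example).
    """

    def __init__(self, key: bytes, deterministic: bool = False):
        # Hypothetical placement: in a real deployment this key lives in an HSM
        # and is never exposed to the calling applications.
        self._key = key
        self._deterministic = deterministic
        self._token_to_pan = {}
        self._pan_to_token = {}
        self._detokenize_allowed = set()    # client ids permitted to recover PANs

    def authorize_detokenize(self, client_id: str) -> None:
        """Grant one client the right to recover original PANs."""
        self._detokenize_allowed.add(client_id)

    def _candidate_body(self, pan: str, body_len: int, attempt: int) -> str:
        if self._deterministic:
            # Token cryptographically related to the PAN: HMAC under the vault's
            # key, so the same PAN yields the same token in every vault sharing
            # the key, while nobody without the key can derive or reverse it.
            msg = f"{pan}:{attempt}".encode()
            digest = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
            return str(int(digest, 16)).zfill(body_len)[:body_len]
        # Random token: no mathematical relationship to the PAN at all.
        return "".join(str(secrets.randbelow(10)) for _ in range(body_len))

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._pan_to_token:       # one token per PAN
            return self._pan_to_token[pan]
        tail, body_len = pan[-4:], len(pan) - 4
        attempt = 0
        while True:
            token = self._candidate_body(pan, body_len, attempt) + tail
            # Reject candidates that collide with an existing token, equal the
            # PAN itself, or would pass Luhn and so look like a real card number.
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
            attempt += 1
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, client_id: str, token: str) -> str:
        """Return the original PAN, only for explicitly authorized clients."""
        if client_id not in self._detokenize_allowed:
            raise PermissionError(f"{client_id!r} may not de-tokenize")
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(key=b"constructed-demo-key")
    vault.authorize_detokenize("payment-gateway")
    token = vault.tokenize("4111111111111111")   # well-known test card number
    print("token:", token)
    print("detokenized:", vault.detokenize("payment-gateway", token))
```

The random mode is the vault-only model from the text: nothing outside the service can relate a token to its PAN, so every other system sees opaque values. The deterministic mode shows why the PCI guidance on keys matters: with the HMAC key, anyone can recompute a PAN's token (and confirm guesses of a PAN), so that key must stay inside the tokenization system just as the mapping store does.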
Delivering Data Protection
Products and services from Entrust can help enable an effective, high assurance tokenization solution to protect customer information, reduce scope of regulatory compliance, and contain cost.
Entrust nShield™ hardware security modules (HSMs) can play an important role in ensuring adequate levels of security, just as they do in encryption systems. Since tokenization systems depend on the use of cryptography, HSMs can protect token stores and the tokenization process, and increase the performance of token generation.
Creating a Trusted Platform for Cryptographic Processing
nShield HSMs create a trusted environment where tokens can be generated, stored, and managed, and where tokenization and de-tokenization are performed securely. This trusted layer compensates for the fact that the purely software-based environment in which applications typically execute is not, in itself, sufficiently trusted to meet the needs of a tokenization system.
Enabling Fast Deployments and Seamless Integration
Whether you tokenize account data using your own in-house developed software, a third-party commercial tokenization product, or a shared service, nShield HSMs can play an important role. These devices are already certified to integrate with many leading tokenization products, assuring fast deployments and seamless integration with existing systems.
Reduce Scope of Compliance
Deploy high assurance tokenization solutions to protect account data and reduce compliance costs. Utilize industry best practices recommended by auditors and PCI DSS guidelines to protect the integrity of tokenization systems.
Entrust nShield HSMs are pre-qualified to integrate with products from leading vendors.
High Performance and Flexibility
Purpose-built cryptographic offload capabilities accelerate token generation, particularly where token values are cryptographically related to the source data. A choice of performance ratings and HSM form factors lets you deploy exactly what is needed and upgrade easily as needs change.
Solution Brief: Enhanced Tokenization Security
Tokenization solutions reduce the risk of data exposure while allowing enterprises to keep existing processes in place. Entrust nShield HSMs integrate with leading tokenization solutions to enhance data security and compliance.