What is Data Tokenization in Payments? | Rivial Security

Written by Randy Lindberg | 25 Nov 2020

Data tokenization in payment processing is the process of replacing a credit or debit card number, bank account number, or any other financial information with a token. The token, on its own, has no intrinsic use and is not connected to any account or individual. The idea is for this token to replace any sensitive data element to improve payment security.

 

Whereas encrypted data can be broken, a token is “uncrackable” and therefore “unhackable” because there is no mathematical relationship between the original data and the token.

 

What Is a Data Token?

In the case of data tokenization for payments, a token is a completely randomized data string without any intrinsic value or meaning. The token is used as a unique identifier for the original data, so we can recall all the information about the data, without compromising its security. Data tokens can be generated and used for credit card numbers, social security numbers, bank account numbers and other identifying numbers as well.

 

How Does Credit Card Tokenization Work?

As an example, if the payment method is a credit card, the card’s number is replaced with a token. For instance, if the primary account number (PAN) is 1111-1111-1111-1111, the token can be something like 787%sd90JhUa. The format and the length of the token can be completely different from the original PAN format (e.g. the token for a 16-digit card number might be only 9 or 11 characters).

 

Depending on the original data, tokens can be single-use only, or they can be retained in a database if repeat transactions are expected. Assuming the token is retained for repeat transactions, the token 787%sd90JhUa will now effectively replace this credit card number until it is detokenized or deleted from the database.

 

Data Detokenization in Payments

As the name suggests, detokenization reverses the tokenization process, retrieving the original data using the token. In a proper data tokenization system, the detokenization process can only be performed by the tokenization system that originated the token. However, in rare cases, trusted applications might be permitted to detokenize for an approved business purpose.
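The tokenize, retain-or-single-use and detokenize steps described above, as an added Python example that is not code from the original article or from any payment provider. The TokenVault class, the "billing-service" caller name and the 12-character token length are assumptions made for illustration, and the in-memory dictionaries stand in for the tokenization system's database.

```python
import secrets


class TokenVault:
    """In-memory stand-in (hypothetical) for the tokenization system's vault."""

    def __init__(self, trusted_callers):
        self._records = {}    # token -> (pan, single_use)
        self._retained = {}   # pan -> retained token, reused for repeat transactions
        self._trusted = frozenset(trusted_callers)

    def tokenize(self, pan, single_use=False):
        digits = pan.replace("-", "").replace(" ", "")
        if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        if not single_use and digits in self._retained:
            return self._retained[digits]
        # The token comes from the OS CSPRNG, never from the PAN, so there is
        # nothing to invert; the vault lookup is the only way back.
        token = secrets.token_urlsafe(9)          # 12 URL-safe characters
        while token in self._records:             # regenerate on a collision
            token = secrets.token_urlsafe(9)
        self._records[token] = (digits, single_use)
        if not single_use:
            self._retained[digits] = token
        return token

    def detokenize(self, token, caller):
        # Only callers approved for a business purpose may reverse a token.
        if caller not in self._trusted:
            raise PermissionError(f"{caller} may not detokenize")
        digits, single_use = self._records[token]  # KeyError for unknown tokens
        if single_use:
            del self._records[token]               # a single-use token dies here
        return digits

    def delete(self, token):
        # Deleting the record ends the token's link to the card number.
        digits, single_use = self._records.pop(token)
        if not single_use:
            self._retained.pop(digits, None)


if __name__ == "__main__":
    vault = TokenVault(trusted_callers={"billing-service"})  # constructed name
    token = vault.tokenize("1111-1111-1111-1111")            # PAN from the article
    print("merchant stores:", token)
    print("vault returns:", vault.detokenize(token, "billing-service"))
```
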

 

Data Encryption vs Data Tokenization

Data encryption is also a common method used to secure sensitive data, but the basic principle is different from tokenization. In encryption, the original value of the sensitive data is mathematically transformed with cryptographic keys to generate a new value.

 

It’s worth noting that in encryption, the original value is still there, just transformed. As a result, anyone with the correct key can decrypt (reverse) the newly encrypted value to the original one. However, even without the correct cryptographic key, it is still possible to decrypt the new value, albeit extremely difficult depending on the length and complexity of the secret key.

 

A major weakness in encryption is that the secret key needs to be shared between the sender and the receiver since the receiver of the encrypted data will need the original value in the end. The security of the whole data encryption process depends on the security of the secret key itself: a business would have to make sure that only the right people have possession of the key, and they would also need to regularly re-encrypt the data and rotate the key to reduce the chance of leaks.

 

All encrypted data is reversible by nature, so it is treated as sensitive data, and organizations are still required to protect it.

 

Data tokenization, on the other hand, although it also uses mathematical transformation, generates data (the token) that is completely unrelated to the original sensitive data. Therefore, no cryptographic key is needed, and even when the token is compromised, the original data is still secure.

 

In fact, in data tokenization the original data is stored in a secure off-site platform (a token vault) and will not enter your IT environment. Therefore, even if a cybercriminal manages to penetrate your network and gain access to your tokens, they won’t be able to use them unless they also have access to the token vault.

 

The Benefits of Data Tokenization

Because the sensitive data is held off-site, you will enjoy improved customer trust, a breach will be less detrimental to your business, you’ll have more data security in online payments, and you’ll be better equipped to protect personal information. Let’s face it: cybercriminals are getting smarter, and data breaches and other cybersecurity threats have grown to be serious issues for many businesses. While we may not be able to effectively prevent every data breach, data tokenization certainly makes the task of protecting sensitive data much easier.