Tokenization (data security)
Tokenization is the process of substituting a sensitive data element with a benign substitute that is "easily" reversible. "Easily" here is from the point of view of the data owner: the algorithm used should not be easy for anyone else to guess, and this is the key indicator of the security strength of tokenization. Tokenization can be used to safeguard sensitive data involving, for example, bank accounts, financial statements, medical records, criminal records, driver's licenses, loan applications, stock trades, voter registrations, and other types of personally identifiable information (PII).
In the payment card industry, tokenization is one means of protecting sensitive cardholder PII in order to comply with industry standards and government regulations. Tokenization was applied to payment card data by Shift4 Corporation and released to the public during an industry Security Summit in Las Vegas, Nevada in 2005. The technology is meant to prevent the theft of the credit card information in storage. Shift4 defines tokenization as: “The concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In payment card industry (PCI) context, tokens are used to reference cardholder data that is stored in a separate database, application or off-site secure facility.”
Building an alternate payments ecosystem requires a number of entities working together in order to deliver NFC or other technology-based payment services to end users. One of the issues is interoperability between the players. To resolve it, the role of trusted service manager (TSM) is proposed to establish a technical link between MNOs and providers of services, so that these entities can work together. Tokenization helps with this.
The Payment Card Industry Data Security Standard, an industry-wide standard that must be met by any organization that stores, processes, or transmits cardholder data, mandates that credit card data must be protected when stored. Tokenization, as applied to payment card data, is often implemented to meet this mandate, replacing credit card numbers in some systems with a random value. Tokens can be formatted in a variety of ways. Some token service providers or applications generate these stand-in values in such a way as to match the format of the original sensitive data. In the case of payment card data, a token might be the same length as a Primary Account Number (bank card number) and contain elements of the original data such as the last four digits of the card number. When an authorization request is made to verify the legitimacy of a transaction, a token might be returned to the merchant instead of the card number, along with the authorization code for the transaction. The token is stored in the receiving system while the actual cardholder data is stored in a secure token storage system. Storage of tokens and payment card data must comply with current PCI standards.
Tokenization makes it more difficult for hackers to gain access to cardholder data outside of the token storage system. Implementation of tokenization could simplify the requirements of the PCI DSS, as systems that no longer store or process sensitive data are removed from the scope of the PCI audit.