The purpose of tokenization is to swap out sensitive data, typically payment card or bank account numbers, for a randomized number in the same format that has no intrinsic value of its own. This differs from encryption, where the number is transformed mathematically and the original value remains "locked" inside the new code; when the ciphertext keeps the original layout (for example, sixteen digits), this is known as Format Preserving Encryption. Encrypted numbers can be decrypted by anyone who obtains the appropriate key, whether through brute computing force or through a hacked or stolen key.
Tokens, on the other hand, cannot be decrypted because there is no mathematical relationship between the token and its original number. De-tokenization is the reverse process: the token is swapped, not decrypted, for the original number, and it can only be done by the original tokenization system. There is no other way to obtain the original number from the token alone. Tokens can be single-use (for a one-time debit card transaction) and not retained, or multi-use (the credit card number of a repeat customer) and stored in a database for recurring transactions.
The goal of a tokenization platform is to remove all original sensitive payment or personal data from your business systems, replace each number with an undecipherable token, and store the original data in a secure cloud data vault separate from your business systems. When you process a payment using the token stored in your systems, only the original tokenization system can swap the token for the corresponding PAN (Primary Account Number) and send it to the payment processor for authorization. Your systems never record, transmit, or store the PAN, only the token.
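As an added illustration (not code from the original article or any vendor's product), the following hypothetical Python vault shows the behaviour described above: tokens are random digits in the PAN's own format, the token-to-PAN mapping exists only inside the vault, multi-use tokens persist while single-use tokens are consumed on first use, and the business-side record never holds the PAN.

```python
import secrets


class TokenVault:
    """In-memory stand-in for the cloud data vault: the only place where the
    token -> PAN mapping exists. Hypothetical code, not any vendor's API."""

    def __init__(self):
        self._store = {}      # token -> (pan, single_use)
        self._pan_index = {}  # pan -> its multi-use token, reused for repeat customers

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        """Return a random token with the same length and digit-only format as
        the PAN. The token is drawn from a CSPRNG, not derived from the PAN."""
        if not pan.isdigit():
            raise ValueError("PAN must be numeric")
        if not single_use and pan in self._pan_index:
            return self._pan_index[pan]  # same multi-use token for a repeat customer
        while True:  # draw until the token is unused and is not the PAN itself
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._store:
                break
        self._store[token] = (pan, single_use)
        if not single_use:
            self._pan_index[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Swap the token back for the PAN. Only the vault can do this; there is
        no key to brute-force. A single-use token is destroyed on first use."""
        if token not in self._store:
            raise KeyError("unknown or already-consumed token")
        pan, single_use = self._store[token]
        if single_use:
            del self._store[token]
        return pan

    def is_live(self, token: str) -> bool:
        return token in self._store


def authorize(vault: TokenVault, token: str) -> dict:
    """Business-system side of a payment: it holds only the token, asks the
    vault to swap it, and passes the PAN straight to a (stubbed) processor.
    The record the business keeps contains the token, never the PAN."""
    pan = vault.detokenize(token)
    processor_approved = len(pan) >= 12  # stub for the processor's response
    return {"token": token, "approved": processor_approved}
```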
A tokenization platform that incorporates off-site data vaulting can prevent even the most nefarious attack from yielding any usable information, financial or personal. "Usable information" is the key phrase here. Tokenization is not a security system that stops hackers from penetrating your networks and information systems; many other security systems are designed for that purpose, but no defense has proven to be impenetrable. Whether through human (employee) error exposing passwords, malware injected through phishing emails, or brute-force denial-of-service attacks and zero-day exploits, every organization is vulnerable. It is a matter of when, not if, an attack will succeed. The advantage of tokenization and cloud data vaulting is that there is no information left to steal when the inevitable breach happens. It's really that simple.