Tokenization: Vault or Vaultless?

Many data protection companies store sensitive information in secure databases called data vaults. These token vaults safehouse information until it needs to be retrieved to make a payment, identify an individual, or serve a variety of other purposes. In the instance of tokenization, these are referred to as token vaults, and they can be either on-premise or cloud-based. TokenEx’s preferred method of vaulting is cloud-based due to its lower overhead, fewer access points, and smaller attack surface. In other words, it’s cheaper and more secure.

Until recently, the TokenEx Cloud Security Platform supported only vaulted tokenization, but to better serve the needs of our customers, we now offer vaultless tokenization as well. Although vaultless will not be the appropriate solution for all customers, in the right use cases, it can result in more efficient performance, lower costs, and other benefits. Here is a breakdown of the two options.

a person paying with sensitive data who needs a tokenization vault

Vault vs. Vaultless

Vaulted tokenization utilizes a database, or “vault,” to store a mapping between the tokenized sensitive data, such as a credit card number, and the corresponding token. Conversely, vaultless tokenization generates the token solely via an algorithm, so when detokenization is required, the token can be used to determine the original value without needing a vault.

In terms of token schemes, both vaultless and vaulted tokenization allow you to retain elements of the original PAN, such as the first six and last four numbers. Although vaulted tokenization enables you to select numeric PCI tokens, all vaultless tokens will have alphanumeric values between the portions of the PAN that are retained. Both vaultless and vaulted support batch-file tokenization, provide the same level of PCI DSS scope reduction and offer the ability to deidentify PII, PHI, and personal data.

chains locking up a computer, phone, and book, to represent a tokenization vault

A key benefit of vaultless is reduced latency, which results in a more responsive platform. This reduced latency is especially noticeable when processing a large batch file. Vaulted data must be replicated between data centers, which—in the event of a catastrophic outage—can result in a recovery point objective (RPO)/recovery time objective (RTO) of several minutes. With vaultless tokenization, there is no token vault to replicate, so RPO/RTO effectively drops to zero, increasing availability.

The Future of Vault vs. Vaultless

The primary driver behind our development of a vaultless tokenization solution is the increasing number of data-localization regulations worldwide. Currently, the TokenEx vaultless solution is deployed in our existing private-cloud data centers in the United States and the European Union. However, we expect to expand our vaultless solution to the public cloud in the latter half of 2019, allowing the TokenEx platform to operate in any geographic location in the world.

If you have any questions about vault vs. vaultless tokenization solutions, please don’t hesitate to contact our client services or sales teams.


Discover Data Vaulting Results

Get the Free Case Study


Topic(s): data security , tokenization

Keep Up With Our PCI & Privacy Blog