Tokenization: Vault or Vaultless?

In the world of security, vaults are commonly used to protect valuable items from theft or exposure. Images of bank vaults or floor safes probably come to mind, but they’re far from the only types of vaults used to keep their contents safe and secure. Protecting intangible things such as data requires a different kind of vaulting, one that provides abstraction from the data’s original form and location. In the case of the security technologies of encryption and tokenization, these vaults can also store encryption keys and additional information necessary for keeping sensitive data secure. This is the category of vaults we will be covering in this post.

So, what is a tokenization vault? For an organization using tokenization to secure and deidentify its sensitive data, a tokenization vault is a secure database where the organization’s original sensitive data is stored after it’s been removed from internal systems and exchanged for a nonsensitive placeholder token. Many tokenization service providers and other data protection companies use these vaults to protect information until it needs to be retrieved to make a payment, identify an individual, or serve a variety of other purposes. Tokenization vaults can be either on-premises or cloud-based. TokenEx’s method of vaulting is cloud-based due to its lower overhead, greater storage capacity, and scope-reducing capabilities. In other words, it’s more affordable and effective at reducing compliance scope to use a cloud-based tokenization vault. These benefits can be even greater for organizations whose environments are suited for “vaultless” tokenization.

Many tokenization service providers support only vaulted or on-premises tokenization, but the TokenEx Cloud Security Platform offers vaultless tokenization options to better serve the needs of our customers. Although vaultless will not be the appropriate solution for all customers, in the right use cases, it can result in more efficient performance, lower costs, and other benefits. Here is a breakdown of the two options for tokenization vaulting.

Cloud-Based Tokenization: Vault vs. Vaultless

Vaulted tokenization utilizes a database, or tokenization “vault,” to store a mapping between the tokenized sensitive data, such as a credit card number, and the corresponding token. Conversely, vaultless tokenization generates the token solely via an algorithm, so when detokenization is required, the token can be used to determine the original value without needing a tokenization vault to look it up.

In terms of token schemes, both vaultless and vaulted tokenization allow you to retain elements of the original data, such as the first six and last four numbers of the credit card primary account number (PAN). Although vaulted tokenization enables you to select numeric payment card information (PCI) tokens, all vaultless tokens will have alphanumeric values between the portions of the PAN that are retained. For many customers, this will not be an issue, but for those with specialized or numeric token schemes, vaulted tokenization remains the preferred platform.

It’s also important to note that because vaultless tokenization does not use a database for token storage, TokenEx does not have a repository of the tokens a customer has generated. However, in the event you wish to retrieve any data you’ve previously tokenized, you may do so by providing us with a batch file containing the tokens or by utilizing the TokenEx API. Both vaultless and vaulted support batch-file tokenization, provide the same level of PCI DSS scope reduction, and offer the ability to deidentify PII, PHI, and personal data.
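The contrast between the two approaches described above, as an added illustration that is not TokenEx's algorithm or code: a vaulted scheme issues a random numeric token and must keep a token-to-PAN map, while a vaultless scheme derives an alphanumeric token from a key and can reverse it with no lookup. The vaultless half uses a simplified HMAC-based Feistel construction as a stand-in for a format-preserving encryption mode (it is not FF1 and is not suitable for production); all function, class and key names are hypothetical, and the PANs in the comments are standard test numbers.

```python
import hashlib, hmac, secrets

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # radix 36 token alphabet
ROUNDS = 8

def _to_str(n, width):
    out = ""
    for _ in range(width):
        n, r = divmod(n, 36)
        out = ALPHABET[r] + out
    return out

def _f(key, tweak, i, half, mod):
    mac = hmac.new(key, f"{i}|{tweak}|{half}".encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % mod

def _feistel(key, tweak, body, decrypt=False):
    # Alternating Feistel over two halves, so odd-length bodies also work.
    u = len(body) // 2
    a, b = int(body[:u] or "0", 36), int(body[u:] or "0", 36)
    for i in (reversed(range(ROUNDS)) if decrypt else range(ROUNDS)):
        mod = 36 ** (u if i % 2 == 0 else len(body) - u)
        if decrypt:
            a, b = (b - _f(key, tweak, i, a, mod)) % mod, a
        else:
            a, b = b, (a + _f(key, tweak, i, b, mod)) % mod
    return _to_str(a, u) + _to_str(b, len(body) - u)

def vaultless_tokenize(key, pan, decrypt=False):
    # Keep first six / last four; they also act as the tweak for the middle.
    head, body, tail = pan[:6], pan[6:-4], pan[-4:]
    return head + _feistel(key, head + tail, body, decrypt) + tail

def vaultless_detokenize(key, token):
    return vaultless_tokenize(key, token, decrypt=True)  # key only, no lookup

class Vault:
    """Vaulted scheme: random numeric token, recoverable only via the stored map."""
    def __init__(self):
        self._by_token = {}  # token -> PAN; this database is the vault
    def tokenize(self, pan):
        while True:
            body = "".join(secrets.choice("0123456789") for _ in pan[6:-4])
            token = pan[:6] + body + pan[-4:]
            if token != pan and token not in self._by_token:
                self._by_token[token] = pan
                return token
    def detokenize(self, token):
        return self._by_token[token]  # KeyError if the vault has no record
```

A vault token is unrecoverable without the stored map, whereas a vaultless token is recoverable by anyone holding the key, so key custody replaces database custody as the control to protect.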

Vaultless Tokenization Benefits

A key benefit of vaultless tokenization is reduced latency, which results in a more responsive platform. This reduced latency is especially noticeable when processing a large batch file. To provide a highly available and fault-tolerant platform for our vaulted customers, vaulted data must be replicated between data centers, which, in the event of a catastrophic outage, can result in a recovery point objective (RPO)/recovery time objective (RTO) of several minutes.

With vaultless tokenization, there is no token vault to replicate, so RPO/RTO effectively drops to zero, increasing availability. Platform responsiveness also increases because there are no database reads or writes with vaultless tokenization. In a single API call, this improvement is negligible, but when processing a large batch file, the faster processing has a noticeable impact.

The TokenEx vaultless tokenization algorithm is centered on a mode of format-preserving encryption (FPE). As an additional layer of security, TokenEx applies a series of per-customer lookup tables on top of the FPE output. Our vaultless tokenization algorithm has been validated by multiple independent third parties who specialize in cryptology and application security. The additional layers of security we apply on top of FPE were also reviewed to ensure our solution’s security measures exceeded FPE-FF1 without affecting its operation or reducing its security properties.

The Future of Vault vs. Vaultless

The primary driver behind our development of a vaultless tokenization solution is the increasing number of data-localization regulations worldwide. For example, the Reserve Bank of India recently mandated that all fintech data remain in India. Currently, the TokenEx vaultless solution is deployed in our existing private-cloud data centers in the United States and the European Union. However, we expect to expand our vaultless solution to the public cloud in the latter half of 2019, allowing the TokenEx platform to operate in any geographic location, resulting in truly global capabilities.

Regardless of which vaulting method you choose, the TokenEx Cloud Security Platform provides the same level of risk mitigation and PII compliance scope reduction. Our cloud-based tokenization can be used to secure and deidentify nearly any sensitive data element to meet international regulatory compliance obligations such as those needed to appease PCI compliance solutions, NACHA compliance, the General Data Protection Regulation, the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, and more.
