What is Payment Tokenization?

Sujit Tripathy
3 min read · Nov 1, 2021

Tokenization is a process of devaluing sensitive information by replacing it with algorithmically generated random values. It helps protect PCI and PII data such as a credit card number or PAN (Primary Account Number), SSN, etc. Tokens can be exchanged between systems in place of the actual data, so the risk of the original data being compromised is reduced. Tokenization keeps the original data secure in the event of a data breach or hacking of a critical customer information repository or database.

Tokenization can be categorized into two types: vault tokenization and vaultless tokenization. In this brief article I will explain both along with their pros and cons. One example of a token scheme for a PAN is "first 6 and last 4", where, out of the 16 digits of the PAN, the middle 6 digits are replaced with algorithmically generated random values that can be reversed to determine the original PAN during the detokenization phase. In this article I will skip the payment authorization step with a token or PAN with a 3rd party.

Vault Tokenization

Vault tokenization involves a database that stores the mapping from the original PAN to the tokenized PAN (aka token). At the token provider, the vault DB is maintained with a high degree of security infrastructure and PCI-DSS compliance.

Step 1 — Client app sends the PAN to the token provider

Step 2 — Token provider tokenizes the PAN, creates the token, and stores the mapping from PAN to token in the vault DB

Step 3, 4 — Token provider returns the token to the client app (might include some other attributes as well, such as tracking_id etc.)

Step 5 — As part of detokenization, the client app sends the token to the provider

Step 6 — Token provider fetches the PAN based on the token the client app sent

Step 7, 8 — Token provider returns the original PAN to the client app

Vault tokenization might face challenges around scaling the vault DB and around latency when millions of PANs need to be tokenized and stored. The tokenization provider must use database sharding to address the scaling issue and apply other mechanisms to reduce the latency the client application sees while tokenizing and detokenizing sensitive information.

Vaultless Tokenization

In contrast to vault tokenization, vaultless tokenization does not involve a vault DB; instead it applies a cryptographic algorithm in memory, utilizing an HSM (hardware security module) for tokenization and detokenization.

Step 1 — Client app sends the PAN to the token provider

Step 2 — Token provider tokenizes the PAN and creates the token on the fly, utilizing a cryptographic algorithm with a one-to-one mapping between PAN and token

Step 3, 4 — Token provider returns the token to the client app (might include some other attributes as well, such as tracking_id etc.)

Step 5 — As part of detokenization, the client app sends the token to the provider

Step 6 — Token provider uses the HSM to compute the original data from the tokenized data

Step 7, 8 — Token provider returns the original PAN to the client app

Vaultless tokenization is secure and has reduced latency compared to vault tokenization, as there is no DB dependency. Because the HSM computes the tokenization in memory, vaultless tokenization is fast and can scale with low latency.
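Both models side by side, as an added Python example that is not from this post or from any provider: a vault tokenizer that draws a random middle 6 and stores the PAN-to-token mapping, and a vaultless one that applies a keyed Feistel permutation to the middle 6 digits (HMAC-SHA256 as the round function, a simplified illustration rather than a standardized format-preserving mode such as NIST FF1), so the same key recovers the PAN with nothing stored. The key bytes and PANs are constructed test values.

```python
import hashlib
import hmac
import secrets

def split_pan(pan: str) -> tuple[str, str, str]:
    """First-6/last-4 scheme: only the middle 6 digits of a 16-digit PAN are replaced."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected a 16-digit PAN")
    return pan[:6], pan[6:12], pan[12:]

class VaultTokenizer:
    """Vault model: draw a random middle and store the PAN <-> token mapping (the 'vault DB')."""
    def __init__(self) -> None:
        self.pan_to_token = {}                    # stands in for the vault database
        self.token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self.pan_to_token:              # same PAN always maps to the same token
            return self.pan_to_token[pan]
        bin6, _, last4 = split_pan(pan)
        while True:                               # redraw on a collision with an already issued token
            token = bin6 + f"{secrets.randbelow(10**6):06d}" + last4
            if token != pan and token not in self.token_to_pan:
                break
        self.pan_to_token[pan], self.token_to_pan[token] = token, pan
        return token

    def detokenize(self, token: str) -> str:
        return self.token_to_pan[token]           # KeyError for a token this vault never issued

class VaultlessTokenizer:
    """Vaultless model: a keyed one-to-one mapping on the middle 6 digits, nothing stored."""
    ROUNDS = 8
    def __init__(self, key: bytes) -> None:
        self.key = key                            # in a real deployment the key stays inside the HSM

    def _f(self, rnd: int, half: int) -> int:     # keyed round function: 3-digit half -> 0..999
        mac = hmac.new(self.key, f"{rnd}:{half}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:8], "big") % 1000

    def tokenize(self, pan: str) -> str:
        bin6, mid, last4 = split_pan(pan)
        l, r = int(mid[:3]), int(mid[3:])
        for rnd in range(self.ROUNDS):            # Feistel rounds: a bijection on the 10**6 middles
            l, r = r, (l + self._f(rnd, r)) % 1000
        return f"{bin6}{l:03d}{r:03d}{last4}"

    def detokenize(self, token: str) -> str:
        bin6, mid, last4 = split_pan(token)
        l, r = int(mid[:3]), int(mid[3:])
        for rnd in reversed(range(self.ROUNDS)):  # run the rounds backwards to recover the PAN
            l, r = (r - self._f(rnd, l)) % 1000, l
        return f"{bin6}{l:03d}{r:03d}{last4}"
```

Note that replacing the middle digits generally breaks the PAN's Luhn check digit, so a token produced this way is not itself a valid card number.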

There are many providers that support tokenization with the vaultless model, such as Bluefin (ShieldConex product), Protegrity, TokenEx and many others. These providers support REST API integration for tokenization and detokenization with various types of authentication such as Basic Auth, HMAC, RSA, etc. The integration with a provider can take different forms, such as iFrame technology for a web UI and REST API based integration for backend server-to-server communication.

That’s all for now on payments tokenization. Thanks for reading :)


Sujit Tripathy

Senior Engineer | Continuous Learner | Living in Bay Area, SF