NY
Uploaded byNabeel Yoosuf
6,555 views

Introduction to Tokenization

Tokenization is the process of replacing sensitive data with a surrogate value, or token, while preserving certain characteristics to ensure data security. It enables reduced risk of data exposure, minimizes the scope of PCI compliance, and requires minimal application modifications. The document also outlines the distinctions between single-use and multi-use tokens, as well as how tokenization compares to encryption in terms of format preservation and reversibility.

Technology
Related topics:
PCI DSS Training

Embed presentation

Introduction to Tokenization Prepared by @nabeelxy 8/28/2014
What is tokenization? • Replace a value with a surrogate value called “token” value Tokenize token • Examples Value Token Comment 1344 6423 1231 1521 aX73pQ43T1#+4oxT4 Token consists of alphanumeric values 1344 6423 1231 1521 3124224578918001 Token consists of numeric values only 1344 6423 1231 1521 aX73pQ43T1#+y1521 Token replaces the first 12 digits with a alphanumeric value
Properties of a Good Token • Format and length preserving • Some characteristics may be preserved (e.g. last four digits of CC#s) • Irreversible without some private information (i.e. given a token, it is difficult to find the value) • Distinguishable from the value – If the token is not distinguishable from the value, customers won’t be able to identify sensitive data and apply proper protection mechanisms; further, customers may inadvertently leak sensitive data thinking they are tokens
What is de-tokenization? • The reverse process of finding the actual value from a token token De-tokenize value
Why tokenize? • Reduced risk due to limited exposure of sensitive information (sensitive information is centralized in one location and downstream apps work with tokens) • Reduce the PCI scope (the number of nodes with sensitive data reduces) • Minimal changes to applications to support tokenization (tokenization is format and length preserving)
An Example – Tokenizing CC#s Point of Payment App Sale Tokenization System (2) Tokenize CC (3) Tokenized CC (1) Payment, CC Customer Data Warehouse (4) Tokenized CC Order Processing App CRM App [INTERNET] MERCHANT DATA CENTER (5) Tokenized CC
Single-use vs. Multi-use tokens Single-use token Multi-use token Usually used to represent a single transaction Usually used to represent a unique value (for example, CC#), usually used across multiple transactions A given value, it may map to multiple tokens Token maps to a unique value within the tokenization system Short lived Long lived
How to Generate Tokens? • Use a mathematically reversible cryptographic function (e.g. Format Preserving Encryption) • Use a one-way non-reversible cryptographic function (e.g. a hash function such as SHA-2) • Static tables mapping values to random tokens (tokens are not mathematically derived from values)
Tokenization Process
De-tokenization Process
How to manage tokens? • Two options – In-house – Third-party service provider • In-house tokenization server – Company owns and operates the token system and token database – The token server stores the original sensitive data – Usually used by large companies who wants to keep sensitive data • Third-party tokenization server (TaaS – Tokenization as a Service) – Third-party service providers generate tokens and give to companies – Usually used by small companies who do not want actual sensitive data – E.g. In CC transactions, the payment processor generates a token and gives only the token to merchant for future references (e.g.: recurring fees, refund, etc.) – sacrifice control and pay higher tax fee in exchange for convenience, reduced liability and cheaper PCI compliance.
Tokenization vs. Encryption Tokenization Encryption Output is format and length preserving Output is not generally format or length preserving (e.g. AES, RSA) (exception – FPE – Format Preserving Encryption, OPE – Order Preserving Encryption) May or may not use encryption as the mapping function (could use a hash function or a static mapping table) Encryption does not have any using tokenization internally Out is may or may not be reversible Output is always reversible given the key Regulatory compliance – PCI DSS Regulatory compliance – Safe Harbor, HIPAA A main use case is to reduce PCI scope by passing tokens to downstream applications A main use case is to ensure the confidentiality of data at rest (even if the storage media is compromised to lost, attackers are not able to see the actual data as they don’t have the keys)
How Tokenization is currently Used in the corporate market? • Use tokenization to replace sensitive data such as CC# with random numbers (3rd method of tokenization mentioned earlier) • Keep the sensitive data encrypted in a database • Since tokens preserve the length and format, changes to applications is minimal • The sensitive data is exposed only when it is necessary; otherwise, apps work with the tokens
References • PCI DSS Tokenization Guidelines, 2011

More Related Content

PDF
Tokenization
byPavel Kravchenko, PhD
 
PPTX
Blockchain for business
byPavel Kravchenko, PhD
 
PPTX
Non-fungible tokens (nfts)
byGene Leybzon
 
PDF
►TOP 13 • Blockchain Use Cases
byAndrea Soto
 
PDF
The Future of Money: Decentralized Finance
byJ. Scott Christianson
 
PDF
The Global Crypto Classification Standard by 21Shares & CoinGecko
byCoinGecko
 
PDF
Blockchain technology
byAlpnaSingh5
 
PPTX
Drivers for CBDC and implications for architecture
byDavid Birch
 
Tokenization
byPavel Kravchenko, PhD
 
Blockchain for business
byPavel Kravchenko, PhD
 
Non-fungible tokens (nfts)
byGene Leybzon
 
►TOP 13 • Blockchain Use Cases
byAndrea Soto
 
The Future of Money: Decentralized Finance
byJ. Scott Christianson
 
The Global Crypto Classification Standard by 21Shares & CoinGecko
byCoinGecko
 
Blockchain technology
byAlpnaSingh5
 
Drivers for CBDC and implications for architecture
byDavid Birch
 

What's hot

PPTX
Blockchain technology
byDr. Mohamed Torky
 
PPTX
Blockchain consensus algorithms
byAnurag Dashputre
 
PPTX
What is tokenization in blockchain?
byUlf Mattsson
 
PDF
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
byEdureka!
 
PPTX
Blockchain Technology
byRashi Singh
 
PDF
Blockchain and Banking
byHyperTrends Global Inc.
 
PPTX
Block chain technology
byMd. Syful Azam
 
PPTX
Blockchain Technology
byMufaddal Nullwala
 
PDF
Blockchain
byFrank Calberg
 
PDF
Blockchain Technology | Blockchain Explained | Blockchain Tutorial | Blockcha...
byEdureka!
 
PDF
How does blockchain work
byShishir Aryal
 
PPTX
BLOCK CHAIN technology for the students.
byRajasekhar364622
 
PDF
An Introduction to Blockchain
byNexThoughts Technologies
 
PPTX
BLOCK CHAIN
bySaima Mustafa
 
PDF
An Introduction to Blockchain Technology
byNiuversity
 
PDF
Understanding Bitcoin
byLeslie Bayona
 
PDF
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
byEdureka!
 
PPTX
Blockchain concepts
byMurughan Palaniachari
 
PPTX
Introduction To Cryptocurrency
byPranjal Bhogal
 
PPTX
BCT.pptx
byssuser3a47cb
 
Blockchain technology
byDr. Mohamed Torky
 
Blockchain consensus algorithms
byAnurag Dashputre
 
What is tokenization in blockchain?
byUlf Mattsson
 
Blockchain Explained | Blockchain Simplified | Blockchain Technology | Blockc...
byEdureka!
 
Blockchain Technology
byRashi Singh
 
Blockchain and Banking
byHyperTrends Global Inc.
 
Block chain technology
byMd. Syful Azam
 
Blockchain Technology
byMufaddal Nullwala
 
Blockchain
byFrank Calberg
 
Blockchain Technology | Blockchain Explained | Blockchain Tutorial | Blockcha...
byEdureka!
 
How does blockchain work
byShishir Aryal
 
BLOCK CHAIN technology for the students.
byRajasekhar364622
 
An Introduction to Blockchain
byNexThoughts Technologies
 
BLOCK CHAIN
bySaima Mustafa
 
An Introduction to Blockchain Technology
byNiuversity
 
Understanding Bitcoin
byLeslie Bayona
 
Blockchain 101 | Blockchain Tutorial | Blockchain Smart Contracts | Blockchai...
byEdureka!
 
Blockchain concepts
byMurughan Palaniachari
 
Introduction To Cryptocurrency
byPranjal Bhogal
 
BCT.pptx
byssuser3a47cb
 

Similar to Introduction to Tokenization

PPTX
Encryption and Tokenization: Friend or Foe?
byZach Gardner
 
PDF
Tokenization: What's Next After PCI?
byEMC
 
PDF
Ken Smith - Tokenization
bySource Conference
 
PPTX
Tokenization Webinar featuring Securosis - Intel
byIntel - API Security & Tokenization
 
PDF
Ulf mattsson the standardization of tokenization and moving beyond pci
byUlf Mattsson
 
PPTX
PCI DSS Conference in London UK 2011
byUlf Mattsson
 
PPTX
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
byTokenEx
 
PDF
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
byNisum
 
PDF
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
byIRJET Journal
 
PDF
Tokenization Payment Data Out Securing Payment Data Storage
by- Mark - Fullbright
 
PPTX
How Data Tokenization Technology is Powering Industry Growth.pptx
byalbertbeckles3
 
PDF
The Role of Data Tokenization in Next-Gen Blockchain Solutions.pdf
byalbertbeckles3
 
PDF
Enterprise Data Protection - Understanding Your Options and Strategies
byUlf Mattsson
 
PDF
Tokenization
byCentury Business Solutions
 
PPTX
The Role of Data Tokenization in Next-Gen Blockchain Solutions.pptx
byalbertbeckles3
 
PDF
Data Tokenization Explained: Use Cases, Benefits & Why It Matters in 2025
byrose mason
 
PPTX
The Rising of Data Tokenization Technologies for Global Enterprises (1).pptx
byalbertbeckles3
 
PPTX
Emerging application and data protection for cloud
byUlf Mattsson
 
PDF
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
byPrecisely
 
DOCX
6 ways reduce pci dss audit scope tokenizing cardholder data
byRichard Thompson
 
Encryption and Tokenization: Friend or Foe?
byZach Gardner
 
Tokenization: What's Next After PCI?
byEMC
 
Ken Smith - Tokenization
bySource Conference
 
Tokenization Webinar featuring Securosis - Intel
byIntel - API Security & Tokenization
 
Ulf mattsson the standardization of tokenization and moving beyond pci
byUlf Mattsson
 
PCI DSS Conference in London UK 2011
byUlf Mattsson
 
PCI Scope Reduction Using Tokenization for Security Assessors (QSA, ISA)
byTokenEx
 
White Paper: Tokenization, Credit Card Fraud Prevention, Beyond PCI Measures
byNisum
 
IRJET- Improved Vault based Tokenization to Boost Vault Lookup Performance
byIRJET Journal
 
Tokenization Payment Data Out Securing Payment Data Storage
by- Mark - Fullbright
 
How Data Tokenization Technology is Powering Industry Growth.pptx
byalbertbeckles3
 
The Role of Data Tokenization in Next-Gen Blockchain Solutions.pdf
byalbertbeckles3
 
Enterprise Data Protection - Understanding Your Options and Strategies
byUlf Mattsson
 
Tokenization
byCentury Business Solutions
 
The Role of Data Tokenization in Next-Gen Blockchain Solutions.pptx
byalbertbeckles3
 
Data Tokenization Explained: Use Cases, Benefits & Why It Matters in 2025
byrose mason
 
The Rising of Data Tokenization Technologies for Global Enterprises (1).pptx
byalbertbeckles3
 
Emerging application and data protection for cloud
byUlf Mattsson
 
Security 101: Protecting Data with Encryption, Tokenization & Anonymization
byPrecisely
 
6 ways reduce pci dss audit scope tokenizing cardholder data
byRichard Thompson
 

More from Nabeel Yoosuf

PDF
Building RESTful Applications
byNabeel Yoosuf
 
PDF
Introduction to OAuth 2.0 - Part 2
byNabeel Yoosuf
 
PDF
Introduction to OAuth 2.0 - Part 1
byNabeel Yoosuf
 
PPTX
Introduction to OAuth 2.0 - Part 1
byNabeel Yoosuf
 
PPT
API Façade Pattern
byNabeel Yoosuf
 
PPT
Oracle Transparent Data Encryption (TDE) 12c
byNabeel Yoosuf
 
PDF
Privacy Preserving Access Control for Third Party Data Management Systems
byNabeel Yoosuf
 
PDF
Efficient privacy preserving publish subscribe systems
byNabeel Yoosuf
 
PDF
Access Control: Principles and Practice
byNabeel Yoosuf
 
PDF
Efficient Filtering in Pub-Sub Systems using BDD
byNabeel Yoosuf
 
PDF
Pub-Sub Systems and Confidentiality/Privacy
byNabeel Yoosuf
 
PDF
A Structure Preserving Approach for Securing XML Documents
byNabeel Yoosuf
 
Building RESTful Applications
byNabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 2
byNabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 1
byNabeel Yoosuf
 
Introduction to OAuth 2.0 - Part 1
byNabeel Yoosuf
 
API Façade Pattern
byNabeel Yoosuf
 
Oracle Transparent Data Encryption (TDE) 12c
byNabeel Yoosuf
 
Privacy Preserving Access Control for Third Party Data Management Systems
byNabeel Yoosuf
 
Efficient privacy preserving publish subscribe systems
byNabeel Yoosuf
 
Access Control: Principles and Practice
byNabeel Yoosuf
 
Efficient Filtering in Pub-Sub Systems using BDD
byNabeel Yoosuf
 
Pub-Sub Systems and Confidentiality/Privacy
byNabeel Yoosuf
 
A Structure Preserving Approach for Securing XML Documents
byNabeel Yoosuf
 

Recently uploaded

PPTX
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
PDF
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
PDF
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
PPTX
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
PDF
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
PDF
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
PDF
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
PPTX
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
PDF
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
PDF
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
PDF
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
PDF
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 
INSY_7213_Theme Sessions 47 & 48 Advanced databases.pptx
bystormzy56
 
TrustArc Webinar - From Zero to Privacy Hero: Launching Your Program Right an...
byTrustArc
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Enterprise Data Services_ A Development Guide with Use Cases, Trends and Impl...
by2601harsh23
 
Why AI Girlfriends Are the Future of Digital Companionship
byAi Angels
 
2026 SCORM Troubleshooting Rustici + dominKnow.pptx
byRustici Software
 
Transcript: What Thema can do: Leveraging metadata to support the discoverabi...
byBookNet Canada
 
Certified AI-Empowered SAFe Release Train Engineer.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Fortinet Certified Fundamentals in Cybersecurity
byVICTOR MAESTRE RAMIREZ
 
Certified AI-Native Foundations Professional.pdf
byMarc Entsminger SPC6, RTE, SSM, SA, SDP
 
TechSprint WinterHack — Top 10 Teams Pitching Session we are excited for pit...
bybajpaitusharoffon678
 
7 Essential Types of Penetration Testing Services Every Business Should Under...
bypandeydevika621
 
How to Design Premium Health (Public Health) PPT Using AI? Top Strategies
byPublic Health Concern Nepal
 
JCB_3CX_SPECS (24 págs) companywrench.com .pdf
byAquilesOyarzn1
 
Peculiar Findings Around CEX Activity and ETH Price
bytobbymnbvcxz
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
"When every team does things "right", but together it turns into chaos", Yozh...
byFwdays
 

Introduction to Tokenization

  • 1.
    Introduction to Tokenization Prepared by @nabeelxy 8/28/2014
  • 2.
    What is tokenization? • Replace a value with a surrogate value called “token” value Tokenize token • Examples Value Token Comment 1344 6423 1231 1521 aX73pQ43T1#+4oxT4 Token consists of alphanumeric values 1344 6423 1231 1521 3124224578918001 Token consists of numeric values only 1344 6423 1231 1521 aX73pQ43T1#+y1521 Token replaces the first 12 digits with a alphanumeric value
  • 3.
    Properties of aGood Token • Format and length preserving • Some characteristics may be preserved (e.g. last four digits of CC#s) • Irreversible without some private information (i.e. given a token, it is difficult to find the value) • Distinguishable from the value – If the token is not distinguishable from the value, customers won’t be able to identify sensitive data and apply proper protection mechanisms; further, customers may inadvertently leak sensitive data thinking they are tokens
  • 4.
    What is de-tokenization? • The reverse process of finding the actual value from a token token De-tokenize value
  • 5.
    Why tokenize? •Reduced risk due to limited exposure of sensitive information (sensitive information is centralized in one location and downstream apps work with tokens) • Reduce the PCI scope (the number of nodes with sensitive data reduces) • Minimal changes to applications to support tokenization (tokenization is format and length preserving)
  • 6.
    An Example –Tokenizing CC#s Point of Payment App Sale Tokenization System (2) Tokenize CC (3) Tokenized CC (1) Payment, CC Customer Data Warehouse (4) Tokenized CC Order Processing App CRM App [INTERNET] MERCHANT DATA CENTER (5) Tokenized CC
  • 7.
    Single-use vs. Multi-usetokens Single-use token Multi-use token Usually used to represent a single transaction Usually used to represent a unique value (for example, CC#), usually used across multiple transactions A given value, it may map to multiple tokens Token maps to a unique value within the tokenization system Short lived Long lived
  • 8.
    How to GenerateTokens? • Use a mathematically reversible cryptographic function (e.g. Format Preserving Encryption) • Use a one-way non-reversible cryptographic function (e.g. a hash function such as SHA-2) • Static tables mapping values to random tokens (tokens are not mathematically derived from values)
  • 9.
  • 10.
  • 11.
    How to managetokens? • Two options – In-house – Third-party service provider • In-house tokenization server – Company owns and operates the token system and token database – The token server stores the original sensitive data – Usually used by large companies who wants to keep sensitive data • Third-party tokenization server (TaaS – Tokenization as a Service) – Third-party service providers generate tokens and give to companies – Usually used by small companies who do not want actual sensitive data – E.g. In CC transactions, the payment processor generates a token and gives only the token to merchant for future references (e.g.: recurring fees, refund, etc.) – sacrifice control and pay higher tax fee in exchange for convenience, reduced liability and cheaper PCI compliance.
  • 12.
    Tokenization vs. Encryption Tokenization Encryption Output is format and length preserving Output is not generally format or length preserving (e.g. AES, RSA) (exception – FPE – Format Preserving Encryption, OPE – Order Preserving Encryption) May or may not use encryption as the mapping function (could use a hash function or a static mapping table) Encryption does not have any using tokenization internally Out is may or may not be reversible Output is always reversible given the key Regulatory compliance – PCI DSS Regulatory compliance – Safe Harbor, HIPAA A main use case is to reduce PCI scope by passing tokens to downstream applications A main use case is to ensure the confidentiality of data at rest (even if the storage media is compromised to lost, attackers are not able to see the actual data as they don’t have the keys)
  • 13.
    How Tokenization iscurrently Used in the corporate market? • Use tokenization to replace sensitive data such as CC# with random numbers (3rd method of tokenization mentioned earlier) • Keep the sensitive data encrypted in a database • Since tokens preserve the length and format, changes to applications is minimal • The sensitive data is exposed only when it is necessary; otherwise, apps work with the tokens
  • 14.
    References • PCIDSS Tokenization Guidelines, 2011