Encryption Services Tokenisation
Tokenisation
An approach for the protection of sensitive data is the use of data substitution with a token as a replacement for a real data. In the process of tokenization, actual sensitive data is used for transactions, and after that the sensitive data is sent to a centralised, highly secure server called a “vault” where it is stored securely.
This vastly reduces an organisation’s risk in the event of a data breach because the process eliminates sensitive data from an organisation’s environment after a transaction has been authorised. If token numbers are breached, they are meaningless to anyone who would attempt to use them as the tokens are simply random numbers. Additionally, using token numbers instead of real data in back-end business applications shrinks the organisation’s environment that is subject to PCI compliance requirements and audits. This reduction of PCI scope can save an organisation significant time and money.
Tokenisation Process
- A requesting application passes a Primary Account Number (PAN), along with necessary authentication information, to a tokenisation system.
- The tokenisation system verifies the authentication information presented by the requesting application. If this check fails, the tokenisation process fails, and information is logged for monitoring. Otherwise, the process continues to Step 3.
- The tokenisation system generates—or retrieves if already exists—a token associated to the PAN and records both to the card data vault, following PCI DSS requirements for PAN storage.
- The tokenisation system returns the token generated or retrieved in Step 3 to the requesting application.
De-tokenisation Process
- The requesting application passes a token, along with necessary authentication information, to a tokenisation system.
- The tokenisation system verifies the authentication information presented by the requesting application. If this check fails, the de-tokenisation process fails, and information is logged for monitoring. Otherwise, the process continues to Step3.
- The tokenisation system queries the card data vault for a record associated with the token, retrieves the PAN if found, and proceeds to Step 4. If no such token exists, the de-tokenisation operation fails, and information is logged for monitoring.
- The tokenisation system returns the PAN value retrieved from the card data vault, if found to the requesting application. If the PAN is not found, then an error message is returned.