Tokenization (data security)
{{short description|Concept in data security}}
{{Distinguish|tokenization (lexical analysis)}}
[[File:How mobile payment tokenization works.png|thumb|480x480px|This is a simplified example of how [[mobile payment]] tokenization commonly works via a mobile phone application with a [[credit card]].<ref>{{Cite news|url=https://www.morpho.com/en/media/tokenization-demystified-20170919|title=Tokenization demystified|date=2017-09-19|work=IDEMIA|access-date=2018-01-26|archive-url=https://web.archive.org/web/20180126000515/https://www.morpho.com/en/media/tokenization-demystified-20170919|archive-date=2018-01-26}}</ref><ref>{{Cite web|url=https://squareup.com/townsquare/what-does-tokenization-actually-mean|title=Payment Tokenization Explained|website=Square|date=8 October 2014 |language=en-US|archive-url=https://web.archive.org/web/20180102223251/https://squareup.com/townsquare/what-does-tokenization-actually-mean|archive-date=2018-01-02|access-date=2018-01-26}}</ref> Methods other than fingerprint scanning or PIN-numbers can be used at a [[payment terminal]].]]

'''Tokenization''', when applied to data security, is the process of substituting a sensitive [[data element]] with a non-sensitive equivalent, referred to as a [[Security token|token]], that has no intrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system. The mapping from original data to a token uses methods that render tokens infeasible to reverse in the absence of the tokenization system, for example using tokens created from [[Random number generation|random numbers]].<ref>[http://www.3dsi.com/blog/credit-card-tokenization-101 CardVault: "Tokenization 101"]</ref> A one-way cryptographic function is used to convert the original data into tokens, making it difficult to recreate the original data without obtaining entry to the tokenization system's resources.<ref name=":0">{{Cite journal |last=Ogigau-Neamtiu |first=F. |date=2016 |title=Tokenization as a data security technique |department=Regional Department of Defense Resources Management Studies |journal=Zeszyty Naukowe AON |volume=2 |location=Brasov, Romania |publisher=Akademia Sztuki Wojennej |issue=103 |pages=124–135 |issn=0867-2245}}</ref> To deliver such services, the system maintains a vault database of tokens that are connected to the corresponding sensitive data. Protecting the system vault is vital to the system, and improved processes must be put in place to offer database integrity and physical security.<ref>{{Cite journal |last=Ogîgău-Neamţiu |first=F. |date=2017 |title=Automating the data security process |journal=Journal of Defense Resources Management (JoDRM) |volume=8 |issue=2}}</ref>

The tokenization system must be secured and validated using security best practices<ref>{{Cite web |url=https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project |title=OWASP Top Ten Project |access-date=2014-04-01 |archive-url=https://web.archive.org/web/20191201191321/https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project |archive-date=2019-12-01 |url-status=dead }}</ref> applicable to sensitive data protection, secure storage, audit, authentication and authorization. The tokenization system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.

The security and risk reduction benefits of tokenization require that the tokenization system is logically isolated and segmented from data processing systems and applications that previously processed or stored sensitive data replaced by tokens. Only the tokenization system can tokenize data to create tokens, or detokenize back to redeem sensitive data under strict security controls. The token generation method must be proven to have the property that there is no feasible means through direct attack, [[cryptanalysis]], side channel analysis, token mapping table exposure or brute force techniques to reverse tokens back to live data.

Replacing live data with tokens in systems is intended to minimize exposure of sensitive data to those applications, stores, people and processes, reducing risk of compromise or accidental exposure and unauthorized access to sensitive data. Applications can operate using tokens instead of live data, with the exception of a small number of trusted applications explicitly permitted to detokenize when strictly necessary for an approved business purpose. Tokenization systems may be operated in-house within a secure isolated segment of the data center, or as a service from a secure service provider.

Tokenization may be used to safeguard sensitive data involving, for example, [[bank account]]s, [[financial statement]]s, [[medical record]]s, [[criminal record]]s, [[driver's license]]s, [[loan]] applications, stock [[trade (financial instrument)|trades]], [[voter registration]]s, and other types of [[personally identifiable information]] (PII). Tokenization is often used in credit card processing. The [[Payment Card Industry Data Security Standard|PCI Council]] defines tokenization as "a process by which the [[primary account number]] (PAN) is replaced with a surrogate value called a token. A PAN may be linked to a reference number through the tokenization process. In this case, the merchant simply has to retain the token and a reliable third party controls the relationship and holds the PAN. The token may be created independently of the PAN, or the PAN can be used as part of the data input to the tokenization technique. The communication between the merchant and the third-party supplier must be secure to prevent an attacker from intercepting to gain the PAN and the token.<ref>{{Cite journal |last1=Stapleton |first1=J. |last2=Poore |first2=R. S. |date=2011 |title=Tokenization and other methods of security for cardholder data |journal=Information Security Journal: A Global Perspective |volume=20 |issue=2 |pages=91–99|doi=10.1080/19393555.2011.560923 |s2cid=46272415 }}</ref> De-tokenization<ref>{{Cite book|last=Y.|first=Habash, Nizar|url=http://worldcat.org/oclc/1154286658|title=Introduction to Arabic natural language processing|date=2010|publisher=Morgan & Claypool|isbn=978-1-59829-796-6|oclc=1154286658}}</ref> is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value".<ref>[https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf PCI DSS Tokenization Guidelines]</ref>

The choice of tokenization as an alternative to other techniques such as [[encryption]] will depend on varying regulatory requirements, interpretation, and acceptance by respective auditing or assessment entities. This is in addition to any technical, architectural or operational constraint that tokenization imposes in practical use.
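
The vault model described above, as an added sketch that is not taken from the article's sources or from any product: tokens are random and created independently of the PAN, the vault holds the only mapping, and detokenization is limited to an allow-list of trusted callers with every request audited. The class, caller names and the 13 to 19 digit length check are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Toy in-memory token vault (illustrative names, not a real product's API)."""

    def __init__(self, detokenize_allowlist):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._pan_by_token = {}    # token -> PAN; the mapping that must be protected
        self._token_by_index = {}  # HMAC(PAN) -> token; repeat requests reuse a token
        self._allow = frozenset(detokenize_allowlist)
        self.audit = []            # (action, caller, token, outcome)

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()

    def tokenize(self, caller, pan):
        # Assumed input rule for this sketch: 13 to 19 decimal digits.
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("value is not a 13-19 digit PAN")
        idx = self._index(pan)
        token = self._token_by_index.get(idx)
        if token is None:
            # Random token, created independently of the PAN: nothing to reverse.
            token = "tok_" + secrets.token_hex(16)
            while token in self._pan_by_token:      # regenerate on collision
                token = "tok_" + secrets.token_hex(16)
            self._pan_by_token[token] = pan
            self._token_by_index[idx] = token
        self.audit.append(("tokenize", caller, token, "ok"))
        return token

    def detokenize(self, caller, token):
        if caller not in self._allow:
            self.audit.append(("detokenize", caller, token, "denied"))
            raise PermissionError(f"{caller} may not detokenize")
        if token not in self._pan_by_token:
            self.audit.append(("detokenize", caller, token, "unknown"))
            raise KeyError("unknown token")
        self.audit.append(("detokenize", caller, token, "ok"))
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = TokenVault({"settlement-service"})      # constructed caller names
    token = vault.tokenize("web-checkout", "4111111111111111")  # constructed sample PAN
    print(token, vault.detokenize("settlement-service", token))
```

In a deployment the two dictionaries would sit in the isolated vault database, and the audit list would feed a log that the calling applications cannot modify.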