Tokenization (data security)
== Concepts and origins ==
The concept of tokenization, as adopted by the industry today, has existed since the first [[currency]] systems emerged centuries ago as a means to reduce risk in handling high-value [[financial instrument]]s by replacing them with surrogate equivalents.<ref>{{cite news |last1=Rolfe |first1=Alex |title=The fall and rise of Tokenization |url=https://www.paymentscardsandmobile.com/the-fall-and-rise-of-tokenization/ |access-date=27 September 2022 |date=May 2015}}</ref><ref>{{Cite book |last1=Xu |first1=Xiwei |last2=Pautasso |first2=Cesare |last3=Zhu |first3=Liming |last4=Lu |first4=Qinghua |last5=Weber |first5=Ingo |title=Proceedings of the 23rd European Conference on Pattern Languages of Programs |chapter=A Pattern Collection for Blockchain-based Applications |date=2018-07-04 |chapter-url=https://doi.org/10.1145/3282308.3282312 |series=EuroPLoP '18 |location=New York, NY, USA |publisher=Association for Computing Machinery |pages=1–20 |doi=10.1145/3282308.3282312 |isbn=978-1-4503-6387-7|s2cid=57760415 }}</ref><ref>{{Cite news |last1=Millmore |first1=B. |last2=Foskolou |first2=V. |last3=Mondello |first3=C. |last4=Kroll |first4=J. |last5=Upadhyay |first5=S. |last6=Wilding |first6=D. |title=Tokens: Culture, Connections, Communities: Final Programme |publisher=The University of Warwick |url=https://warwick.ac.uk/fac/arts/classics/research/dept_projects/tcam/events/tccc/tokens_programme.pdf}}</ref> In the physical world, [[Token coin|coin tokens]] have a long history of use replacing the financial instrument of [[Mint (coin)|minted coins]] and [[banknote]]s. In more recent history, subway tokens and casino chips found adoption for their respective systems to replace physical currency and cash handling risks such as theft. [[Exonumia]] and [[scrip]] are terms synonymous with such tokens.

In the digital world, similar substitution techniques have been used since the 1970s as a means to isolate real data elements from exposure to other data systems.
In databases, for example, [[surrogate key]] values have been used since 1976 to isolate data associated with the internal mechanisms of databases and their external equivalents for a variety of uses in data processing.<ref>{{Cite news |last1=Link |first1=S. |last2=Luković |first2=I. |last3=Mogin |first3=P. |date=2010 |title=Performance evaluation of natural and surrogate key database architectures |work=School of Engineering and Computer Science, Victoria University of Wellington}}</ref><ref>{{Cite web |last1=Hall |first1=P. |last2=Owlett |first2=J. |last3=Todd |first3=S. |date=1976 |title=Relations and entities. Modelling in Database Management Systems |url= |publisher=GM Nijssen}}</ref> More recently, these concepts have been extended to consider this isolation tactic to provide a security mechanism for the purposes of data protection.

In the [[payment card]] industry, tokenization is one means of protecting sensitive cardholder data in order to comply with industry standards and government regulations.<ref>{{Cite web |url=http://www.hotel-online.com/News/PR2005_4th/Oct05_Shift4.html |title=Tokenization eases merchant PCI compliance |access-date=2013-03-28 |archive-url=https://web.archive.org/web/20121103225221/http://www.hotel-online.com/News/PR2005_4th/Oct05_Shift4.html |archive-date=2012-11-03 |url-status=dead }}</ref>

Tokenization was applied to payment card data by [[Shift4 Payments|Shift4 Corporation]]<ref>{{Cite web |url=https://www.reuters.com/article/2008/09/17/idUS168810+17-Sep-2008+PRN20080917 |title=Shift4 Corporation Releases Tokenization in Depth White Paper |website=[[Reuters]] |access-date=2017-07-02 |archive-url=https://web.archive.org/web/20140313203320/http://www.reuters.com/article/2008/09/17/idUS168810+17-Sep-2008+PRN20080917 |archive-date=2014-03-13 |url-status=dead }}</ref> and released to the public during an industry Security Summit in [[Las Vegas Valley|Las Vegas]], [[Nevada]] in 2005.<ref>{{cite magazine |date= |title=Shift4 Launches Security Tool That Lets Merchants Re-Use Credit Card Data |url=http://www.internetretailer.com/internet/marketing-conference/36258-shift4-launches-security-tool-that-lets-merchants-re-use-credit-card-data.html |magazine=Internet Retailer |archive-url=https://web.archive.org/web/20150218062740/https://www.internetretailer.com/2005/10/13/shift4-launches-security-tool-that-lets-merchants-re-use-credit |archive-date=2015-02-18}}</ref> The technology is meant to prevent the theft of the credit card information in storage. Shift4 defines tokenization as: “The concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In [[payment card industry]] (PCI) context, tokens are used to reference cardholder data that is managed in a tokenization system, application or off-site secure facility.”<ref>{{Cite web |url=http://www.shift4.com/pr_20080917_tokenizationindepth.cfm |title=Shift4 Corporation Releases Tokenization in Depth White Paper |access-date=2010-09-17 |archive-url=https://web.archive.org/web/20110716055923/http://www.shift4.com/pr_20080917_tokenizationindepth.cfm |archive-date=2011-07-16 |url-status=dead }}</ref>

To protect data over its full lifecycle, tokenization is often combined with [[end-to-end encryption]] to secure [[data in transit]] to the tokenization system or service, with a token replacing the original data on return. For example, to avoid the risks of [[malware]] stealing data from low-trust systems such as [[point of sale]] (POS) systems, as in the [http://www.securityweek.com/experts-debate-how-hackers-stole-40-million-card-numbers-target Target breach of 2013], cardholder data encryption must take place prior to card data entering the POS and not after. Encryption takes place within the confines of a security-hardened and validated card reading device and data remains encrypted until received by the processing host, an approach pioneered by [[Heartland Payment Systems]]<ref>{{Cite web |url=http://philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf |title=Lessons Learned from a Data Breach |access-date=2014-04-01 |archive-date=2013-05-02 |archive-url=http://webarchive.loc.gov/all/20130502162448/http://www.philadelphiafed.org/consumer-credit-and-payments/payment-cards-center/publications/discussion-papers/2010/D-2010-January-Heartland-Payment-Systems.pdf |url-status=dead }}</ref> as a means to secure payment data from advanced threats, now widely adopted by industry payment processing companies and technology companies.<ref>[https://archive.today/20140401073840/http://www.eweek.com/c/a/IT-Infrastructure/Voltage-Ingencio-Partner-on-Data-Encryption-Platform-559537/ Voltage, Ingencio Partner on Data Encryption Platform]</ref> The PCI Council has also specified end-to-end encryption (certified point-to-point encryption—P2PE) for various service implementations in various [https://www.pcisecuritystandards.org/security_standards/documents.php PCI Council Point-to-point Encryption] documents.
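
The Shift4 definition quoted above (a non-decryptable value that represents sensitive data by reference) is illustrated by the following added Python example, which is not part of the article or any vendor's code. The <code>TokenVault</code> class, the <code>tok_</code> prefix, the caller names and the 12-19 digit length check are assumptions made for illustration; the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical in-memory vault (assumption: a real one encrypts stored
    PANs at rest and runs as an isolated, access-controlled service)."""

    def __init__(self, allowed_callers=("payment-processor",)):
        self._allowed = set(allowed_callers)
        self._index_key = secrets.token_bytes(32)
        self._pan_by_token = {}    # token -> PAN, the only copy of the PAN
        self._token_by_index = {}  # HMAC(PAN) -> token, for repeat cards

    def _index(self, pan):
        # Keyed digest so the lookup index is not a bare hash of the PAN.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()

    def tokenize(self, pan):
        if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("expected a 12-19 digit card number")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]  # same card, same token
        # The token is random: no key or algorithm maps it back to the PAN.
        token = "tok_" + secrets.token_hex(16)
        while token in self._pan_by_token:  # regenerate on collision
            token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token, caller):
        # Recovery is a lookup by reference, gated on who is asking.
        if caller not in self._allowed:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]  # KeyError for unknown tokens


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize(pan)
    merchant_record = {"order": 1001, "card_ref": token}  # merchant keeps only this
    return vault, pan, token, merchant_record


if __name__ == "__main__":
    vault, pan, token, record = demo()
    print(record, vault.detokenize(token, "payment-processor") == pan)
```

A stolen copy of <code>merchant_record</code> yields only the token; recovering the card number requires an authorized call into the vault, which is the isolation property the section describes.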