Editing Tokenization (data security) (section)

== Risk reduction ==
Tokenization can render it more difficult for attackers to gain access to sensitive data outside of the tokenization system or service. Implementation of tokenization may simplify the requirements of the [[Payment Card Industry Data Security Standard|PCI DSS]], as systems that no longer store or process sensitive data may have a reduction of applicable controls required by the PCI DSS guidelines.

As a security best practice,<ref>{{Cite web |url=https://www.owasp.org/index.php/Guide_to_Cryptography |title=OWASP Guide to Cryptography |access-date=2014-04-01 |archive-url=https://web.archive.org/web/20140407071624/https://www.owasp.org/index.php/Guide_to_Cryptography |archive-date=2014-04-07 |url-status=dead }}</ref> independent assessment and validation of any technologies used for data protection, including tokenization, must be in place to establish the security and strength of the method and implementation before any claims of privacy compliance, regulatory compliance, and data security can be made. This validation is particularly important in tokenization, as the tokens are shared externally in general use and thus exposed in high risk, low trust environments. The infeasibility of reversing a token or set of tokens to a live sensitive data must be established using industry accepted measurements and proofs by appropriate experts independent of the service or solution provider.