Editing Tokenization (data security) (section)

== System operations, limitations and evolution ==
First generation tokenization systems use a database to map from live data to surrogate substitute tokens and back. This requires the storage, management, and continuous backup for every new transaction added to the token database to avoid data loss. Another problem is ensuring consistency across data centers, requiring continuous synchronization of token databases. Significant consistency, availability and performance trade-offs, per the [[CAP theorem]], are unavoidable with this approach. This overhead adds complexity to real-time transaction processing to avoid data loss and to assure data integrity across data centers, and also limits scale. Storing all sensitive data in one service creates an attractive target for attack and compromise, and introduces privacy and legal risk in the aggregation of data [[Internet privacy]], particularly [[Data Protection Directive|in the EU]].

Another limitation of tokenization technologies is measuring the level of security for a given solution through independent validation. With the lack of standards, the latter is critical to establish the strength of tokenization offered when tokens are used for regulatory compliance. The [[Payment Card Industry Security Standards Council|PCI Council]] recommends independent vetting and validation of any claims of security and compliance: "Merchants considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their particular implementation, including all interactions with payment card data and the particular tokenization systems and processes"<ref>[https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf PCI Council Tokenization Guidelines]</ref>

The method of generating tokens may also have limitations from a security perspective. With concerns about security and attacks to [[Random number generator attack|random number generators]], which are a common choice for the generation of tokens and token mapping tables, scrutiny must be applied to ensure proven and validated methods are used versus arbitrary design.<ref>[http://blog.cryptographyengineering.com/2014/03/how-do-you-know-if-rng-is-working.html How do you know if an RNG is working?]</ref><ref>{{Cite book |last1=Gimenez |first1=Gregoire |last2=Cherkaoui |first2=Abdelkarim |last3=Frisch |first3=Raphael |last4=Fesquet |first4=Laurent |title=2017 IEEE 2nd International Verification and Security Workshop (IVSW) |chapter=Self-timed Ring based True Random Number Generator: Threat model and countermeasures |date=2017-07-01 |chapter-url=https://ieeexplore.ieee.org/document/8031541 |location=Thessaloniki, Greece |publisher=IEEE |pages=31–38 |doi=10.1109/IVSW.2017.8031541 |isbn=978-1-5386-1708-3|s2cid=10190423 }}</ref> [[Cryptographically secure pseudorandom number generator|Random-number generators]] have limitations in terms of speed, entropy, seeding and bias, and security properties must be carefully analysed and measured to avoid predictability and compromise.

With tokenization's increasing adoption, new tokenization technology approaches have emerged to remove such operational risks and complexities and to enable increased scale suited to emerging [[big data]] use cases and high performance transaction processing, especially in financial services and banking.<ref>
{{Cite web |last=Vijayan |first=Jaikumar |date=2014-02-12 |title=Banks push for tokenization standard to secure credit card payments |url=https://www.computerworld.com/article/2487635/banks-push-for-tokenization-standard-to-secure-credit-card-payments.html |access-date=2022-11-23 |website=Computerworld |language=en}}
</ref> In addition to conventional tokenization methods, Protegrity provides additional security through its so-called "obfuscation layer." This creates a barrier that prevents not only regular users from accessing information they wouldn't see but also privileged users who has access, such as database administrators.<ref>{{Cite news |last=Mark |first=S. J. |date=2018 |title=De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act}}</ref>

Stateless tokenization allows live data elements to be mapped to surrogate values randomly, without relying on a database, while maintaining the isolation properties of tokenization.

November 2014, [[American Express]] released its token service which meets the [[EMV]] tokenization standard.<ref>{{cite web |url=http://about.americanexpress.com/news/pr/2014/amex-intros-online-mobile-payment-security.aspx |title=American Express Introduces New Online and Mobile Payment Security Services |website=AmericanExpress.com |date=3 November 2014 |access-date=2014-11-04 |archive-url=https://web.archive.org/web/20141104055035/http://about.americanexpress.com/news/pr/2014/amex-intros-online-mobile-payment-security.aspx |archive-date=2014-11-04 |url-status=dead }}</ref> Other notable examples of Tokenization-based payment systems, according to the EMVCo standard, include [[Google Wallet]], [[Apple Pay]],<ref>{{Cite web |title=Apple Pay Programming Guide: About Apple Pay |url=https://developer.apple.com/library/archive/ApplePay_Guide/index.html |access-date=2022-11-23 |website=developer.apple.com}}</ref> [[Samsung Pay]], [[Microsoft Wallet]], [[Fitbit Pay]] and [[Garmin Pay]]. [[Visa Inc.|Visa]] uses tokenization techniques to provide a secure online and mobile shopping.<ref>{{Cite web |title=Visa Token Service |url=https://usa.visa.com/products/visa-token-service.html |access-date=2022-11-23 |website=usa.visa.com |language=en}}</ref>

Using blockchain, as opposed to relying on trusted third parties, it is possible to run highly accessible, tamper-resistant databases for transactions.<ref>{{Cite journal |last1=Beck |first1=Roman |last2=Avital |first2=Michel |last3=Rossi |first3=Matti |last4=Thatcher |first4=Jason Bennett |date=2017-12-01 |title=Blockchain Technology in Business and Information Systems Research |journal=Business & Information Systems Engineering |language=en |volume=59 |issue=6 |pages=381–384 |doi=10.1007/s12599-017-0505-1 |s2cid=3493388 |issn=1867-0202|doi-access=free }}</ref><ref>{{Cite news |last1=Çebi |first1=F. |last2=Bolat |first2=H.B. |last3=Atan |first3=T. |last4=Erzurumlu |first4=Ö. Y. |date=2021 |title=International Engineering and Technology Management Summit 2021–ETMS2021 Proceeding Book |publisher=İstanbul Technical University & Bahçeşehir University |isbn=978-975-561-522-6}}</ref> With help of blockchain, tokenization is the process of converting the value of a tangible or intangible asset into a token that can be exchanged on the network.

This enables the tokenization of conventional financial assets, for instance, by transforming rights into a digital token backed by the asset itself using blockchain technology.<ref name=":2">{{Cite journal |last1=Morrow |last2=Zarrebini |date=2019-10-22 |title=Blockchain and the Tokenization of the Individual: Societal Implications |journal=Future Internet |language=en |volume=11 |issue=10 |pages=220 |doi=10.3390/fi11100220 |issn=1999-5903|doi-access=free }}</ref> Besides that, tokenization enables the simple and efficient compartmentalization and management of data across multiple users. Individual tokens created through tokenization can be used to split ownership and partially resell an asset.<ref>{{Cite journal |last1=Tian |first1=Yifeng |last2=Lu |first2=Zheng |last3=Adriaens |first3=Peter |last4=Minchin |first4=R. Edward |last5=Caithness |first5=Alastair |last6=Woo |first6=Junghoon |date=2020 |title=Finance infrastructure through blockchain-based tokenization |url=https://link.springer.com/10.1007/s42524-020-0140-2 |journal=Frontiers of Engineering Management |language=en |volume=7 |issue=4 |pages=485–499 |doi=10.1007/s42524-020-0140-2 |s2cid=226335872 |issn=2095-7513|url-access=subscription }}</ref><ref>{{Cite journal |last1=Ross |first1=Omri |last2=Jensen |first2=Johannes Rude |last3=Asheim |first3=Truls |date=2019-11-16 |title=Assets under Tokenization |url=https://papers.ssrn.com/abstract=3488344 |journal= |language=en |location=Rochester, NY |doi=10.2139/ssrn.3488344|ssrn=3488344 |s2cid=219366539 |url-access=subscription }}</ref> Consequently, only entities with the appropriate token can access the data.<ref name=":2" />

Numerous [[blockchain]] companies support asset tokenization. In 2019, [[eToro]] acquired Firmo and renamed as eToroX. Through its Token Management Suite, which is backed by USD-pegged stablecoins, eToroX enables asset tokenization.<ref>{{Cite web |last=Tabatabai |first=Arman |date=2019-03-25 |title=Social investment platform eToro acquires smart contract startup Firmo |url=https://techcrunch.com/2019/03/25/social-investment-platform-etoro-acquires-smart-contract-startup-firmo/ |access-date=2022-11-23 |website=TechCrunch |language=en-US}}</ref><ref>{{Cite web |title=eToroX Names Omri Ross Chief Blockchain Scientist |url=https://www.financemagnates.com/executives/moves/etorox-names-firmo-ceo-omri-ross-chief-blockchain-scientist/ |access-date=2022-11-23 |website=Financial and Business News {{!}} Finance Magnates |date=27 March 2019 |language=en}}</ref>

The tokenization of equity is facilitated by STOKR, a platform that links investors with small and medium-sized businesses. Tokens issued through the STOKR platform are legally recognized as transferable securities under European Union capital market regulations.<ref name=":3">{{Cite journal |last=Sazandrishvili |first=George |date=2020 |title=Asset tokenization in plain English |url=https://onlinelibrary.wiley.com/doi/10.1002/jcaf.22432 |journal=Journal of Corporate Accounting & Finance |language=en |volume=31 |issue=2 |pages=68–73 |doi=10.1002/jcaf.22432 |s2cid=213916347 |issn=1044-8136|url-access=subscription }}</ref>

Breakers enable tokenization of intellectual property, allowing content creators to issue their own digital tokens. Tokens can be distributed to a variety of project participants. Without intermediaries or governing body, content creators can integrate reward-sharing features into the token.<ref name=":3" />