Tokenisation Explained: What Is Tokenization & Why Use It?
Tokenisation involves protecting sensitive, private information with something scrambled, which users call a token. Tokens can't be unscrambled and returned to their original state. Instead, a token works as a replacement for the original data.
The banking sector leans heavily on tokenisation, as regulatory agencies require it. But you might also replace important information, such as Social Security numbers, with tokens to protect them from hackers.
Most hackers truly hate tokens too. If they manage to steal them, which hackers often do, tokens are completely worthless.
A Quick History of Tokenization
We've used tokens to replace valuables for years. If you've ever exchanged money for chips in a casino, you've used tokens. But tokens entered the digital age in the early 2000s, and when we're talking about computers, tokens have a slightly different meaning.
In the late 1990s, websites stored critical information on their servers. If you filled out a job application, for example, you might have used a form that asked for these things:
- Legal name
- Social Security number
- Phone number
- Bank account number (for a credit check)
The company stored all of this data. If you ever wanted to apply for a different job, everything was preloaded.
If hackers moved past protections, they could enter databases and walk away with all kinds of important data about who you are and what you have.
In 2001, TrustCommerce released tokens. Companies could collect banking information from their clients for recurrent payments, but the system would release a token that linked the account with the user for repeat transactions. Rather than exchanging vital information out in the open, over and over, a token would keep those secondary purchases secure.
Since that time, tokenisation has moved into the mainstream. The technology hasn't changed dramatically. Companies still create tokens in much the same way, and they store them in a similar manner too. But the use of tokens has become widespread.
How Does Tokenization Work?
Tokenisation involves transforming valuable, usable data into something that is still useful but much harder to steal.
Two main token types are recognised by the World Bank.
- Front end: People create these tokens when they sign up for an online service. These tokens can be problematic, as they require users to both understand how tokens work and how to create one.
- Back end: A system creates tokens automatically. Tokenisation happens before identifiers are shared with other systems.
Whether you create a token or someone does it for you, a few simple steps are required.
- Token creation: No algorithm or computer program scrambles the data. Instead, your token might involve replacing a few numbers or letters based on rules the system created. Or your token might come from a spreadsheet of available numbers and letters. Yours is just the next in line.
- Replacement: Your token works as a substitute for the original, sensitive data. You'll never enter it again, and the system will never push it through online channels.
- Storage: Your sensitive data is scrambled (usually with encryption) and stored in a vault.
Let's consider buying something online with a token. When you signed up for the service, the website took your information and issued a token that sits in your phone. When you use the app to make another order, the token completes the transaction, and your account information remains in the vault.
The PCI Security Council releases security guidelines companies should follow as they make, store, and use tokens. But there's plenty of room for innovation. Some companies create their own proprietary token solutions to protect customer data.
Creating and storing tokens is arguably more complicated than simply storing original values. But for many companies, tokenisation is a critical business practice.
Benefits of tokens include:
- Enhanced security. Hackers are clever, and if they launch man-in-the-middle attacks, they can intercept valuable information as it moves through the internet. Since tokens are worthless and impossible to decrypt, they can stop an attack before it starts.
- Speed. Tokens can allow for automation, which makes completing transactions quicker. In industries such as blockchain, this is an important benefit.
- Regulatory compliance. In some industries, such as health care, companies are required to prove that they protect sensitive data. Using tokens may be a useful way to check this particular box. In financial sectors, using tokens is required by the Payment Card Industry Council too, so companies that don't use them could face fines.
Encryption vs Tokenization
You need to protect data from hackers, and tokens seem ideal. Don't forget that encryption may also be useful, and for some companies, encrypting data is better than swapping it out for a token.
Encryption works by putting raw data through an algorithm. A key reverses the process. Some systems use the same key for encryption and decryption, and others use a mathematically linked pair of keys (one public, one private) for encryption and decryption.
Tokenisation is different, as no keys are produced. A recipient of a message can't decrypt a token and get back to the original data. The recipient uses the token instead of the original value.
Can be decoded/decrypted
Yes, with either a public or private key (depending on the encryption type)
Not without gaining access to the vault of stored data
If stolen, thieves can use the data
Yes, if they can decrypt it
Not without gaining access to the vault of stored data
No, it must be decrypted first
Yes, it works as a replacement for the data
Works with entire files and folders
No, it only works with structured fields
Limits of Tokenization
Some companies have no choice but to use tokens. But if you do have a choice, it's useful to understand the limits of the technology.
For example, tokenisation implementation is complex. Many different companies are involved in token solutions, and they don't always work well with one another. You might contract with one token company just to find that they won't interface with another solution you're already using.
Tokens also don't provide complete security. You must also ensure that the data within your vault is protected from thieves. You could use encryption to do that work, but if you assume tokens provide all the help you need, you could be exposing your customers to real risks.
Help From Okta
Protecting customer privacy is critical, especially if you've storing information on the cloud. But determining what tools you need and then setting them up properly isn't always easy.
Let us help. Find out how Okta can help you protect data at rest and in motion.
Features: Recurring Billing. (April 2001). Internet Archive.
Tokenisation. The World Bank.
Tokenisation Product Security Guidelines. (April 2015). PCI Security Standards Council.
What Is Tokenization, and Why Is It So Important? (August 2019). Forbes.
Encryption vs Tokenization: Under the Hood. (September 2010). Tech News World.
Tokenisation vs Encryption: Which Is Better for Protecting Critical Data? (December 2020). eSecurity Planet.
Choosing Tokenization or Encryption. (May 2019). ISSA Journal.