The concept of tokenization has been around for a long time. A simple example of tokenization is the case number...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
in a criminal investigation. The case number itself is a token -- simply a piece of data that symbolizes or is used to reference another piece of data, which in this instance includes the details and notes about an investigation. A properly implemented token is not related in any way to the original data other than by reference.
Tokenization was developed initially by Shift4 Corp. and has been around since 2005. Although it can be used with any kind of sensitive data, such as medical information, it was developed specifically to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Sensitive card and transaction data is safely stored in a separate location, be it a different database, application or off-site data warehouse, and is referenced by a unique identifier. On the basis that you can't steal what's not there, it looks to be an exciting development in digital data security
There are implementation issues that need to be considered, though, and to answer your question, you still need encryption in my opinion. In order to replace any data with a token, you first need to process it, meaning the information needs to be transmitted to the data storage facility, so your security rests on the encryption of your communication channel. To avoid a man-in-the-middle interception or other type of attack, you need to use SSL with digital certificates at both the transmitting and receiving ends. The central storage location in a tokenization product needs to be ultra secure and use encryption as part of its defense in depth. It, and any company providing credit card tokenization services, certainly represents a single point of failure and an attractive target for hackers. Admittedly, the recovery of any data from tokens would require detailed technical knowledge of the system as well as a privileged level of access, but an insider could certainly pose a significant threat.
Tokenization does make it more difficult for hackers to gain access to sensitive data and is becoming a popular means of bolstering the security of electronic transactions. The all-important card data isn't stored on the merchant's point-of-sale equipment, making them PCI DSS compliant. But if the token could be used like a credit card number, it probably wouldn't meet the security standard; implementation is key. Also, banks have already spent a lot of money on alternative solutions so they may not be willing to abandon them in favor of this relatively new approach. If it really proves its worth, tokenization may become a data-security standard. Being cynical, the major card brands may not be too keen on it, given that they generate revenues by charging data security fees to their merchant customers.
Dig Deeper on Database Security Management
Related Q&A from Michael Cobb
What is BGP hijacking or IP hijacking and how do cybercriminals pull off the attacks? Expert Michael Cobb explains how enterprises can mitigate these...continue reading
Is the Dell eDellRoot security threat a serious problem and, if so, can it be prevented with self-signed root certificate authorities? Expert Michael...continue reading
What does FIPS 140-2 Level 2 certification for devices cover? Expert Michael Cobb explains the FIPS 140-2 security standard and how vendors use it in...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.