The concept of tokenization has been around for a long time. A simple example of tokenization is the case number in a criminal investigation. The case number itself is a token -- simply a piece of data that symbolizes or is used to reference another piece of data, which in this instance includes the details and notes about an investigation. A properly implemented token is not related in any way to the original data other than by reference.
Tokenization was developed initially by Shift4 Corp. and has been around since 2005. Although it can be used with any kind of sensitive data, such as medical information, it was developed specifically to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Sensitive card and transaction data is safely stored in a separate location, be it a different database, application or off-site data warehouse, and is referenced by a unique identifier. On the basis that you can't steal what's not there, it looks to be an exciting development in digital data security
There are implementation issues that need to be considered, though, and to answer your question, you still need encryption in my opinion. In order to replace any data with a token, you first need to process it, meaning the information needs to be transmitted to the data storage facility, so your security rests on the encryption of your communication channel. To avoid a man-in-the-middle interception or other type of attack, you need to use SSL with digital certificates at both the transmitting and receiving ends. The central storage location in a tokenization product needs to be ultra secure and use encryption as part of its defense in depth. It, and any company providing credit card tokenization services, certainly represents a single point of failure and an attractive target for hackers. Admittedly, the recovery of any data from tokens would require detailed technical knowledge of the system as well as a privileged level of access, but an insider could certainly pose a significant threat.
Tokenization does make it more difficult for hackers to gain access to sensitive data and is becoming a popular means of bolstering the security of electronic transactions. The all-important card data isn't stored on the merchant's point-of-sale equipment, making them PCI DSS compliant. But if the token could be used like a credit card number, it probably wouldn't meet the security standard; implementation is key. Also, banks have already spent a lot of money on alternative solutions so they may not be willing to abandon them in favor of this relatively new approach. If it really proves its worth, tokenization may become a data-security standard. Being cynical, the major card brands may not be too keen on it, given that they generate revenues by charging data security fees to their merchant customers.
This was first published in September 2009