Protegrity Vaultless Tokenization

Transcription

1 Protegrity Vaultless Tokenization Protegrity Vaultless Tokenization employs a patent-pending approach to tokenization that improves security and efficiency by eliminating the need for a token vault. By removing the token vault, it eliminates the storage of the sensitive data and tokens resulting in superior efficiencies for improved performance, security and lower total cost of ownership. What is Vaultless Tokenization? Vaultless tokenization is a secure, fast, and small footprint data protection approach that delivers random, data type and length preserving tokens with no need for a token vault or database. What is vault-based tokenization? Vault-based tokenization is a data protection approach that uses a large database lookup table as a means of pairing up randomly generated tokens with corresponding sensitive data. When given sensitive data, it will return a token. When given a token, it will return sensitive data. The database is typically locked down in a vault and grows dynamically in direct proportion to new or unique sensitive data entering the system. The reason most people call this approach vault-based is due to the use of a large database table that metaphorically represents a vault where the sensitive data is stored and secured. What s the difference between Protegrity Vaultless Tokenization and vault-based tokenization? Both vaultless and vault-based tokenization return random, data type and length preserving tokens. While the functionality is nearly identical, the difference is in the architecture. Protegrity s Vaultless Tokenization approach yields many advantages over vault-based tokenization. Protegrity Vaultless Tokenization does not use an ever-growing database and/or lookup table to store sensitive data or tokens. In fact, a database table is not used in the lookup process at all. Protegrity Vaultless Tokenization uses a tiny tokenization engine that is capable of generating as many tokens as needed without growing in size and there is no need for a vault. Another significant advantage with Vaultless Tokenization is the ability to significantly reduce or eliminate financial and brand liability due to the fact that a credit card number or token is never retained or stored. How does Protegrity Vaultless Tokenization work? Protegrity Vaultless Tokenization breaks up the token creation process into a set of multiple lookups. The lookups are performed on random, pre-generated, static mapping tables. The input data is traversed and the outcome is a random token that is data type and length preserving. Page 1

2 How does Protegrity Vaultless Tokenization perform? Performance for Protegrity Vaultless Tokenization greatly exceeds that of vault-based tokenization. While some of today s tokenization solutions show performance of as low as 5 tokens per second (tps) and as high as 5000 tps, Protegrity Vaultless Tokenization has been benchmarked at 200,000 tps. Even though Protegrity Vaultless Tokenization outperforms vault-based tokenization, customers are always looking to push the limits on performance to meet tight Service Level Agreements (SLAs). Performance can be enhanced through various mechanisms; 1. Each token server can accept up to 200 connections, so parallel processing can improve throughput. 2. Batch tokenization can reduce the number of round trips to and from the token server by tokenizing batches of sensitive data in a single trip. 3. Token server farms front ended by a load balancer can improve or reduce throughput by easily adding or removing token servers. Finally, the latency caused by going out to a token server can be eliminated by placing the tokenization on the database or inside the API process. This approach will not deliver a PCI out of scope condition for the database or application, but it can be leveraged with PII and PHI data. Have security experts validated Vaultless Tokenization? While no tokenization standard currently exists, the vaultless tokenization method that Protegrity invented is validated and approved by Dr. Bart Preneel, professor at the Katholieke University Leuven, Belgium; the same university that invented AES, today s gold standard for encryption. In reference to our vaultless tokenization approach, Dr. Preneel stated The tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions. Removing the token vault from tokenization is a giant step for the data protection industry. By placing tokenization on the database and adding data types, Protegrity now offers the most complete array of Vaultless Tokenization solutions for PCI, PII, and PHI compliance. Raul Ortega, Vice President, Corporate Strategy and Business Development, Protegrity Page 2

3 What other companies offer vaultless tokenization? Protegrity invented vaultless tokenization and it is the only company that currently offers it to the marketplace. Is vaultless tokenization patented? Protegrity has an extensive portfolio of patents and patents pending on both vaultless as well as vault-based tokenization. Who offers or uses vault-based tokenization? To the best of our knowledge, every company that says that they have tokenization capabilities offers or uses vault-based tokenization. Companies such as RSA, Voltage, Shift4, Intel, SafeNet, Liaison as well as most processors and gateways all use vault-based tokenization. Many companies have also implemented their own home grown tokenization solutions that are also vault-based. Up until now, vault-based tokenization has been the only option. On the surface, this approach seems simple but in reality and in practical use scenarios, it breaks down, especially with PII/PHI data. Vault-based tokenization simply cannot scale without massive infrastructure and huge costs. What is the difference between encryption and tokenization? The simple difference is that encryption uses an encryption algorithm (cipher) and an encryption key, whereas tokenization is based on random data replacement using code books or token tables. However, there are some contrasts. The choice of encryption algorithm and the resulting crypto text will have an impact on applications and databases that integrate data protection. Most common encryption algorithms (AES and Triple DES) generate crypto text that is likely to have a different data type and length than the input data. When integrating this type of encryption within applications and databases, a fair amount of work will be required for the integration. Some newer encryption algorithms preserve the data type and length of the original data. These algorithms are slower than those that don t preserve data type and length. However, having this property makes it a bit easier to integrate this type of data protection into applications or databases. Page 3

4 How secure is Protegrity Vaultless Tokenization as compared to encryption? Tokens are random numbers that are data type and length preserving. There is no relationship between the input data and the generated random token. This means that you can t reverse engineer sensitive data from a token or a token from sensitive data. The only way to do this is to go through a lookup process. A random token is unbreakable. As we ve seen with many recent data security breaches, an attacker can break encryption, which is implemented with an algorithm and a key. What s the difference between vaultless tokenization, vault-based tokenization and encryption-based tokenization? There are major and important differences between vaultless, vault-based, and encryption-based tokenization. Vault-Based Vaultless Encryption-based Protection Random Token Random Token Key & Cryptographic Algorithm (cipher) Format Type & Length Preserving Type & Length Preserving or Non- Type & Length Preserving 3 PCI DSS Guidance Multi-Use 1 Multi-Use 1 Single-Use 2 Note 1: Multi-Use tokens are described by the PCI DSS Tokenization guidelines as a form of token that can be used in many different data stores and that enables the data store to become out of scope for a PCI DSS audit. Note 2: Single-Use tokens are described by the PCI DSS Tokenization guidelines as a form of token that can only be used once. Note 3: Some encryption algorithms preserve the data type and length of the original data while others don t. Algorithms that preserve data type and length are slower than those that don t. Tokenizing payment data holds the promise of improving security while reducing auditing costs, generating great demand amongst the merchant community. Tokenization is a simple technology with a clear value proposition. Adrian Lane, Security Analyst and CTO, Securosis Page 4

5 Why use Protegrity Vaultless Tokenization over vault-based tokenization? The table below highlights differences between vault-based tokenization and Protegrity Vaultless Tokenization. Requirement Vault-based Vaultless Tokenization Performance Slow due to latency. Very fast. Option to deploy without latency. Scalability High Availability Disaster Recovery Total Cost of Ownership (TCO) Protection of PCI Hard and expensive to create redundancy. Sophisticated replication and powerful hardware required. High TCO Due to large database, many instances of the database, replication software, powerful hardware. Fair with the issues stated above. Easy to create redundancy. No replication required. Deployed with commodity hardware. Low TCO No replication, no database, commodity hardware. Protection of PII Protection of PHI Fair Satisfactory for one PII value, add values and this approach will break. Not applicable to PHI data. Security Store and protect sensitive data (Credit Card Numbers, Social Security Numbers, addresses) Most tokenization solutions are not certified or vetted. This approach requires the storage and protection of massive amounts of sensitive data in a a vault. Vetted by Dr. Bart Preneel from the, Katholieke University Leuven, Belgium, inventors of AES. No sensitive data or tokens are stored. Protegrity is a global data security provider for major corporations worldwide. Protegrity customers centrally develop, manage and control data security policy that protects sensitive information in databases, applications and file systems from the point of acquisition to deletion, across the enterprise. Protegrity s scalable solutions give corporations the ability to implement a variety of data protection methods, including strong encryption, vaultless tokenization, masking and monitoring to ensure the protection of their sensitive data and enable compliance for PCI-DSS, HIPAA and other data security initiatives. To learn more, visit or call Copyright 2012 Protegrity Corporation. All rights reserved. Protegrity is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. 4/2012 Page 5