FAQ
The Tokenization Experts
Protegrity Vaultless Tokenization
Protegrity Vaultless Tokenization employs a patent-pending approach to tokenization that improves security and efficiency by eliminating the need for a token vault. By removing the token vault, it eliminates the storage of sensitive data and tokens, resulting in superior efficiencies for improved performance, security and lower total cost of ownership.

Question: What is Vaultless Tokenization?
Answer: Vaultless tokenization is a secure, fast, and small-footprint data protection approach that delivers random, data type and length preserving tokens with no need for a token vault or database.

Question: What is vault-based tokenization?
Answer: Vault-based tokenization is a data protection approach that uses a large database lookup table as a means of pairing up randomly generated tokens with corresponding sensitive data. When given sensitive data, it will return a token. When given a token, it will return sensitive data. The database is typically locked down in a “vault” and grows dynamically in direct proportion to new or unique sensitive data entering the system. The reason most people call this approach vault-based is the use of a large database table that metaphorically represents a vault where the sensitive data is stored and secured.

Question: What’s the difference between Protegrity Vaultless Tokenization and vault-based tokenization?
Answer: Both vaultless and vault-based tokenization return random, data type and length preserving tokens. While the functionality is nearly identical, the difference is in the architecture. Protegrity’s Vaultless Tokenization approach yields many advantages over vault-based tokenization. Protegrity Vaultless Tokenization does not use an ever-growing database and/or lookup table to store sensitive data or tokens. In fact, a database table is not used in the lookup process at all. Protegrity Vaultless Tokenization uses a tiny tokenization engine that is capable of generating as many tokens as needed without growing in size, and there is no need for a vault. Another significant advantage of Vaultless Tokenization is the ability to significantly reduce or eliminate financial and brand liability, because a credit card number or token is never retained or stored.

Question: How does Protegrity Vaultless Tokenization work?
Answer: Protegrity Vaultless Tokenization breaks up the token creation process into a set of multiple lookups. The lookups are performed on random, pre-generated, static mapping tables. The input data is traversed and the outcome is a random token that is data type and length preserving.
For more information email [email protected] or call 203.326.7200.
Question: How does Protegrity Vaultless Tokenization perform?
Answer: Performance for Protegrity Vaultless Tokenization greatly exceeds that of vault-based tokenization. While some of today’s tokenization solutions show performance of as low as 5 tokens per second (tps) and as high as 5,000 tps, Protegrity Vaultless Tokenization has been benchmarked at 200,000 tps. Even though Protegrity Vaultless Tokenization outperforms vault-based tokenization, customers are always looking to push the limits on performance to meet tight Service Level Agreements (SLAs). Performance can be enhanced through various mechanisms:
1. Each token server can accept up to 200 connections, so parallel processing can improve throughput.
2. Batch tokenization can reduce the number of round trips to and from the token server by tokenizing batches of sensitive data in a single trip.
3. Token server farms front-ended by a load balancer can scale throughput up or down by easily adding or removing token servers.
Finally, the latency caused by going out to a token server can be eliminated by placing the tokenization on the database or inside the API process. This approach will not take the database or application out of PCI scope, but it can be leveraged with PII and PHI data.

Question: Have security experts validated Vaultless Tokenization?
Answer: While no tokenization standard currently exists, the vaultless tokenization method that Protegrity invented is validated and approved by Dr. Bart Preneel, professor at the Katholieke University Leuven, Belgium, the same university that invented AES, today’s gold standard for encryption.
In reference to our vaultless tokenization approach, Dr. Preneel stated “The tokenization scheme offers excellent security, since it is based on fully randomized tables. This is a fully distributed tokenization approach with no need for synchronization and there is no risk for collisions.”
“Removing the token vault from tokenization is a giant step for the data protection industry. By placing tokenization on the database and adding data types, Protegrity now offers the most complete array of Vaultless Tokenization solutions for PCI, PII, and PHI compliance.” Raul Ortega, Vice President, Corporate Strategy and Business Development, Protegrity
Question: What other companies offer vaultless tokenization?
Answer: Protegrity invented vaultless tokenization and it is the only company that currently offers it to the marketplace.

Question: Is vaultless tokenization patented?
Answer: Protegrity has an extensive portfolio of patents and patents pending on both vaultless as well as vault-based tokenization.
Question: Who offers or uses vault-based tokenization?
Answer: To the best of our knowledge, every company that says it has tokenization capabilities offers or uses vault-based tokenization. Companies such as RSA, Voltage, Shift4, Intel, SafeNet and Liaison, as well as most processors and gateways, all use vault-based tokenization. Many companies have also implemented their own “home grown” tokenization solutions that are also vault-based. Up until now, vault-based tokenization has been the only option. On the surface, this approach seems simple, but in reality and in practical use scenarios it breaks down, especially with PII/PHI data. Vault-based tokenization simply cannot scale without massive infrastructure and huge costs.

Question: What is the difference between encryption and tokenization?
Answer: The simple difference is that encryption uses an encryption algorithm (cipher) and an encryption key, whereas tokenization is based on random data replacement using code books or token tables. There are, however, further contrasts. The choice of encryption algorithm and the resulting ciphertext will have an impact on applications and databases that integrate data protection. The most common encryption algorithms (AES and Triple DES) generate ciphertext that is likely to have a different data type and length than the input data. When integrating this type of encryption within applications and databases, a fair amount of work will be required for the integration. Some newer encryption algorithms preserve the data type and length of the original data. These algorithms are slower than those that don’t preserve data type and length. However, having this property makes it a bit easier to integrate this type of data protection into applications or databases.
Question: How secure is Protegrity Vaultless Tokenization as compared to encryption?
Answer:
• Tokens are random numbers that are data type and length preserving.
• There is no relationship between the input data and the generated random token. This means that you can’t reverse engineer sensitive data from a token or a token from sensitive data. The only way to do this is to go through a lookup process.
• A random token is unbreakable. As we’ve seen with many recent data security breaches, an attacker can break encryption, which is implemented with an algorithm and a key.
Question: What’s the difference between vaultless tokenization, vault-based tokenization and encryption-based tokenization?
Answer: There are major and important differences between vaultless, vault-based, and encryption-based tokenization.

                 | Vault-Based                   | Vaultless                     | Encryption-based
Protection       | Random Token                  | Random Token                  | Key & Cryptographic Algorithm (cipher)
Format           | Data Type & Length Preserving | Data Type & Length Preserving | Data Type & Length Preserving or Non-Data Type & Length Preserving (3)
PCI DSS Guidance | Multi-Use (1)                 | Single-Use (2)                | Multi-Use (1)

Note 1: Multi-Use tokens are described by the PCI DSS Tokenization guidelines as a form of token that can be used in many different data stores and that enables the data store to become out of scope for a PCI DSS audit.
Note 2: Single-Use tokens are described by the PCI DSS Tokenization guidelines as a form of token that can only be used once.
Note 3: Some encryption algorithms preserve the data type and length of the original data while others don’t. Algorithms that preserve data type and length are slower than those that don’t.
“Tokenizing payment data holds the promise of improving security while reducing auditing costs, generating great demand amongst the merchant community. Tokenization is a simple technology with a clear value proposition.” Adrian Lane, Security Analyst and CTO, Securosis
Question: Why use Protegrity Vaultless Tokenization over vault-based tokenization?
Answer: The table below highlights differences between vault-based tokenization and Protegrity Vaultless Tokenization.

Requirement | Vault-based | Vaultless Tokenization
Performance | Slow due to latency. | Very fast. Option to deploy without latency.
Scalability | Hard and expensive to create redundancy. Sophisticated replication and powerful hardware required. | Easy to create redundancy. No replication required. Deployed with commodity hardware.
Total Cost of Ownership (TCO) | High TCO, due to a large database, many instances of the database, replication software and powerful hardware. | Low TCO: no replication, no database, commodity hardware.
Protection of PCI Data | Fair, with the issues stated above. | Excellent
Protection of PII Data | Fair. Satisfactory for one PII value; add values and this approach will break. | Excellent
Protection of PHI Data | Not applicable to PHI data. | Excellent
Security | Most tokenization solutions are not certified or vetted. | Vetted by Dr. Bart Preneel from the Katholieke University Leuven, Belgium, inventors of AES.
Store and protect sensitive data (Credit Card Numbers, Social Security Numbers, e-mail addresses) | This approach requires the storage and protection of massive amounts of sensitive data in “a vault”. | No sensitive data or tokens are stored.
High Availability Disaster Recovery | |
Protegrity is a global data security provider for major corporations worldwide. Protegrity customers centrally develop, manage and control data security policy that protects sensitive information in databases, applications and file systems from the point of acquisition to deletion, across the enterprise. Protegrity’s scalable solutions give corporations the ability to implement a variety of data protection methods, including strong encryption, vaultless tokenization, masking and monitoring to ensure the protection of their sensitive data and enable compliance for PCI-DSS, HIPAA and other data security initiatives. To learn more, visit www.protegrity.com or call 203.326.7200.

Copyright © 2012 Protegrity Corporation. All rights reserved. Protegrity ® is a registered trademark of Protegrity Corporation. All other trademarks are the property of their respective owners. 4/2012