An Introduction to Token Vaults
Today’s digital landscape can be hazardous for online vendors seeking to provide simple, yet fully secure, payments. Perhaps the trickiest element of securing online transactions over time is securing sensitive information. To reduce the risk of data leakage, and to repel hackers and other threats, vendors who are dedicated to the state of the art today use a combination of encryption (to protect data in motion) and tokenization (to protect data at rest).
Tokenization is the process of exchanging sensitive data for a different, unrelated string (the token). The vendor uses that token to access and use the sensitive data in secure payment transactions, without ever exposing the plain text of the data within their environment. Using the token instead of the data itself allows the vendor to
- Avoid acquiring regulatory obligations related to secure data storage; and
- Reduce the risk of a data leak that could expose their customers’ data
The token is stored by the vendor and cannot be ‘cracked’, or converted to the plain text of the underlying sensitive data, because it is a random string, used only to gain access to the actual data in the token vault.
The token vault, then, is the data storage location where the actual sensitive data is stored, and can be exchanged for the token. The owner and operator of the vault is responsible for security, regulatory compliance, and high-availability.
What is a token vault?
A token vault is a type of smart contract-based system used to securely store and manage digital tokens. It is designed to provide a layer of security and control for users by allowing vendors to use sensitive data collected from customers without ever storing it in their own domain.
A token vault typically has features such as access controls, multi-factor authentication, and the ability to track token transactions. This gives users greater control over the tokens they own and reduces the risk of theft or loss.
What does a token vault do?
Because the token vault exists to protect sensitive data while keeping it available to authorized users, its two main functions are
- To provide access to the data in a usable way to authorized users; and
- To protect the data from any unauthorized action
In order to access the stored sensitive data, a user (or, normally, a call from a related system) must not only provide the token, but also credentials that confirm their identity. This is not dissimilar to a safety deposit box in a physical bank vault: to gain access, one must both demonstrate one’s identity, and additionally possess the key to unlock the box.
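The tokenize/detokenize exchange described above, together with the safety-deposit-box rule (valid credentials and the token are both required), as an added illustration that is not Basis Theory's code: a hypothetical in-memory vault that issues random tokens, refuses detokenization without authenticated credentials, and records every access so token use can be tracked. The client id, API key and card number are constructed sample values.

```python
import hmac
import secrets


class TokenVault:
    """Hypothetical minimal vault: holds the values, issues random tokens."""

    def __init__(self, clients):
        self._clients = clients   # client_id -> API key (the identity check)
        self._store = {}          # token -> sensitive value, only leaves via detokenize
        self.access_log = []      # (client_id, action, outcome): tracks every use

    def _check(self, client_id, api_key, action):
        expected = self._clients.get(client_id)
        # constant-time compare so a wrong key cannot be probed byte by byte
        if expected is None or not hmac.compare_digest(expected, api_key):
            self.access_log.append((client_id, action, "denied"))
            raise PermissionError("invalid credentials")

    def tokenize(self, client_id, api_key, value):
        self._check(client_id, api_key, "tokenize")
        # Random handle, not a transform of the value: the token reveals nothing.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = value
        self.access_log.append((client_id, "tokenize", "ok"))
        return token

    def detokenize(self, client_id, api_key, token):
        # Safety-deposit-box rule: prove identity (credentials) AND hold the key (token).
        self._check(client_id, api_key, "detokenize")
        if token not in self._store:
            self.access_log.append((client_id, "detokenize", "unknown token"))
            raise KeyError("unknown token")
        self.access_log.append((client_id, "detokenize", "ok"))
        return self._store[token]


def vendor_flow():
    """Vendor side: keeps only the token; the card number stays in the vault."""
    api_key = secrets.token_urlsafe(32)
    vault = TokenVault({"shop": api_key})
    pan = "4111111111111111"          # constructed sample card number
    token = vault.tokenize("shop", api_key, pan)
    try:                              # right token, wrong credentials: refused
        vault.detokenize("shop", "not-the-api-key", token)
        denied = False
    except PermissionError:
        denied = True
    plain = vault.detokenize("shop", api_key, token)
    return {"token": token, "leaks_pan": pan in token, "denied": denied,
            "recovered": plain == pan, "log": vault.access_log}
```

A real vault would also encrypt the stored values and persist the access log; this sketch only shows the control flow the text describes.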
Who uses a token vault?
Businesses that need to use sensitive data will contract with a token service provider like Basis Theory to store that data outside their own security perimeter in order to both deliver secure service to their customers, and to reduce their own compliance and security obligations. Returning to the bank vault analogy, a physical retail store deposits its cash into a bank at the end of each day, then collects what it needs to operate its business the next morning; this eliminates the need to build their own vault, and the risk that someone will break in, crack the vault open, and make off with their money.
Just as the bank provides both a safe location to store valuables, as well as easy access to what it stores, a token vault protects and provides access to sensitive data.
What sort of data is stored in a token vault?
Sensitive data is defined differently in different geographic locations, but broadly speaking the most common types of data stored in a token vault would be
- Personally identifiable information (PII), like name and social security number
- Cardholder data (CHD) like card numbers and expiration dates
- Protected Health Information (PHI), such as medical test results
- Other personal data, which is legally defined differently around the world through statutes like GDPR, CCPA, LGPD, and the Australian Privacy Act
What sort of businesses offer token vaults?
Payment Service Providers (PSPs) generally offer what are effectively tokenization systems, with implicit token vaults. Users of Stripe, for instance, deliver collected PII directly to the Stripe system without having it pass through their systems, and hold only a token for use in future payment transactions.
PSP token vaults, however, have the disadvantage of being proprietary: the token delivered to a vendor by one PSP cannot be used to securely process a transaction through an alternative PSP. Therefore vendors who wish to have the flexibility to optimize their payment processing, to use multiple PSPs simultaneously, or to shift their business between PSPs, will opt to use a third-party Token Service Provider (TSP) like Basis Theory. By owning the token, and keeping the underlying data in a non-proprietary location, they can use the TSP to route sensitive data to the PSP of their choice, thus gaining the opportunity to optimize payment processes.
Final Thoughts
A token vault operates very similarly to a safety deposit box in a bank: it provides secure storage, and convenient access, while requiring confirmation of the requestor’s identity as well as presentation of a valid token. This provides significant protection for vendors compared to storing sensitive data within their own security perimeter, dramatically reduces the risk of data breaches, and limits compliance obligations.