Vaulted or Vaultless Tokens? Which is Best for Payments?
Tokens: What is a Token Vault?
A token is a non-exploitable identifier that references sensitive data. Tokens can take any shape, are safe to expose, and are easy to integrate. A token vault is a type of smart contract-based system used to securely store and manage digital tokens. It is designed to provide a layer of security and control for users by allowing vendors to use sensitive data collected from customers without ever storing it in their own domain.
A token vault typically has features such as access controls, multi-factor authentication, and the ability to track token transactions. This allows vendors to have greater control over the tokens they own, and, with additional security controls, aims to protect customer data.
Because the token vault’s purpose is to securely protect sensitive data, while making it available to authorized users, its two main goals are:
- To provide access to the data in a usable way to authorized users; and
- To protect the data from any unauthorized action
In order to access the stored sensitive data, a vendor (or, normally, a call from a related system) must not only provide the token, but also credentials that confirm their identity.
Tokenization: Vaulted or Vaultless?
The names notwithstanding, vaulted and vaultless tokenization schemes could not be more different. Vaulted systems rely upon a trusted, secure vault to collect and store sensitive user data and provide a token to the vendor. In this way, the vendor never actually has access to the sensitive data in plain text, but can access that data for approved uses, such as transmitting it to a payment system to complete sales. The token held by the vendor in such a situation can never be decrypted, and the data it represents can only be accessed by completing a set of security requirements while presenting the token.
By contrast, vaultless tokenization is really another name for local encryption. The user’s sensitive data is encrypted at their end, and a token is delivered to the vendor. The vendor not only never has the user’s data in plain text, they also cannot use that data for downstream activities (like closing transactions) without interacting with the application at the user’s end. So, in the case of closing a sale, the submission of sensitive data to a payment service provider (PSP) would need to be initiated at the user’s end.
The upside of the vaultless approach is that there is no central repository of tokens, and users can be 100% sure that no transaction will occur without their express confirmation. However, the downside is that the vendor’s ability to offer ongoing services may be hamstrung: a subscription payment, for instance, or a subsequent payment may need explicit actions from the customer’s side every time, making ongoing commercial relationships unwieldy.
Because of the extra layer of security a token vault offers during the data collection process (depositing the data in the vault then supplying the token to the vendor), vaulted tokens may have a bit of latency that vaultless tokens wouldn’t see. Vaulted tokens work great for sensitive cardholder data, especially when they are to be stored by the vendor for future re-use: they are secure, but also conveniently located for subsequent use.
On the other hand, vaultless tokens may offer a bit less latency and a bit more flexibility than vaulted tokens as they don’t have a secured vault. You could say that vaultless tokens offer the most value when data is in transit - but lose their luster when they are not usable for future transactions.
Going vaultless, then, removes a central, defining feature of vaulted tokens: the additional security and convenience of a secure token vault. In some instances, like PCI-DSS compliance, vendors require a secure vault if they want to allow customers to re-use their payment data, which would completely rule out vaultless tokens as a viable option.
Limitations of Vaultless Tokenization
The aforementioned limitation of vaultless tokens is worth sharing again - the additional layer of security and convenience a token vault offers leaves vaultless tokens more vulnerable and less useful long term. Should anyone need to use and protect sensitive data, like cardholder data, vaultless tokens aren’t even on the table as a choice.
Think of it this way: vaultless tokenization involves the client-side application effectively encrypting data locally, then sending a token to the requesting application. The requesting application, then, can pass the token back to the client-side application to confirm that it has rights to the data the token refers to, or to initiate a transaction from the client side - but it never actually gets access to the underlying information.
Vaultless tokenization, by its very nature, relies heavily on secure storage of the cryptographic keys used locally for tokenization. Compromised keys can render the tokens insecure and expose the original data, so robust key management practices are crucial.
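To make the contrast between the two schemes (and the key-management point just made) concrete, here is an added Python example. It is not Basis Theory's code or product: a toy vault that issues random tokens and requires an authorized credential before it forwards the PAN to a PSP callback, beside a toy vaultless scheme that derives a 16-digit token from the PAN with a keyed Feistel network using HMAC-SHA256 as the round function. The Feistel construction is a simplified stand-in for a standard format-preserving encryption mode such as NIST FF1, not FF1 itself. All names, the sample PAN, and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: a well-known test card number, not a real PAN.
SAMPLE_PAN = "4111111111111111"

# Constructed key for the vaultless scheme. Whoever holds this can detokenize.
VAULTLESS_KEY = b"constructed-demo-key-do-not-reuse"


# ---------- Vaulted tokenization ----------
class TokenVault:
    """Holds the PAN itself and issues a random token with no mathematical
    link to it. Using the token requires a credential authorized for the
    requested action, and the PAN only travels from the vault to the PSP,
    never back to the vendor."""

    def __init__(self):
        self._store = {}       # token -> PAN (lives only inside the vault)
        self._api_keys = {}    # api_key -> set of permitted actions

    def issue_credential(self, permitted_actions):
        api_key = secrets.token_hex(16)
        self._api_keys[api_key] = set(permitted_actions)
        return api_key

    def tokenize(self, pan):
        # Unpredictable identifier: reveals nothing about the PAN and cannot
        # be "decrypted"; without the vault's store it is just a random string.
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = pan
        return token

    def charge(self, token, api_key, amount_cents, psp):
        # The token alone is not enough: the caller must also present a
        # credential that is permitted to charge.
        if "charge" not in self._api_keys.get(api_key, set()):
            raise PermissionError("credential not authorized to charge")
        pan = self._store.get(token)
        if pan is None:
            raise KeyError("unknown token")
        # The vault forwards the PAN to the PSP; the vendor only sees the answer.
        return psp(pan, amount_cents)


# ---------- Vaultless tokenization (keyed, reversible) ----------
def _round_function(key, round_index, half):
    # HMAC of the round number and the other half; reduced mod 10**h by caller.
    mac = hmac.new(key, b"%d:%s" % (round_index, half.encode()), hashlib.sha256)
    return int.from_bytes(mac.digest()[:8], "big")


def vaultless_tokenize(key, pan, rounds=8):
    """Format-preserving: an even-length digit string maps to a same-length
    digit string. Deterministic: the same PAN and key always give the same token."""
    if not (pan.isdigit() and len(pan) % 2 == 0):
        raise ValueError("expected an even-length string of digits")
    h = len(pan) // 2
    mod = 10 ** h
    left, right = pan[:h], pan[h:]
    for i in range(rounds):
        f = _round_function(key, i, right) % mod
        left, right = right, "%0*d" % (h, (int(left) + f) % mod)
    return left + right


def vaultless_detokenize(key, token, rounds=8):
    """Inverse of vaultless_tokenize; needs nothing but the key."""
    h = len(token) // 2
    mod = 10 ** h
    left, right = token[:h], token[h:]
    for i in reversed(range(rounds)):
        f = _round_function(key, i, left) % mod
        left, right = "%0*d" % (h, (int(right) - f) % mod), left
    return left + right


if __name__ == "__main__":
    vault = TokenVault()
    merchant_key = vault.issue_credential(["charge"])
    vault_token = vault.tokenize(SAMPLE_PAN)
    print("vault token:", vault_token)
    print("psp result:", vault.charge(vault_token, merchant_key, 1999,
                                      lambda pan, amt: "auth-ok"))

    vl_token = vaultless_tokenize(VAULTLESS_KEY, SAMPLE_PAN)
    print("vaultless token:", vl_token)
    print("recovered with key:", vaultless_detokenize(VAULTLESS_KEY, vl_token))
```

The two token strings look equally opaque to a vendor, but they fail differently: the vault token is useless to anyone who does not also hold an authorized credential and a connection to the vault, while the vaultless token is recoverable by anyone who obtains `VAULTLESS_KEY`, which is why the key storage in the paragraph above carries the whole security argument for that approach.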
Because vaultless tokenization is a relatively new approach to tokenization, it doesn’t have wide acceptance yet. Many existing systems do not yet support use of these tokens, so companies almost certainly can’t solely rely on them.
PCI Compliance Considerations
Simply stated, the Payment Card Industry Data Security Standard (PCI DSS) does not recognize vaultless tokens as a secure method to protect cardholder data, especially PANs.
This is important because a merchant cannot achieve PCI compliance by using vaultless tokens alone since a secure cardholder data environment would be required - something a token vault embodies by design.
Therefore, anyone needing to store, secure, and use payment data would be best to steer clear of vaultless tokens and choose vaulted payment tokens instead.
How Vaulted Tokens Benefit Merchants
Vaulted tokens, especially those vaulted with a third-party tokenization provider like Basis Theory, offer secure collection, storage, and access for merchants. By owning the token, and keeping the underlying data in a non-proprietary location, merchants can use the provider to route sensitive data to the PSP of their choice, thus delivering the opportunity to optimize payment processes.
If a merchant needs to store sensitive payment data and achieve PCI compliance, a token vault can meet those requirements - while vaultless tokens do not. Securing cardholder data in a token vault with Basis Theory satisfies many PCI DSS requirements and provides companies greater control and flexibility over their payment stack.
As a PCI Level 1 compliant service provider, Basis Theory extends an independently assessed and approved CDE to customers. Combined with a suite of configurable tools, services, and tokens, companies can collect, secure, and share credit cards without bringing their systems into scope. This approach allows companies to avoid the costs and distractions associated with 95% of the requirements in the Payment Card Industry Data Security Standard (PCI DSS) while retaining complete control over their cardholder data.