Tokenization (data security)

Last updated
This is a simplified example of how mobile payment tokenization commonly works via a mobile phone application with a credit card. Methods other than fingerprint scanning or PIN-numbers can be used at a payment terminal. How mobile payment tokenization works.png
This is a simplified example of how mobile payment tokenization commonly works via a mobile phone application with a credit card. Methods other than fingerprint scanning or PIN-numbers can be used at a payment terminal.

Tokenization, when applied to data security, is the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token, that has no intrinsic or exploitable meaning or value. The token is a reference (i.e. identifier) that maps back to the sensitive data through a tokenization system. The mapping from original data to a token uses methods that render tokens infeasible to reverse in the absence of the tokenization system, for example using tokens created from random numbers. [3] A one-way cryptographic function is used to convert the original data into tokens, making it difficult to recreate the original data without obtaining entry to the tokenization system's resources. [4] To deliver such services, the system maintains a vault database of tokens that are connected to the corresponding sensitive data. Protecting the system vault is vital to the system, and improved processes must be put in place to offer database integrity and physical security. [5]

Contents

The tokenization system must be secured and validated using security best practices [6] applicable to sensitive data protection, secure storage, audit, authentication and authorization. The tokenization system provides data processing applications with the authority and interfaces to request tokens, or detokenize back to sensitive data.

The security and risk reduction benefits of tokenization require that the tokenization system is logically isolated and segmented from data processing systems and applications that previously processed or stored sensitive data replaced by tokens. Only the tokenization system can tokenize data to create tokens, or detokenize back to redeem sensitive data under strict security controls. The token generation method must be proven to have the property that there is no feasible means through direct attack, cryptanalysis, side channel analysis, token mapping table exposure or brute force techniques to reverse tokens back to live data.

Replacing live data with tokens in systems is intended to minimize exposure of sensitive data to those applications, stores, people and processes, reducing risk of compromise or accidental exposure and unauthorized access to sensitive data. Applications can operate using tokens instead of live data, with the exception of a small number of trusted applications explicitly permitted to detokenize when strictly necessary for an approved business purpose. Tokenization systems may be operated in-house within a secure isolated segment of the data center, or as a service from a secure service provider.

Tokenization may be used to safeguard sensitive data involving, for example, bank accounts, financial statements, medical records, criminal records, driver's licenses, loan applications, stock trades, voter registrations, and other types of personally identifiable information (PII). Tokenization is often used in credit card processing. The PCI Council defines tokenization as "a process by which the primary account number (PAN) is replaced with a surrogate value called a token. A PAN may be linked to a reference number through the tokenization process. In this case, the merchant simply has to retain the token and a reliable third party controls the relationship and holds the PAN. The token may be created independently of the PAN, or the PAN can be used as part of the data input to the tokenization technique. The communication between the merchant and the third-party supplier must be secure to prevent an attacker from intercepting to gain the PAN and the token. [7]

De-tokenization [8] is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value". [9] The choice of tokenization as an alternative to other techniques such as encryption will depend on varying regulatory requirements, interpretation, and acceptance by respective auditing or assessment entities. This is in addition to any technical, architectural or operational constraint that tokenization imposes in practical use.

Concepts and origins

The concept of tokenization, as adopted by the industry today, has existed since the first currency systems emerged centuries ago as a means to reduce risk in handling high value financial instruments by replacing them with surrogate equivalents. [10] [11] [12] In the physical world, coin tokens have a long history of use replacing the financial instrument of minted coins and banknotes. In more recent history, subway tokens and casino chips found adoption for their respective systems to replace physical currency and cash handling risks such as theft. Exonumia and scrip are terms synonymous with such tokens.

In the digital world, similar substitution techniques have been used since the 1970s as a means to isolate real data elements from exposure to other data systems. In databases for example, surrogate key values have been used since 1976 to isolate data associated with the internal mechanisms of databases and their external equivalents for a variety of uses in data processing. [13] [14] More recently, these concepts have been extended to consider this isolation tactic to provide a security mechanism for the purposes of data protection.

In the payment card industry, tokenization is one means of protecting sensitive cardholder data in order to comply with industry standards and government regulations. [15]

Tokenization was applied to payment card data by Shift4 Corporation [16] and released to the public during an industry Security Summit in Las Vegas, Nevada in 2005. [17] The technology is meant to prevent the theft of the credit card information in storage. Shift4 defines tokenization as: “The concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data. In payment card industry (PCI) context, tokens are used to reference cardholder data that is managed in a tokenization system, application or off-site secure facility.” [18]

To protect data over its full lifecycle, tokenization is often combined with end-to-end encryption to secure data in transit to the tokenization system or service, with a token replacing the original data on return. For example, to avoid the risks of malware stealing data from low-trust systems such as point of sale (POS) systems, as in the Target breach of 2013, cardholder data encryption must take place prior to card data entering the POS and not after. Encryption takes place within the confines of a security hardened and validated card reading device and data remains encrypted until received by the processing host, an approach pioneered by Heartland Payment Systems [19] as a means to secure payment data from advanced threats, now widely adopted by industry payment processing companies and technology companies. [20] The PCI Council has also specified end-to-end encryption (certified point-to-point encryption—P2PE) for various service implementations in various PCI Council Point-to-point Encryption documents.

The tokenization process

The process of tokenization consists of the following steps:

Tokenization systems share several components according to established standards.

  1. Token Generation is the process of producing a token using any means, such as mathematically reversible cryptographic functions based on strong encryption algorithms and key management mechanisms, one-way nonreversible cryptographic functions (e.g., a hash function with strong, secret salt), or assignment via a randomly generated number. Random Number Generator (RNG) techniques are often the best choice for generating token values.
  2. Token Mapping – this is the process of assigning the created token value to its original value. To enable permitted look-ups of the original value using the token as the index, a secure cross-reference database must be constructed.
  3. Token Data Store – this is a central repository for the Token Mapping process that holds the original values as well as the related token values after the Token Generation process. On data servers, sensitive data and token values must be securely kept in encrypted format.
  4. Encrypted Data Storage – this is the encryption of sensitive data while it is in transit.
  5. Management of Cryptographic Keys. Strong key management procedures are required for sensitive data encryption on Token Data Stores. [22]

Difference from encryption

Tokenization and “classic” encryption effectively protect data if implemented properly, and a computer security system may use both. While similar in certain regards, tokenization and classic encryption differ in a few key aspects. Both are cryptographic data security methods and they essentially have the same function, however they do so with differing processes and have different effects on the data they are protecting.

Tokenization is a non-mathematical approach that replaces sensitive data with non-sensitive substitutes without altering the type or length of data. This is an important distinction from encryption because changes in data length and type can render information unreadable in intermediate systems such as databases. Tokenized data can still be processed by legacy systems which makes tokenization more flexible than classic encryption.

In many situations, the encryption process is a constant consumer of processing power, hence such a system needs significant expenditures in specialized hardware and software. [4]

Another difference is that tokens require significantly less computational resources to process. With tokenization, specific data is kept fully or partially visible for processing and analytics while sensitive information is kept hidden. This allows tokenized data to be processed more quickly and reduces the strain on system resources. This can be a key advantage in systems that rely on high performance.

In comparison to encryption, tokenization technologies reduce time, expense, and administrative effort while enabling teamwork and communication. [4]

Types of tokens

There are many ways that tokens can be classified however there is currently no unified classification. Tokens can be: single or multi-use, cryptographic or non-cryptographic, reversible or irreversible, authenticable or non-authenticable, and various combinations thereof.

In the context of payments, the difference between high and low value tokens plays a significant role.

High-value tokens (HVTs)

HVTs serve as surrogates for actual PANs in payment transactions and are used as an instrument for completing a payment transaction. In order to function, they must look like actual PANs. Multiple HVTs can map back to a single PAN and a single physical credit card without the owner being aware of it. Additionally, HVTs can be limited to certain networks and/or merchants whereas PANs cannot.

HVTs can also be bound to specific devices so that anomalies between token use, physical devices, and geographic locations can be flagged as potentially fraudulent. HVT blocking enhances efficiency by reducing computational costs while maintaining accuracy and reducing record linkage as it reduces the number of records that are compared. [23]

Low-value tokens (LVTs) or security tokens

LVTs also act as surrogates for actual PANs in payment transactions, however they serve a different purpose. LVTs cannot be used by themselves to complete a payment transaction. In order for an LVT to function, it must be possible to match it back to the actual PAN it represents, albeit only in a tightly controlled fashion. Using tokens to protect PANs becomes ineffectual if a tokenization system is breached, therefore securing the tokenization system itself is extremely important.

System operations, limitations and evolution

First generation tokenization systems use a database to map from live data to surrogate substitute tokens and back. This requires the storage, management, and continuous backup for every new transaction added to the token database to avoid data loss. Another problem is ensuring consistency across data centers, requiring continuous synchronization of token databases. Significant consistency, availability and performance trade-offs, per the CAP theorem, are unavoidable with this approach. This overhead adds complexity to real-time transaction processing to avoid data loss and to assure data integrity across data centers, and also limits scale. Storing all sensitive data in one service creates an attractive target for attack and compromise, and introduces privacy and legal risk in the aggregation of data Internet privacy, particularly in the EU.

Another limitation of tokenization technologies is measuring the level of security for a given solution through independent validation. With the lack of standards, the latter is critical to establish the strength of tokenization offered when tokens are used for regulatory compliance. The PCI Council recommends independent vetting and validation of any claims of security and compliance: "Merchants considering the use of tokenization should perform a thorough evaluation and risk analysis to identify and document the unique characteristics of their particular implementation, including all interactions with payment card data and the particular tokenization systems and processes" [24]

The method of generating tokens may also have limitations from a security perspective. With concerns about security and attacks to random number generators, which are a common choice for the generation of tokens and token mapping tables, scrutiny must be applied to ensure proven and validated methods are used versus arbitrary design. [25] [26] Random-number generators have limitations in terms of speed, entropy, seeding and bias, and security properties must be carefully analysed and measured to avoid predictability and compromise.

With tokenization's increasing adoption, new tokenization technology approaches have emerged to remove such operational risks and complexities and to enable increased scale suited to emerging big data use cases and high performance transaction processing, especially in financial services and banking. [27] In addition to conventional tokenization methods, Protegrity provides additional security through its so-called "obfuscation layer." This creates a barrier that prevents not only regular users from accessing information they wouldn't see but also privileged users who has access, such as database administrators. [28]

Stateless tokenization allows live data elements to be mapped to surrogate values randomly, without relying on a database, while maintaining the isolation properties of tokenization.

November 2014, American Express released its token service which meets the EMV tokenization standard. [29] Other notable examples of Tokenization-based payment systems, according to the EMVCo standard, include Google Wallet, Apple Pay, [30] Samsung Pay, Microsoft Wallet, Fitbit Pay and Garmin Pay. Visa uses tokenization techniques to provide a secure online and mobile shopping. [31]

Using blockchain, as opposed to relying on trusted third parties, it is possible to run highly accessible, tamper-resistant databases for transactions. [32] [33] With help of blockchain, tokenization is the process of converting the value of a tangible or intangible asset into a token that can be exchanged on the network.

This enables the tokenization of conventional financial assets, for instance, by transforming rights into a digital token backed by the asset itself using blockchain technology. [34] Besides that, tokenization enables the simple and efficient compartmentalization and management of data across multiple users. Individual tokens created through tokenization can be used to split ownership and partially resell an asset. [35] [36] Consequently, only entities with the appropriate token can access the data. [34]

Numerous blockchain companies support asset tokenization. In 2019, eToro acquired Firmo and renamed as eToroX. Through its Token Management Suite, which is backed by USD-pegged stablecoins, eToroX enables asset tokenization. [37] [38]

The tokenization of equity is facilitated by STOKR, a platform that links investors with small and medium-sized businesses. Tokens issued through the STOKR platform are legally recognized as transferable securities under European Union capital market regulations. [39]

Breakers enable tokenization of intellectual property, allowing content creators to issue their own digital tokens. Tokens can be distributed to a variety of project participants. Without intermediaries or governing body, content creators can integrate reward-sharing features into the token. [39]

Application to alternative payment systems

Building an alternate payments system requires a number of entities working together in order to deliver near field-communication (NFC) or other technology based payment services to the end users. One of the issues is the interoperability between the players and to resolve this issue the role of trusted service manager (TSM) is proposed to establish a technical link between mobile network operators (MNO) and providers of services, so that these entities can work together. Tokenization can play a role in mediating such services.

Tokenization as a security strategy lies in the ability to replace a real card number with a surrogate (target removal) and the subsequent limitations placed on the surrogate card number (risk reduction). If the surrogate value can be used in an unlimited fashion or even in a broadly applicable manner, the token value gains as much value as the real credit card number. In these cases, the token may be secured by a second dynamic token that is unique for each transaction and also associated to a specific payment card. Example of dynamic, transaction-specific tokens include cryptograms used in the EMV specification.

Application to PCI DSS standards

The Payment Card Industry Data Security Standard, an industry-wide set of guidelines that must be met by any organization that stores, processes, or transmits cardholder data, mandates that credit card data must be protected when stored. [40] Tokenization, as applied to payment card data, is often implemented to meet this mandate, replacing credit card and ACH numbers in some systems with a random value or string of characters. [41] Tokens can be formatted in a variety of ways. [42] Some token service providers or tokenization products generate the surrogate values in such a way as to match the format of the original sensitive data. In the case of payment card data, a token might be the same length as a Primary Account Number (bank card number) and contain elements of the original data such as the last four digits of the card number. When a payment card authorization request is made to verify the legitimacy of a transaction, a token might be returned to the merchant instead of the card number, along with the authorization code for the transaction. The token is stored in the receiving system while the actual cardholder data is mapped to the token in a secure tokenization system. Storage of tokens and payment card data must comply with current PCI standards, including the use of strong cryptography. [43]

Standards (ANSI, the PCI Council, Visa, and EMV)

Tokenization is currently in standards definition in ANSI X9 as X9.119 Part 2. X9 is responsible for the industry standards for financial cryptography and data protection including payment card PIN management, credit and debit card encryption and related technologies and processes. The PCI Council has also stated support for tokenization in reducing risk in data breaches, when combined with other technologies such as Point-to-Point Encryption (P2PE) and assessments of compliance to PCI DSS guidelines. [44] Visa Inc. released Visa Tokenization Best Practices [45] for tokenization uses in credit and debit card handling applications and services. In March 2014, EMVCo LLC released its first payment tokenization specification for EMV. [46] PCI DSS is the most frequently utilized standard for Tokenization systems used by payment industry players. [22]

Risk reduction

Tokenization can render it more difficult for attackers to gain access to sensitive data outside of the tokenization system or service. Implementation of tokenization may simplify the requirements of the PCI DSS, as systems that no longer store or process sensitive data may have a reduction of applicable controls required by the PCI DSS guidelines.

As a security best practice, [47] independent assessment and validation of any technologies used for data protection, including tokenization, must be in place to establish the security and strength of the method and implementation before any claims of privacy compliance, regulatory compliance, and data security can be made. This validation is particularly important in tokenization, as the tokens are shared externally in general use and thus exposed in high risk, low trust environments. The infeasibility of reversing a token or set of tokens to a live sensitive data must be established using industry accepted measurements and proofs by appropriate experts independent of the service or solution provider.

Restrictions on token use

Not all organizational data can be tokenized, and needs to be examined and filtered.

When databases are utilized on a large scale, they expand exponentially, causing the search process to take longer, restricting system performance, and increasing backup processes. A database that links sensitive information to tokens is called a vault. With the addition of new data, the vault's maintenance workload increases significantly.

For ensuring database consistency, token databases need to be continuously synchronized.

Apart from that, secure communication channels must be built between sensitive data and the vault so that data is not compromised on the way to or from storage. [4]

See also

Related Research Articles

<span class="mw-page-title-main">Smart card</span> Pocket-sized card with authentication circuitry

A smart card (SC), chip card, or integrated circuit card, is a card used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations.

A personal identification number is a numeric passcode used in the process of authenticating a user accessing a system.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Data security means protecting digital data, such as those in a database, from destructive forces and from the unwanted actions of unauthorized users, such as a cyberattack or a data breach.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

3-D Secure is a protocol designed to be an additional security layer for online credit and debit card transactions. The name refers to the "three domains" which interact using the protocol: the merchant/acquirer domain, the issuer domain, and the interoperability domain.

The Payment Card Industry Data Security Standard is an information security standard used to handle credit cards from major card brands. The standard is administered by the Payment Card Industry Security Standards Council, and its use is mandated by the card brands. It was created to better control cardholder data and reduce credit card fraud. Validation of compliance is performed annually or quarterly with a method suited to the volume of transactions:

A payment card number, primary account number (PAN), or simply a card number, is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situations the card number is referred to as a bank card number. The card number is primarily a card identifier and may not directly identify the bank account number(s) to which the card is/are linked by the issuing entity. The card number prefix identifies the issuer of the card, and the digits that follow are used by the issuing entity to identify the cardholder as a customer and which is then associated by the issuing entity with the customer's designated bank accounts. In the case of stored-value type cards, the association with a particular customer is only made if the prepaid card is reloadable. Card numbers are allocated in accordance with ISO/IEC 7812. The card number is typically embossed on the front of a payment card, and is encoded on the magnetic stripe and chip, but may also be imprinted on the back of the card.

<span class="mw-page-title-main">Credit card fraud</span> Financial crime

Credit card fraud is an inclusive term for fraud committed using a payment card, such as a credit card or debit card. The purpose may be to obtain goods or services or to make payment to another account, which is controlled by a criminal. The Payment Card Industry Data Security Standard is the data security standard created to help financial institutions process card payments securely and reduce card fraud.

A payment processor is a system that enables financial transactions, commonly employed by a merchant, to handle transactions with customers from various channels such as credit cards and debit cards or bank accounts. They are usually broken down into two types: front-end and back-end.

<span class="mw-page-title-main">Linoma Software</span>

Linoma Software was a developer of secure managed file transfer and IBM i software solutions. The company was acquired by HelpSystems in June 2016. Mid-sized companies, large enterprises and government entities use Linoma's software products to protect sensitive data and comply with data security regulations such as PCI DSS, HIPAA/HITECH, SOX, GLBA and state privacy laws. Linoma's software runs on a variety of platforms including Windows, Linux, UNIX, IBM i, AIX, Solaris, HP-UX and Mac OS X.

ISO 9564 is an international standard for personal identification number (PIN) management and security in financial services.

<span class="mw-page-title-main">Card security code</span> Security feature on payment cards

A card security code is a series of numbers that, in addition to the bank card number, is printed on a credit or debit card. The CSC is used as a security feature for card not present transactions, where a personal identification number (PIN) cannot be manually entered by the cardholder. It was instituted to reduce the incidence of credit card fraud. Unlike the card number, the CSC is deliberately not embossed, so that it is not read when using a mechanical credit card imprinter which will only pick up embossed numbers.

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card data and information into indecipherable code at the time the card is swiped, in order to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment. There also exist payment solutions based on end-to-end encryption, implying the highest level of confidentiality for the transferred data.

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

A cryptocurrency wallet is a device, physical medium, program or an online service which stores the public and/or private keys for cryptocurrency transactions. In addition to this basic function of storing the keys, a cryptocurrency wallet more often offers the functionality of encrypting and/or signing information. Signing can for example result in executing a smart contract, a cryptocurrency transaction, identification, or legally signing a 'document'.

The IBM 4768 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4769 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The Four Corners model, often referred to as the Four Party Scheme is the most used card scheme in card payment systems worldwide. This model was introduced in the 1990s. It is a user-friendly card payment system based on an interbank clearing system and economic model established on multilateral interchange fees (MIF) paid between banks or other payment institutions.

Colored Coins is an open-source protocol that allows users to represent and manipulate immutable digital resources on top of Bitcoin transactions. They are a class of methods for representing and maintaining real-world assets on the Bitcoin blockchain, which may be used to establish asset ownership. Colored coins are bitcoins with a mark on them that specifies what they may be used for. Colored coins have also been considered a precursor to NFTs.

References

  1. "Tokenization demystified". IDEMIA. 2017-09-19. Archived from the original on 2018-01-26. Retrieved 2018-01-26.
  2. "Payment Tokenization Explained". Square. 8 October 2014. Archived from the original on 2018-01-02. Retrieved 2018-01-26.
  3. CardVault: "Tokenization 101"
  4. 1 2 3 4 Ogigau-Neamtiu, F. (2016). "Tokenization as a data security technique". Regional Department of Defense Resources Management Studies. Zeszyty Naukowe AON. 2 (103). Brasov, Romania: Akademia Sztuki Wojennej: 124–135. ISSN   0867-2245.
  5. Ogîgău-Neamţiu, F. (2017). "Automating the data security process". Journal of Defense Resources Management (JoDRM). 8 (2).
  6. "OWASP Top Ten Project". Archived from the original on 2019-12-01. Retrieved 2014-04-01.
  7. Stapleton, J.; Poore, R. S. (2011). "Tokenization and other methods of security for cardholder data". Information Security Journal: A Global Perspective. 20 (2): 91–99. doi:10.1080/19393555.2011.560923. S2CID   46272415.
  8. Y., Habash, Nizar (2010). Introduction to Arabic natural language processing. Morgan & Claypool. ISBN   978-1-59829-796-6. OCLC   1154286658.{{cite book}}: CS1 maint: multiple names: authors list (link)
  9. PCI DSS Tokenization Guidelines
  10. Rolfe, Alex (May 2015). "The fall and rise of Tokenization" . Retrieved 27 September 2022.
  11. Xu, Xiwei; Pautasso, Cesare; Zhu, Liming; Lu, Qinghua; Weber, Ingo (2018-07-04). "A Pattern Collection for Blockchain-based Applications". Proceedings of the 23rd European Conference on Pattern Languages of Programs. EuroPLoP '18. New York, NY, USA: Association for Computing Machinery. pp. 1–20. doi:10.1145/3282308.3282312. ISBN   978-1-4503-6387-7. S2CID   57760415.
  12. Millmore, B.; Foskolou, V.; Mondello, C.; Kroll, J.; Upadhyay, S.; Wilding, D. "Tokens: Culture, Connections, Communities: Final Programme" (PDF). The University of Warwick.
  13. Link, S.; Luković, I.; Mogin, P. (2010). "Performance evaluation of natural and surrogate key database architectures". School of Engineering and Computer Science, Victoria University of Wellington.
  14. Hall, P.; Owlett, J.; Todd, S. (1976). "Relations and entities. Modelling in Database Management Systems". GM Nijssen.{{cite web}}: Missing or empty |url= (help)
  15. "Tokenization eases merchant PCI compliance". Archived from the original on 2012-11-03. Retrieved 2013-03-28.
  16. "Shift4 Corporation Releases Tokenization in Depth White Paper". Reuters . Archived from the original on 2014-03-13. Retrieved 2017-07-02.
  17. "Shift4 Launches Security Tool That Lets Merchants Re-Use Credit Card Data". Internet Retailer. Archived from the original on 2015-02-18.
  18. "Shift4 Corporation Releases Tokenization in Depth White Paper". Archived from the original on 2011-07-16. Retrieved 2010-09-17.
  19. "Lessons Learned from a Data Breach" (PDF). Archived from the original (PDF) on 2013-05-02. Retrieved 2014-04-01.
  20. Voltage, Ingencio Partner on Data Encryption Platform
  21. Ogigau-Neamtiu, F. (2016). "Tokenization as a data security technique". Zeszyty Naukowe AON. 2 (103). ISSN   0867-2245.
  22. 1 2 Ozdenizci, Busra; Ok, Kerem; Coskun, Vedat (2016-11-30). "A Tokenization-Based Communication Architecture for HCE-Enabled NFC Services". Mobile Information Systems. 2016: e5046284. doi: 10.1155/2016/5046284 . hdl: 11729/1190 . ISSN   1574-017X.
  23. O’hare, K., Jurek-Loughrey, A., & De Campos, C. (2022). High-Value Token-Blocking: Efficient Blocking Method for Record Linkage. ACM Transactions on Knowledge Discovery from Data, 16(2), 1–17. https://doi.org/10.1145/3450527
  24. PCI Council Tokenization Guidelines
  25. How do you know if an RNG is working?
  26. Gimenez, Gregoire; Cherkaoui, Abdelkarim; Frisch, Raphael; Fesquet, Laurent (2017-07-01). "Self-timed Ring based True Random Number Generator: Threat model and countermeasures". 2017 IEEE 2nd International Verification and Security Workshop (IVSW). Thessaloniki, Greece: IEEE. pp. 31–38. doi:10.1109/IVSW.2017.8031541. ISBN   978-1-5386-1708-3. S2CID   10190423.
  27. Vijayan, Jaikumar (2014-02-12). "Banks push for tokenization standard to secure credit card payments". Computerworld. Retrieved 2022-11-23.
  28. Mark, S. J. (2018). "De-identification of personal information for use in software testing to ensure compliance with the Protection of Personal Information Act".
  29. "American Express Introduces New Online and Mobile Payment Security Services". AmericanExpress.com. 3 November 2014. Archived from the original on 2014-11-04. Retrieved 2014-11-04.
  30. "Apple Pay Programming Guide: About Apple Pay". developer.apple.com. Retrieved 2022-11-23.
  31. "Visa Token Service". usa.visa.com. Retrieved 2022-11-23.
  32. Beck, Roman; Avital, Michel; Rossi, Matti; Thatcher, Jason Bennett (2017-12-01). "Blockchain Technology in Business and Information Systems Research". Business & Information Systems Engineering. 59 (6): 381–384. doi: 10.1007/s12599-017-0505-1 . ISSN   1867-0202. S2CID   3493388.
  33. Çebi, F.; Bolat, H.B.; Atan, T.; Erzurumlu, Ö. Y. (2021). "International Engineering and Technology Management Summit 2021–ETMS2021 Proceeding Book". İstanbul Technical University & Bahçeşehir University. ISBN   978-975-561-522-6.
  34. 1 2 Morrow; Zarrebini (2019-10-22). "Blockchain and the Tokenization of the Individual: Societal Implications". Future Internet. 11 (10): 220. doi: 10.3390/fi11100220 . ISSN   1999-5903.
  35. Tian, Yifeng; Lu, Zheng; Adriaens, Peter; Minchin, R. Edward; Caithness, Alastair; Woo, Junghoon (2020). "Finance infrastructure through blockchain-based tokenization". Frontiers of Engineering Management. 7 (4): 485–499. doi:10.1007/s42524-020-0140-2. ISSN   2095-7513. S2CID   226335872.
  36. Ross, Omri; Jensen, Johannes Rude; Asheim, Truls (2019-11-16). "Assets under Tokenization". Rochester, NY. doi:10.2139/ssrn.3488344. S2CID   219366539. SSRN   3488344.{{cite journal}}: Cite journal requires |journal= (help)
  37. Tabatabai, Arman (2019-03-25). "Social investment platform eToro acquires smart contract startup Firmo". TechCrunch. Retrieved 2022-11-23.
  38. "eToroX Names Omri Ross Chief Blockchain Scientist". Financial and Business News | Finance Magnates. 27 March 2019. Retrieved 2022-11-23.
  39. 1 2 Sazandrishvili, George (2020). "Asset tokenization in plain English". Journal of Corporate Accounting & Finance. 31 (2): 68–73. doi:10.1002/jcaf.22432. ISSN   1044-8136. S2CID   213916347.
  40. The Payment Card Industry Data Security Standard
  41. "Tokenization: PCI Compliant Tokenization Payment Processing". Bluefin Payment Systems. Retrieved 2016-01-14.
  42. "PCI Vault: Tokenization Algorithms". PCI Vault. Retrieved 2024-06-23.
  43. "Data Security: Counterpoint – "The Best Way to Secure Data is Not to Store Data"" (PDF). Archived from the original (PDF) on 2009-07-31. Retrieved 2009-06-17.
  44. "Protecting Consumer Information: Can Data Breaches Be Prevented?" (PDF). Archived from the original (PDF) on 2014-04-07. Retrieved 2014-04-01.
  45. Visa Tokenization Best Practices
  46. "EMV Payment Tokenisation Specification – Technical Framework". March 2014. Archived from the original on 2016-10-14. Retrieved 2014-11-04.
  47. "OWASP Guide to Cryptography". Archived from the original on 2014-04-07. Retrieved 2014-04-01.