As mentioned in previous MyDiamo posts, Tokenization is often used in order to preserve the security of sensitive and personal data ranging from credit card information to criminal records. It is a method of encryption that is held in great esteem – and rightly so – by users and security engineers worldwide. The de facto consensus is that “tokenization = safety.”
However, it must be remembered that tokenization is not immune to hackers and attacks. While tokenization is a technology that meets the security specifications required by Payment Card Industry Data Security Standard (PCI DSS), it does not guarantee the safety of data processed through tokenization safety. In fact, companies like Hannaford Brothers and TJX Companies experienced a large-scale leakage of private information in 2008, despite keeping up with PCI DSS. Home Depot too, albeit complied with PCI standards since 2009, faced a devastating data breach which left 56 million customers’ credit card information up for grabs on the black market back in 2014.
The security of the tokenization system itself varies on the level of encryption used. Some corporations generate tokens by using Weak Pseudo-Random Number Generator (WPRNG) to maintain properties of data while others employ a much stronger Format-Preserving Encryption (FPE), also regarded as one of the best ways to secure data and maintain its features. FPE is an encryption algorithm, meaning that different encryption keys can be used for different data, giving each set of data independence from the other.
Tokenization is, without a doubt, one of the best methods for secure encryption. The advanced technology means that there is a low probability of a successful attack. However, probability is a separate issue from possibility. It is important to remember this when adding security measures to data storage and processing.