3. Tokenization: Explain Like I'm 5

Tokenization: Explain Like I'm 5

In simple terms, you would usually use it in place of a hash, except for data that you want to be able to access again at a later date.

I'll give you an example that I have used in real life.

A company approaches my company, and they want to use our services, which means we need to take their customers data, do some business stuff to it, and then give it back to them. Now, these customers are identified by a number, maybe it's a back account number, or a credit card number, or a social security number... what ever it is, they don't want my company to know what the number actually is, they just want to give us a unique identifier that we can both use to identify their customers.

So they give us a token instead. They create their own key to tokenize and detokenize the IDs. For instance if 1=G9 2=T4 3=H7... then the ID 123 = G9T4H7. They keep this key secret, so when the send us data about customer 123, all we know is customer G9T4H7. When we send them data back about customer G9T4H7, they know who we're talking about.

In reality, this can happen all very quickly and efficiently. In the scenario I described above, these customers were actually making online financial transactions that were routed through my system. The tokenization, processing and detokenization all took a matter of milliseconds.

There's plenty of other scenarios where you might want to use a token. For instance, the ID might be a name instead of a card number... Anyway, since I work in PCI, we followed the PCI SSC guidelines on how to do it.

Here is some whitepaper

https://www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf

https://www.pcisecuritystandards.org/documents/Tokenization_Product_Security_Guidelines.pdf

/r/AskNetsec Thread
Previous
Next

Recently removed from /r/AskNetsec

Pentesters, what web vulnerability scanner do you use? Web App Pentesting Career Path Is a "security engineer" = a software dev focused on security or is it something uniquely different? What subjects would you take in hackerschool? Most reasonable way to protect Windows laptop from BadUSB? Your recommendations, I have an opportunity to learn netsec but I am at the starting line. I will be traveling to one of the countries hosting a great firewall, will only be using my phone to access anything. What kind of modifications and precaution should I be taking to protect myself from both of privacy and security perspective? Anyone interested in Advanced WiFi Pentesting Webinar? if net neutrality fails, could an online company provide a "neutral net" loophole? GCIH - using braindump questions to test my knowledge. Good or bad? Let's say you find an exploit in a vendors application. What's the best way to inquire about a bug bounty if one isn't already listed? Minimum Requirements For Entry Level Pentesting Job Can someone recommend how I can get into malware research/reverse engineering? Security clearance question What can a script kiddie do?

More Random Comments

Central Europe if Google Maps existed in the year 1930 Associating with owen gets you banned Creative decisions in media that you think don't work all that well. I suspected when they revealed the Godzilla crossover cards in Ikoria that it was the beginning of a long road downhill. Now I know I was right. In Brandenburg nehmen kaum Ärzte eine Abtreibung vor Getting on the plane AITA for refusing to let my son take a new surname? There's a fake crush among us What's your favorite comfort book? How do we succeed? Why Nova Scotia wants to poison a lake to kill off invasive species Donald J Trump state park What is the difference between democracy and a dictatorship apart from having a new dictator every few years? FAQ Friday! Ask anything in here! September 25, 2020 Pre-hiatus fans reaction on their comeback