Tokenization
Deepak Sahoo
Trainer and Educator, CFA Level 2, FRM Level 1, Financial Modelling and Business Valuation, Fintech, ESG, Sustainable Finance, Derivative Pricing, Valuation and Exposure Management
Tokenization involves replacing a sensitive identifier, such as a unique ID number or other personally identifiable information (PII), with a non-sensitive equivalent known as a "token." These tokens have no intrinsic or exploitable meaning or value and are used in place of identifiers or PII to represent users in databases or during transactions such as authentication. The mapping from original data to a token typically relies on randomization or hashing, rendering tokens practically impossible to reverse without access to the tokenization system.
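To make this concrete, here is a minimal Python sketch of a vault-style tokenization service. The class name, the in-memory dictionaries, and the sample identifier are illustrative assumptions, not a reference to any particular product.

```python
# A minimal sketch of a vault-style tokenization service (illustrative only).
# Real systems keep the mapping in a hardened, access-controlled data store.
import secrets


class TokenVault:
    def __init__(self):
        self._token_to_value = {}   # token -> original identifier (kept inside the vault)
        self._value_to_token = {}   # original identifier -> token (so repeats get the same token)

    def tokenize(self, value: str) -> str:
        """Return a random, meaningless token standing in for a sensitive value."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = secrets.token_hex(16)        # random token with no mathematical link to the value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Recover the original value; only the tokenization system can do this."""
        return self._token_to_value[token]


vault = TokenVault()
token = vault.tokenize("1234-5678-9012")     # illustrative ID number
print(token)                                  # safe to store or pass to relying parties
print(vault.detokenize(token))                # possible only with access to the vault
```

The key property is that the token is generated at random, so recovering the original value requires a lookup against the vault rather than any computation on the token itself.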
While not a new technology, tokenization has been extensively used in credit and debit card systems to replace card data, such as the primary account number (PAN), with unique, randomly generated tokens. This substitution minimizes the number of systems with access to the original card data, thereby reducing the risk of fraud in case of system compromise.
From a privacy perspective, tokenization safeguards privacy by ensuring that only tokens, rather than permanent identity numbers or other PII, are exposed or stored during transactions. Moreover, when the same person is represented by a different token in each database, tokenization restricts the proliferation of a single identifier and prevents records from being correlated across systems, mitigating privacy risks and potential fraud.
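As a rough illustration of that unlinkability, the sketch below tokenizes the same identifier independently for two hypothetical services; because each token is random and each service holds only its own mapping, the resulting records cannot be correlated through a shared identifier.

```python
# A rough sketch of per-database tokenization (all names and values are illustrative).
import secrets


def tokenize(value: str, vault: dict) -> str:
    """Issue a fresh random token and record the mapping in this service's own vault."""
    token = secrets.token_hex(16)
    vault[token] = value
    return token


identifier = "9999-8888-7777"        # the same person's ID number (invented for illustration)

hospital_vault: dict[str, str] = {}
bank_vault: dict[str, str] = {}

hospital_token = tokenize(identifier, hospital_vault)   # what the hospital stores and exposes
bank_token = tokenize(identifier, bank_vault)           # what the bank stores and exposes

# The two tokens share nothing, so the databases cannot be joined on them,
# even though both ultimately refer to the same person.
print(hospital_token, bank_token, hospital_token == bank_token)
```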
Key features of tokens include uniqueness and the inability for service providers or unauthorized entities to reverse engineer the original identity or PII from the token. Tokenization typically falls into two primary categories:
1. Front-end tokenization: Users generate tokens themselves as part of an online service; these tokens can then be used in digital transactions in place of the original identifier value. While this approach empowers users, it may exacerbate digital divides because of its technical requirements and digital-literacy barriers.
2. Back-end tokenization: Identity or token providers tokenize identifiers before sharing them with other systems, thereby controlling data correlation and limiting the spread of original identifiers. Back-end tokenization occurs automatically without user intervention, reducing the risk of digital divides and protecting identifiers and PII at the source.
UIDAI has also introduced back-end tokenization to address the storage of Aadhaar numbers in service-provider databases, as sketched below.
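One common way to realise back-end tokenization is for the token provider to derive a different, stable token for each relying agency using a keyed hash. The sketch below shows that general pattern under invented names and values; it is not a description of UIDAI's actual algorithm.

```python
# A sketch of back-end tokenization as a keyed hash over (agency, identifier), so that
# each relying agency receives a different but stable token. This illustrates the general
# pattern only; it is NOT a description of UIDAI's actual scheme, and the key, agency IDs
# and sample number are invented for illustration.
import hashlib
import hmac

PROVIDER_SECRET = b"known only to the identity/token provider"   # illustrative key


def agency_token(identifier: str, agency_id: str) -> str:
    """Derive a per-agency token; the provider never shares the raw identifier."""
    message = f"{agency_id}|{identifier}".encode()
    return hmac.new(PROVIDER_SECRET, message, hashlib.sha256).hexdigest()


sample_id = "999988887777"                         # illustrative 12-digit identifier
print(agency_token(sample_id, "bank-A"))           # token stored by bank A
print(agency_token(sample_id, "telecom-B"))        # a different token stored by telecom B
# The same agency always receives the same token (usable for deduplication within that
# agency), but tokens differ across agencies, so their databases cannot be linked on them.
```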
Tokenization vs. Encryption
While both tokenization and encryption obscure personal data, they do so differently. Tokenization is often simpler and cheaper to implement than encryption, with a lower impact on relying parties. However, it requires a means of mapping tokens back to the actual identifier or PII values, which can pose scalability challenges. Nonetheless, implementations such as Verify and Aadhaar manage tokenization at scale effectively without needing to share the underlying data for authentication purposes.
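The difference can be seen in a short sketch: an encrypted value can be decrypted by anyone who holds the key, whereas a token can only be resolved by looking it up in the mapping kept by the tokenization system. The example below assumes the third-party cryptography package and uses invented values.

```python
# A sketch contrasting encryption (reversible by anyone holding the key) with tokenization
# (reversible only via the tokenization system's mapping). Assumes the third-party
# `cryptography` package; the card number is invented for illustration.
import secrets

from cryptography.fernet import Fernet

pan = "4111111111111111"   # illustrative primary account number

# Encryption: the ciphertext is mathematically derived from the plaintext,
# so the original value can be recovered by anyone who has the key.
key = Fernet.generate_key()
ciphertext = Fernet(key).encrypt(pan.encode())
recovered = Fernet(key).decrypt(ciphertext).decode()

# Tokenization: the token is random and carries no relationship to the plaintext,
# so recovery requires a lookup against the mapping held by the tokenization system.
vault = {}
token = secrets.token_hex(16)
vault[token] = pan

print(recovered == pan)      # True, given the key
print(vault[token] == pan)   # True, but only with access to the vault's mapping
```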