Tokenization is the process of exchanging sensitive data for non-sensitive data called “tokens” that retain the details of your personal information without compromising its security.
Through the tokenization of data, your personal information (bank account and routing number, credit card information, etc.) is more secure online and less susceptible to fraud.
As we dive deeper into data tokenization, keep these core principles in mind.
- Tokenization removes sensitive payment information from transactions.
- Tokens have a time-sensitive expiration date.
- Tokens can be revoked when necessary.
Using Chuck E. Cheese tokens as an example; tokens can only be used to play a game, not purchase a pizza. The same principle applies here. Data tokens can only be used within their set scope, and for nothing more.
Tokenization is a Key Element in Securing Data
A classic security approach is to classify and secure data based on value—the higher the value, the stronger the security.
Many companies use this “ranking” strategy for sensitive data, think: platform code, user information or a special engineering design. This is called personally identifiable information (PII) or critical strategic information.
Two-Factor Authentication: A Standard in Security
The value of these data elements is much higher and protection schemes must be significant and proportional to the risk of data exposure. It’s like putting on a big winter coat during a snowstorm as compared to a light rain jacket on a spring day; the risk of exposure is greater, so you need better protection.
However, an overall security strategy should do more than protect just high value data, it must also make data less valuable to an attacker where possible. This is where data tokenization comes in: representing sensitive data in the form of a token, which ceases to exist shortly after its creation.
Tokenization and Data Protection
Tokenization protects data via reference, scope, timing and cryptography, each of these elements contributes to Dwolla’s security strategy. Breaking these four pieces down further, we can better understand the real value of tokenization as a protective measure.
Reference: Dwolla does not share high-value data such as a bank account or routing number for transactions with the other party.
Network Level: The Dwolla Platform uses a reference number to replace your sensitive financial data. This is referred to as an OAuth Access token, and it represents you, the user. This token acts based on the permissions you’ve given, serving as both a reference and a guide for the actions you’ve allowed within your Dwolla Account.
Bank Level: Bank account information for users is not shared on the bank’s end. Rather, another token is created from the bank representing the bank user.
Timing: Dwolla requires that tokens have a one-hour expiration date. If a token expires, it must be refreshed. Time-based tokens are used to complete transactions in seconds without moving high-value data. Once the message is received, it can’t be sent again. Tokens have a limited lifespan. Once it expires, you have to ask for permission to revive it.
Scope: Tokens have a collection of authorized actions in the form of a scope. The scope contains the range of actions that can be taken. In Dwolla’s case, the scope of tokenization is limited to authorizations like ‘transaction details,’ ‘balance,’ ‘send’ or ‘receive.’ Establishing a scope is important as it strictly limits the use of the token so it’s not used incorrectly.
Cryptography: Tokenization goes hand-in-hand with cryptography. Tokenization enlists cryptography to secure the information in transit and uses randomization to ensure each token is unique. At Dwolla, strict, standards-based cryptography is in place.
