Vault-based and vaultless tokenization
There are two approaches to tokenization depending on whether a vault (a secure centralized database) is involved: vault-based tokenization (VBT) and vaultless tokenization.
Vault-based tokenization
Vault-based tokenization relies on a centralized database (also known as a vault or token vault) to securely store sensitive data. Tokens replace sensitive data in operational systems, and the vault maps these tokens back to the original data on demand using a lookup table.
The premise of vault-based tokenization is that generated tokens are irreversible: the original data cannot be derived from the token itself, and recovering it through the vault requires explicit permissions.
Vault-based tokenization offers robust protection by:
- Centralizing control
- Simplifying compliance
- Supporting operations like searches on the original data
However, the vault itself can become a single point of failure, requiring strong infrastructure and security measures to prevent data breaches.
Vault-based tokenization is currently the predominant approach, and it is what the term “tokenization” usually implies.
Vaultless tokenization
Vaultless tokenization refers to an approach that involves generating tokens algorithmically without storing them persistently.
Instead of relying on a centralized data vault, vaultless tokenization uses cryptographic algorithms to generate tokens deterministically.
Vaultless tokenization supports using multiple smaller, pre-generated in-memory lookup tables, which can reduce latency and help set up a distributed tokenization infrastructure. Therefore, vaultless tokenization has a higher ceiling for scalability and performance, and it reduces the risk of a single point of failure.
However, vaultless tokenization has limitations:
- It may provide less granular control.
- It can face challenges in supporting operational features like searches or analytics on tokenized data.
- Because tokens are derived algorithmically from the data, anyone holding the algorithm's secret can reverse them, which violates the fundamental principle of tokenization: irreversibility.
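As an added example (not code from the original page), the following Python contrasts the two approaches: a vault that issues random tokens and only releases the original data on a permitted lookup, and a keyed, deterministic vaultless transform that anyone holding the key can reverse. The vaultless part is a constructed toy Feistel network over decimal digits, standing in for a standards-based format-preserving cipher; the vault class and key are likewise constructed for the demo.

```python
import hashlib
import hmac
import secrets


# --- Vault-based: random token; the only link to the data lives in the vault
class TokenVault:
    """Constructed example vault: a token -> original value lookup table."""

    def __init__(self):
        self._store = {}

    def _random_token(self, length):
        return "".join(str(secrets.randbelow(10)) for _ in range(length))

    def tokenize(self, value):
        token = self._random_token(len(value))
        while token in self._store:          # reissue on the (rare) collision
            token = self._random_token(len(value))
        self._store[token] = value
        return token                         # carries no information about value

    def detokenize(self, token, *, permitted):
        if not permitted:                    # explicit permission check at the vault
            raise PermissionError("detokenization not permitted")
        return self._store[token]            # KeyError for a token never issued


# --- Vaultless: deterministic, key-dependent and reversible (toy Feistel,
# --- not FF1/FF3; it only illustrates the reversibility property)
ROUNDS = 8

def _round_fn(key, i, half):
    d = hmac.new(key, bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(d[:8], "big") % 10 ** len(half)

def vaultless_tokenize(key, digits):
    assert digits.isdigit() and len(digits) % 2 == 0
    n, mod = len(digits) // 2, 10 ** (len(digits) // 2)
    l, r = digits[:n], digits[n:]
    for i in range(ROUNDS):
        l, r = r, f"{(int(l) + _round_fn(key, i, r)) % mod:0{n}d}"
    return l + r

def vaultless_detokenize(key, token):
    n, mod = len(token) // 2, 10 ** (len(token) // 2)
    l, r = token[:n], token[n:]
    for i in reversed(range(ROUNDS)):       # undo the rounds in reverse order
        l, r = f"{(int(r) - _round_fn(key, i, l)) % mod:0{n}d}", l
    return l + r
```

Run `vaultless_tokenize` twice with the same key to see the same token come back, then `vaultless_detokenize` with that key to recover the input; the vault token, by contrast, recovers nothing without a permitted lookup.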