Thales Blog

What Does Tokenization Mean For Our European Customers?

February 10, 2015

Andy Kicklighter Andy Kicklighter | Director of Product Marketing More About This Author >

You may have seen the recent blog post from Charles Goldberg, which provides an overview of tokenization and our new product offering in this area.  Here in the UK and Europe, we’re seeing specific demand for these capabilities around three key areas, which I’d like to highlight here.

<ClickToTweet>: Euro and UK Applications for Tokenisation and Data Masking from @Vormetric


If an organisation has any need to handle payment card details, it must adhere to PCI compliance guidelines.  Although in many regards Europe is at the cutting edge of card security, where for some time chip & pin transactions have been the norm, there is still very high demand for solutions that will obfuscate card data in order to protect both customer and retailer should that data be breached.  Although this does not apply to retailers’ “physical” presence, as chip & pin actually eliminates the card and customer information by encrypting it as the transaction takes place, online and phone-based retail transactions still involve the exchange of sensitive information.  With tokenization – replacing cardholder information with tokens – retailers can significantly reduce the scope of very expensive PCI DSS audits.

Protecting Card Data with Tokenization and Dynamic Data masking

Data Residency

TokenizationThere are approximately 50 countries in Europe, all of which have their own laws and jurisdictions.  This means that data sovereignty is an incredibly important issue for this dense group of nations.  There are far too many individual reasons why any given organisation in any given European country may have strict requirements around where its data may physically reside or be duplicated, but with tokenization it is quite simple to ensure private data never leaves the local jurisdiction – only tokens.  Indeed, our ability to provide ‘Dynamic Data Masking’ would allow, for example, a call centre in one country to service customers with data stored in another while meeting strict data residency requirements; the source data remains in its home jurisdiction, and is “masked” – i.e. no sensitive information is shown to the call centre operator, or ever leaves the home jurisdiction.

EU Data Protection

Data Masking1There are several important data privacy regulations cited by our European customers, including the EU Data Protection Directive 1995, the E-Privacy Directive and the Data Protection Act 1998.  Across these legal mandates, organisations are required to ensure the protection of the likes of National Insurance numbers, credit card details, dates of birth and other private data stored in databases and big data environments.  Replacing any of this data with tokens will, as one would expect, limit your exposure.  There are also benefits to masking private data within a record from the view of those whose role does not require access to the full information.  Looking ahead, the adoption of a new General Data Protection Regulation this year may further drive demand for tokenization capabilities.

I’d be interested to hear your thoughts on applications and interesting use case of tokenization, and you can find out more about our approach, including data masking, here

Tools in the box