The Fortanix Data Security Manager (DSM) tokenization feature eliminates the link to sensitive data and is used in credit card processing and other use cases to reduce or eliminate breaches. This is a highly secure method of protecting payment credentials which include substituting sensitive data such as credit card/ account numbers with a one-time number known as a token that has no relationship to a person or their account. The 16-digit account number is replaced with a randomly generated alphanumeric ID.
Tokenizer Data Types
A security object token can belong to any of the following categories:
Custom
General
Identification Numbers (USA)
Military Service Numbers
Depending on the type of data the users want to protect, they can create security objects belonging to any of the three tokenizer data types. Tokenization replaces a customer’s data type (for example, credit card number, SSN, IMSI, custom, and so on) token with a randomly generated code, or token, obfuscating the original data.
General
When you select General, Fortanix DSM provides the following data types:
Credit card
IMSI
IMEI
IP address (v4)
Phone number (USA)
Fax number (USA)
Email address
Credit Card Tokenization
A typical credit card number comes with a 16-digit personal account number (PAN) which can be tokenized. When a merchant swipes a customer’s credit card, the PAN is automatically replaced with a format-preserving numeric ID (“token”).
For credit cards, the minimum supported length is 13 and the maximum supported length is 19.
A Fortanix DSM user can choose to tokenize certain digits of a credit card number using a pattern. There are 4 types of tokenization pattern that can be applied:
Fully tokenize the credit card number – full token. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the credit card number – token + 4 digits. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except the last four since these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits of the credit card number – 6 digits + token. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits since these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits and last four digits of the credit card number – 6 digits + token + 4 digits. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits and the last four digits, as these digits of the credit card number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
IMSI Tokenization
The IMSI is a 15-digit number that uniquely identifies every user of a cellular network. For IMSI, the minimum supported length is 14 and the maximum supported length is 15. It is stored as a 64-bit field and is sent by the mobile device to the network.
The phone identifies the subscriber by transmitting the IMSI number. To prevent eavesdroppers from identifying and tracking the subscriber on the radio interface using the IMSI number, we can tokenize the IMSI number so that it is automatically replaced with a format-preserving alphanumeric ID (“token”).
A Fortanix DSM user can choose to tokenize certain digits of an IMSI number using a pattern. There are 4 types of tokenization pattern that can be applied:
Fully tokenize the IMSI number – full token. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the IMSI number – token + 4 digits. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except the last four since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1st six digits of the IMSI number – 6 digits + token. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except for the 1st six digits since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the 1st six digits and last four digits of the IMSI number – 6 digits + token + 4 digits. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except for the 1st six digits and the last four digits since these digits of the IMSI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
IMEI
The International Mobile Equipment Identity (IMEI) is a 15-digit number that uniquely identifies every mobile phone of a cellular network.
A Fortanix DSM user can choose to tokenize certain digits of an IMEI number using a pattern. There are 4 types of tokenization pattern that can be applied:
Fully tokenize the IMEI number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits of the IMSI number – first 6 digits + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the 1st six digits since these digits of the IMEI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the IMEI number – token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last four since these digits of the IMEI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits and the last four digits of the IMEI number – first 6 digits + token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six and last four since these digits of the IMEI number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
IP Address (v4)
An Internet Protocol Version 4 (IPv4) address is a numerical label that is used to identify a network interface of a computer or a network node participating in an IPv4 computer network and for locating the computer or the network node in the network. An IPv4 address consists of 32 bits divided into four 8-bit blocks.
A Fortanix DSM user can choose to tokenize certain digits of a IPv4 address using a pattern. There are 4 types of tokenization pattern that can be applied:
Fully tokenize the IP address – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last three digits of the IPv4 address – token + 3 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last three digits since those digits of the IPv4 address are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits of the IPv4 address – 6 digits + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits since these digits of the IPv4 address are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits and last three digits of the IPv4 address – 6 digits + token + 3 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits and the last three digits since these digits of the IPv4 address are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Phone Number (USA)
The standard American telephone number is ten digits, such as (555) 555-1234. The first three digits are the "area code," followed by a seven-digit phone number.
A Fortanix DSM user can choose to tokenize certain digits of a phone number using a pattern. There are 3 types of tokenization pattern that can be applied:
Fully tokenize the phone number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the phone number – token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last four since these digits of the phone number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits of the phone number – 6 digits + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits since these digits of the phone number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Fax Number (USA)
A USA fax number is just a phone number that has a fax machine (or fax service, fax server, computer with fax software, and so on) connected to it.
A Fortanix DSM user can choose to tokenize certain digits of a fax number using a pattern. There are 3 types of tokenization pattern that can be applied:
Fully tokenize the fax number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the fax number – token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last four since these digits of the fax number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first six digits of the fax number – 6 digits + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first six digits since these digits of the fax number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Email Address
The following is the structure of an email address:
A typical email address consists of a ‘username’ and ‘domain’ name. The following is the typical format of an email:
local-part@domain
A Fortanix DSM user can choose to tokenize certain digits of an email address using a pattern. There are 3 types of tokenization pattern that can be applied:
Fully tokenize the email address – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize the first character of the email address – first character + token. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first character of the email address since it is set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the local part of the email address – local part + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the local part since these digits of the email address are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the domain part of the email address – token + domain. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the domain part since these digits of the email address are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Identification Numbers (USA)
When you select Identification numbers (USA), Fortanix DSM provides the following data types:
SSN
Passport number (USA)
Driver’s license number
Individual Taxpayer identification number (USA)
Employer identification Number (USA)
SSN Tokenization
This method of tokenization converts sensitive data, such as a social security number, into a random string of characters (called a token) that have no meaningful value if breached. A typical Social Security number consists of 9 digits. A token representing an SSN may need to retain the real last 4 digits. This enables representatives to verify user identities without access to the rest of the SSN.
A Fortanix DSM user can choose to tokenize an SSN using the below two patterns.
Fully tokenize the SSN – full token. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the SSN – token + 4 digits. For example:
With this pattern, a Fortanix DSM user can choose to mask the complete token except the last four digits since these digits of the SSN are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Passport Number (USA)
A US Passport number consists of six and nine alphanumeric characters (letters and numbers).
A Fortanix DSM user can choose to tokenize a passport number using the below patterns.
Fully tokenize the passport number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 4 digits of the passport number– token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last four digits since these digits of the passport number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 4 digits of the passport number – first 4 digits + token. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the first four digits since these digits of the passport number are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Driver's License Number
A Driver’s License Number is a nine-digit number used as a tracking number by the U.S. It supports minimum of 2 characters. Any letter must be in upper case.
You can fully tokenize the Driver’s license number. For example:
Individual Taxpayer Identification Number (USA)
A Tax Identification Number (TIN) is a nine-digit number used as a tracking number by the U.S. Internal Revenue Service (IRS) and is required information on all tax returns filed with the IRS.
A Fortanix DSM user can choose to tokenize a TIN using the below two patterns.
Fully tokenize the TIN – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last four digits of the TIN – token + 4 digits. For example: With this pattern, a Fortanix DSM user can choose to mask the complete token except for the last four digits since these digits of the TIN are set to be visible by the user. Masking can be applied using the Add masking pattern option in the UI. The masking pattern replaces the selected digits of the token with asterisks (*), further securing the token’s identity.
Employer Identification Number (USA)
Employer Identification Number (EIN) is a unique 9-digit number. It is used by Internal Revenue Service (IRS) to report employment taxes.
A Fortanix DSM user can choose to tokenize an EIN using the below patterns.
Fully tokenize EIN – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 2 digits of EIN – first 2 digits + token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 2 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 4 digits of EIN – token + last four digits. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 4 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Military Service Numbers (USA)
When you select ‘Military Service Number’, Fortanix DSM provides the following data types:
Army and Air Force Service Number (USA)
Navy Service Number (USA)
Coast Guard Service Number (USA)
Marine Corps Service Number (USA)
Military Officers Service Numbers (USA)
Army and Air Force Service Number (USA)
An Army and Air Force Service Number (USA) is an 8-digit number assigned to the US Army and Air Force personnel.
A Fortanix DSM user can choose to tokenize an Army and Air Force Service Number (USA) using the below patterns.
Fully tokenize Army and Air Force Service Number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 2 digits of Army and Air Force Service Number – first 2 digits + token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 2 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 3 digits of Army and Air Force Service Number – token + last 3 digits. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 3 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Navy Service Number (USA)
A Navy Service Number (USA) is a 7-digit number assigned to the US Navy personnel.
A Fortanix DSM user can choose to tokenize a Navy Service Number (USA) using the below patterns.
Fully tokenize Navy Service Number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 3 digits of Navy Service Number – first 3 digits + token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 3 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 2 digits of Navy Service Number – token + last 2 digits. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 2 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Coast Guard Service Number (USA)
A Coast Guard Service Number (USA) is a 7-digit number assigned to the US Coast Guard personnel.
A Fortanix DSM user can choose to tokenize a Coast Guard Service Number (USA) using the below patterns.
Fully tokenize Coast Guard Service Number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 4 digits of Coast Guard Service Number – first 4 digits + token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 4 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 3 digits of Coast Guard Service Number – token + last 3 digits. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 3 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Marine Corps Service Number (USA)
A Marine Corps Service Number (USA) is a 6-digit number assigned to the US Marine Corps personnel.
A Fortanix DSM user can choose to tokenize a Marine Corps Service Number (USA) using the below patterns.
Fully tokenize Marine Corps Service Number – full token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 4 digits of Marine Corps Service Number – first 4 digits + token. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 4 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 4 digits of Marine Corps Service Number – token + last 4 digits. For example: With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 4 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Military Officers Service Numbers (USA)
A Military Officers Service Number (USA) is a 5-digit number assigned to the US Military officers.
A Fortanix DSM user can choose to tokenize a Marine Corps Service Number (USA) using the below patterns.
Fully tokenize Military Officers Service Number – full token. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the first 3 digits of Military Officers Service Number – first 3 digits + token. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token except the first 4 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Tokenize all but the last 3 digits of Military Corps Service Number – token + last 3 digits. For example:
With this pattern, a Fortanix DSM user can also choose to mask the complete token except the last 3 digits using the Add masking pattern option in the UI. The masking pattern replaces the complete token with asterisks (*), further securing the token’s identity.
Custom
A user can use this method of tokenization to protect any kind of data other than the new categories. This data type must have a minimum size of 12 which can either be numbers, hexadecimals or alphanumeric values. In this method, a Fortanix DSM user can choose to tokenize any combination of the first six and the last six digits in the data. For example:
1 symbol + token + 1 symbol
6 symbols + token + 6 symbols
3 symbols + token + 2 symbols
A Fortanix DSM user can choose to mask the corresponding tokenized values with asterisks (*), further securing the token’s identity. Masking can be applied to any combination of digits that are tokenized using the Add masking pattern option in the UI. For example, the following can be the masking patterns for the custom token above.
A custom token type can be:
Numbers only: If your data is of type ‘number’, then use this option to create a custom token containing only numbers.
Hexadecimal only: If your data is of type ‘hexadecimal’, then use this option to create a custom token containing hexadecimal values. Only upper-case letters are supported.
Alphanumeric only: If your data is of type ‘alphanumeric’, then use this option to create a custom token containing alphanumeric values.
Create a Tokenizer Security Object
To create a tokenizer security object, follow the steps below:
On the Fortanix DSM UI left panel, click the Security Objects tab, and then click the CREATE SECURITY OBJECT button ('+' sign) in the Security Objects page. Figure 1: Create a Tokenizer Security Object
In the Add New Security Object page, enter a name for your new security object, and then select the GENERATE option, to generate a security object.
Select the GENERATE option, to generate a security object. Figure 2: Generate Tokenizer Object
Select the type of security object as Tokenization.
In the Data type list, select the tokenization type for the tokenizer security object. There are four categories of data types to select from, namely:
General
Identification Numbers (USA)
Military Service Numbers (USA)
Custom
Refer to the previous section for more details about these data types. Figure 3: Select Security Object Type
If you want to mask your token, then select Add masking pattern.
Move the slider below the token to choose a masking pattern.
Enter a key size for the security object. The allowed values are 128 bits, 192 bits, and 256 bits.
Select the permitted key operations on this security object. The key operations that are permitted for a Tokenization key are:
Tokenize (encrypt)
Detokenize (decrypt)
App Manageable
Export
Figure 4: Select Key Operations
Lastly, click GENERATE to generate a tokenizer security object.
The new tokenizer security object is created. Figure 5: Tokenizer Security Object Created
Tokenization Operations Using API
Once the tokenization object is created, it can be used to tokenize and de-tokenize data. For the examples shown in this section the following tokenization object will be used:
Figure 6: Create a New Token
Generating a Token
To generate a token from the data given in Figure 6, the following API request should be used:>
POST https://{{server}}/crypto/v1/keys/{{token_key_uuid}}/encrypt
The base64 decoded value of the returned "cipher" is “0123459120651682”. The first 6 digits of the text (credit card number) are identical to the original plain text and the rest of the digits are tokenized.
Obtaining Original Data
To obtain the original data from a given token, the following API request should be used:
POST https://{{server}}/crypto/v1/keys/{{token_key_uuid}}/decrypt
The "plain" field is the base64 encoded value of the original data. The result of decoding the "plain" field is “0123456789123456”, the original data provided.
