SafeNet Tokenization Manager protects sensitive data that enters organizations and facilitates compliance with regulations (such as PCI DSS and HIPAA) by reducing the regulatory scope and costs.

How Tokenization Works

Tokenization is the process of replacing sensitive data (primary account numbers, Social Security numbers, etc.) with a surrogate value, a token. The tokenization process significantly reduces the risks of data exposure and data-blooming, as the sensitive data is stored in a central token vault in an encrypted format.

Every token that is issued represents a single unique string of sensitive data. Assigning a token to a single original Primary Account Number (PAN) enables merchants to use the same token multiple times, whenever the specific PAN is used in a transaction.

SafeNet Tokenization Manager complies with PCI Tokenization Guidelines (published August 2011) and VISA Tokenization Best Practices.

SafeNet's Tokenization Manager Highlights:

Format Preserving Tokenization (FPT) uses tokens that preserve the length and format of the sensitive data. FPT ensures that no changes to legacy databases are required in order to support the tokenization process.

Tokenization Manager FPT supports multiple formats of credit card numbers, SSN and other PII data as well as alphanumeric data. It complies with the PCI-DSS guidelines for token / PAN distinguishability (achieved through Luhn algorithm enforcement).

Tokenization Manager is designed to offer scalability and elasticity that enables organizations to cost-effectively implement their solution:

- Clustered deployment ensures high availability and scalability
- Multiple Tokenization Manager Instances (on physical or virtual servers) can share a single Token Vault, avoiding token collisions
- Elasticity is achieved by deploying a variable number of Instances/Hardware Servers depending on the transaction volume
- Targeted to enterprises and service providers
- Suitable for merchants to support “Peak Traffic Days” in a cost-effective way

In order to ensure a more secure solution, all Tokenization Manager crypto operations are done within SafeNet KeySecure, a robust key-manager and crypto off-load appliance.

Tokenization Manager in conjunction with KeySecure and Crypto Pack provides:

- Secure key-vault
- Trusted execution environment for all cryptographic operations
- Single interface for logging, auditing, and reporting access to protected data, keys, and tokens
- Support for key-rotation functionality for Token Vault encryption keys
- Support for single and multi-use tokens
- Compliance with NIST 800-57 Key-management guidelines and with PCI-DSS key-management requirements

SafeNet Tokenization Manager enables financial service providers and payment acquirers to expand their offering and create a new revenue stream by offering Tokenization as a Service to their customers.

Deploying Tokenization Manager and DataSecure at their premises, service providers are able to offer customers a full set of encryption and tokenization services, taking customers’ entire organization out of regulatory scope, eliminating all PCI-DSS auditing costs.

- SafeNet’s Tokenization Manager solution fully complies with PCI-DSS requirements
- API Web Services allow easy integration and clear segmentation from CDE to non-CDE
- Elastic deployment and business model that best fits a Service environment and pricing
- Support of different Token Vaults for different merchants

Technical Specifications

Format Preserving Tokenization

  • Complies with PCI Tokenization Guidelines for token identification via token masking and Luhn algorithm pass/fail checks

  • Supports multiple token vaults

  • Highly scalable - can generate and retrieve millions of tokens per day for best performance

Supported Token Vault Databases

  • Microsoft SQL Server

  • Oracle

Note: All tokenization forms are supported on all databases as long as the vault itself is on Microsoft SQL Server or Oracle.

Supported APIs

  • Java

  • Web service

Enhanced Event Logging and Monitoring Functionality

  • Complies with PCI Tokenization Manager event monitoring specifications

  • Supports SNMP for online monitoring and alerting


  • The Tokenization Manager support of Format Preserving Tokenization ensures that no changes to legacy databases are required in order to support tokenization.

  • Tokenization Manager offers deployment elasticity and scalability, enabling organizations to get the most cost-effective implementation.

  • All cryptographic operations are done within SafeNet KeySecure, a robust key-manager and crypto off-load appliance, which results in a secure hardware-based tokenization solution.


  • End-to-End Tokenization, reducing regulatory scope to a minimum

  • Fully compliant with the PCI Tokenization Guidelines and VISA Tokenization Best Practices

  • Unified policy management console that can be extended to meet other compliance needs like transparent database encryption, storage encryption, file encryption and virtual server encryption.

  • Tokenization as a Service (TaaS) platform enables Tokenization Service Providers to generate a new revenue stream while taking their customers completely out of regulatory scope