Sensitive Data
by geobridge

Tokenization Solution

Tokenization is an evolving discipline that involves the secure substitution of a surrogate value for more sensitive data.

When people consider how to protect the sensitive data their organizations are entrusted with, they usually think of encryption. But encryption does not remove the risk; it moves it from the data to the keys that encrypt the data, and the complexity of effective key management taxes the skills and resources of many organizations struggling to implement cryptographically correct and cost-effective data protection.

Tokenization (replacing a sensitive data element with a surrogate that has no financial value) can reduce the complexity of the data protection solution, because the cryptography and key management required to implement it are hidden behind a secure token repository: the Token Vault.

Tokenization solutions are sought after to satisfy compliance and security initiatives driven by mandates including, but not limited to, PCI, EMV and GDPR. Effective tokenization relies on a properly designed and cryptographically secure Token Vault. GEOBRIDGE applies its cryptographic development expertise to architect and build TokenBRIDGE™, and collaborates with its clients to determine the optimal solution for each environment.

When tokenization is a primary objective, it should be deployed with the same due care and best practices that apply to compliant cryptographic key management. This means that tokens should be generated by certified true random number generators, protected by tamper-responsive hardware and validated by independent laboratories. These are the core tenets of the tokenization solution offered with TokenBRIDGE.

Built on the KeyBRIDGE platform, the TokenBRIDGE tokenization solution keeps customers' payment and personal data secure. The solution is a hardware-based platform with client-less endpoints that connect through secured connection profiles over TLS 1.2.

TokenBRIDGE Features

TokenBRIDGE is a standalone appliance providing a rich set of tokenization services. Tokens may be generated in a wide variety of pre-defined formats, or a client can specify custom token formats. TokenBRIDGE implements a true token vault: a client submits a sensitive value and receives a token of the same length and format, which can transparently substitute for the original data in downstream systems, and on request the client can recover the original sensitive value from the token.

TokenBRIDGE also offers a High Availability (HA) option, which permits multiple appliances to be integrated into a self-replicating mesh network. Appliances may be geographically separated, so a token issued by one appliance can be recovered on another.

TokenBRIDGE leverages the KeyBRIDGE™ platform and inherits from it a physically secure package, an easy-to-use graphical interface and rich automated audit features. Built as a TRSM around an internal FIPS 140-2 Level 3 HSM, TokenBRIDGE uses true hardware-based random number generation and stringent dual-control features to establish a secure and compliant tokenization solution.


• Flexible and customizable token formats.
• Provides random tokens, based on a true hardware-based, FIPS-certified Random Number Generator.
• Hierarchical user administration. Dual control required for all sensitive operations.
• Extensive audit logging tracks all functional activities and access.
• Configurable network settings enable access to shared network storage for secure file storage and access.
• Configurable automated daily backup function.
• Designed to ensure compliance with all relevant standards, including NIST SP 800-90A Rev. 1 and ANSI X9.119-2017.
• Enables secure storage of and access to tokens and their corresponding sensitive data within a single, centralized location.
• The HA option allows multiple appliances to automatically synchronize token databases, creating a reliable, geographically distributed network.
• HA mesh networks can implement token pools, where tokens are pre-generated and held in reserve. Pool technology ensures that multiple appliances never create identical tokens.
• Organize tokens by creating a logical relationship structure for more compliant handling.
• Offers built-in dual control functions and backup and recovery tools that, in the event of a disaster, allow an entire system to be restored in minutes.
• Automates activity tracking within the system, capturing token activity details and user activity, as well as comprehensive audit logging of all sensitive functions.
• Physically secure enclosure: opening or penetrating the enclosure automatically erases the System Master Key (SMK), preventing access to the entire token database.
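The following Python sketch is an added example, not GEOBRIDGE or TokenBRIDGE code. It shows the two mechanisms described above in working form: a vault that issues a random, format-preserving surrogate and recovers the original on request, and a pre-generated token pool whose per-appliance slices are disjoint, so two appliances can never issue the same token. Everything about its structure is an assumption for illustration: Python's `secrets` module (the OS CSPRNG) stands in for the appliance's hardware RNG, plain in-memory dictionaries stand in for the SMK-protected token database, a single coordinator filling the pool stands in for the mesh, and `replicate_from` stands in for HA synchronization.

```python
import secrets
import string
from typing import Dict, List, Optional

# Constructed example. secrets (the OS CSPRNG) stands in for the appliance's
# hardware RNG, and plain dicts stand in for the SMK-protected token database.


def _char_class(ch: str) -> str:
    """Classify a character so a token can preserve the format of the original."""
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return ch  # separators such as '-' or ' ' must match literally


def random_token(template: str) -> str:
    """Random surrogate with the same length and per-position format as template."""
    alphabets = {"digit": string.digits, "upper": string.ascii_uppercase,
                 "lower": string.ascii_lowercase}
    out = []
    for ch in template:
        cls = _char_class(ch)
        out.append(secrets.choice(alphabets[cls]) if cls in alphabets else ch)
    return "".join(out)


def matches_template(value: str, template: str) -> bool:
    """True if value has the same length and per-position character classes."""
    return len(value) == len(template) and all(
        _char_class(a) == _char_class(b) for a, b in zip(value, template))


class TokenPool:
    """Pre-generated reserve of unique tokens, split into disjoint slices per node.

    Assumed design (not from the page): one coordinator fills the pool and every
    appliance draws only from its own slice, so two appliances cannot issue the
    same token even while their databases are out of sync.
    """

    def __init__(self, template: str, per_node: int, node_ids: List[str]):
        self.template = template
        self.slices: Dict[str, List[str]] = {}
        seen = set()
        for node in node_ids:
            bucket: List[str] = []
            while len(bucket) < per_node:
                t = random_token(template)
                if t not in seen:  # uniqueness is enforced pool-wide, not per node
                    seen.add(t)
                    bucket.append(t)
            self.slices[node] = bucket

    def draw(self, node_id: str) -> str:
        reserve = self.slices[node_id]
        if not reserve:
            raise RuntimeError(f"token pool exhausted for node {node_id}")
        return reserve.pop()


class TokenVault:
    """One appliance's vault: token -> sensitive value, and value -> token."""

    def __init__(self, node_id: str, pool: TokenPool):
        self.node_id = node_id
        self.pool = pool
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Return the surrogate for value, issuing a fresh one on first sight."""
        if value in self._by_value:  # same input always maps to the same token
            return self._by_value[value]
        if not matches_template(value, self.pool.template):
            raise ValueError("value does not match the pool's token format")
        while True:
            token = self.pool.draw(self.node_id)
            # never hand back the original itself, never reuse a mapped token
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Recover the original value, or None if this vault never issued the token."""
        return self._by_token.get(token)

    def replicate_from(self, other: "TokenVault") -> None:
        """Stand-in for HA mesh synchronization: import the peer's mappings."""
        for token, value in other._by_token.items():
            self._by_token.setdefault(token, value)
            self._by_value.setdefault(value, token)
```

Two points the sketch makes that the prose only implies: the token is drawn from the RNG, not computed from the sensitive value, so holding a token tells an attacker nothing about the original without the vault; and the only way to get the original back is `detokenize`, which in a real appliance is the operation that dual control, access control and audit logging must gate, whereas here it is deliberately unguarded so the mapping logic stays visible.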
