Introduction to Tokenization Tech Talk Meetup #1 @Indeed

Who I am? Junichi Okamura @benzookapi Scala/Java/Node.js/Python/ Ruby/PHP/../Mobile/../ppt /I18N/Marketing/Payment API Lover/Agro-IoT/Cartoonist

My formal suit

Today’s topic Tokenization

Tokenization = replace(SENSITIVE_DATA, MEANINGLESS_TEXT); Ticket for the real data

Why now tokenization? • The word used in context of payment = payment tokenization • Increasing concern about security on finance

Payment tokenization example: Android Pay Source: https://developers.google.com/web/fundamentals/discovery-and-monetization/payment-request/android-pay?hl=ja sensitive data = credit card meaningless text = gateway token

Advantage of tokenization • Even though your token is stolen, your card number is not • Second user of token cannot buy/sell anything • Sellers don’t need to complaint to highly strict security rules (PCIDSS) • Because token itself is meaningless text

What’s different from encryption? • Encrypted data itself is sensitive data (card number) • If the encryption broken, raw data get stolen • Encrypted data is not sharable

Key characteristics of tokens • Temporary • One time (most secured) • Expiration • No encoding/decoding • Only issuers can understand (no common data in it) • But sharable with token consumers

Token issuers and consumers Token Issuers = store sensitive data and process them Payment Account EC/Delivery Token Consumers = get process result or raw data restrictedly real consumer (not token consumer) 1.sensitive data 2.service 3.token 5.service 2.token 4.result or data

Issuers vs Consumers? • No, some issuers can be consumers in some context (e.g. payment gateway can be both in the context of credit card) • Most of other cases than payment express Issuer as API providers and consumers as API users

Types of tokenization tokens • Closed: Can be used for issuer’s service only. Most popular (e.g. OAuth token) • Semi-closed: Can be used for issuer’s partner-ship or restricted services only. Recently, getting applied for payment (e.g. Android Pay) • Open: Public token can be used for any external services (currently, not known yet… tell me please)

Extended usage of tokenization e.g. Logistics Receiver Sender’s address Receivers’ address Logistics company = Token issuer Sender Sender’s address token Receiver’s address token

Who can be token issuer? • Trusted: with highly secured system and environment • Compliant: to law and regulation with good mind • Attractive: with strong value props and cool thing

Movement of tokenization Closed token for monolithic service Data | Activity | Connectivity token token token token Open token for multiple services Data Service Activity Service Connectivity Service token token token token

Thank you & QA