World's first and only Vault-less Tokenization as a Service U.S. Pat. Nos. 1,389,688 B2


Whether or not to implement a security measure always boils down to money. “How much risk is acceptable vs. the cost of prevention?” It’s a simple formula really: if the cost to protect against a vulnerability is greater than the estimated loss due to it being exploited, then it’s beneficial to just accept the risk; otherwise try to mitigate, avoid, or transfer it. If you survey the multitude of products and solutions on the market that address data-level security, or if you have had first-hand experience owning them after implementation, you know there are always hidden and unanticipated costs which rarely get factored back into the equation. Some of these costs include licensing of supporting hardware, licensing of virtualized infrastructure, getting the solution properly monitored, reported on, and tuned for your SLAs, and simply training and investing in human capital who understand and can operate the solution; the list goes on. Moreover, you might not be surprised to learn that in many cases, though the time and money is spent on implementing security solutions, the true risks are never fully addressed.


The goal of the Enterprise Vault-less Tokenization (EVT) Service is to relieve you of those data security burdens and empower you to invest your resources in becoming the best innovative and productive business you can be. As an extension to that purpose, by leveraging the EVT Service you can get all the things you want to build and support, such as high availability, a consistent performance experience, data-level security auditing, and leading practices in security management, all without any of the headaches and surprise costs. All our services are subscription based, so if you decide you don’t like it or it doesn’t add enough value, you’re not locked in; we will even help you migrate off. You have very little to lose by using our EVT service but a lot more if you choose not to.

Feature Overview

Vaultless Tokenization

Data is never stored on our systems. All operations such as tokenization, de-tokenization, encryption, and masking are performed in real time, and the data only exists in memory for an instant.

High Service Availability

Services are hosted on multiple redundant instances in data centers around the globe to safeguard against downtime and deliver 99.99% availability.

Performance at any Scale

Elastic scalable infrastructure is used to scale up automatically to handle the times when your transactions do the same so that a consistent sub-second user experience is offered.

Lower Cost of Ownership

Our subscription-based model allows you to enjoy enterprise-grade technology at a predictable and justifiable rate. Plus there is no lock-in; you’re free to discontinue service.

Self Service Configuration Portal

Our self-service portal allows you to create and manage your token definitions, security policies, and other configurations in real-time from anywhere. 

Usage Auditing and Reporting

We log each request for data and every activity in the configuration portal.  Your service usage and security audit reports are available through the portal.

Multi Factor Authentication

The Configuration Portal is protected with 2 factor authentication to ensure only you have access to your token configurations.

Optimized Code

The tokenization engine is continually improved through multiple rounds of optimization to ensure low latency and fast response time. This is all time and effort that would normally be spent by your in-house teams.

Universal Compatibility

Our web services are available to any internet-enabled device and communicate over standard secure HTTP protocols, so it makes no difference what OS or programming language you’re using. Current interfaces include SOAP, REST, and plain POST.

Test Drive EVT Today

Fill out our quick contact form and ask to get registered for access to our demo site. Our demo site is a fully featured services offering platform. While this environment is not held to the same strict performance and availability standards as production, you may use this environment to test drive the services before buying.


We built our own payment service where we could manage different PSPs (Payment Service Providers) on the backend.  This allowed us to be completely agnostic to what PSP would be used to acquire a credit card transaction and avoid any relationships with similar products such as stripe.com.  Still we wanted to provide a wallet type of experience for our customers.  Each PSP provided credit card tokenization and a wallet functionality but we didn’t want to be locked into any of those relationships.  This is where NXT-Security’s Vaultless Tokenization really shined for us.  We were able to use it to protect our customer’s credit card transactions and made PCI compliance a breeze.  Using Tokenization from NXT-Security completely removed the persistence attack surface from our infrastructure since no real credit card data is stored; only tokens.  We still have the scope of Processing and Transmission but we found those areas very easy to monitor, audit, mitigate risk, and pass PCI certifications.  API integration was simple and the speed and capacity is outstanding.  Performance and load tests before and after implementing the Tokenization service showed virtually no increase in latency.  I would completely recommend using NXT-Security.

In my opinion this is the only real cost effective solution out there for any environment that has legacy equipment and software. By implementing a vaultless tokenization solution, it is not necessary to modify the applications because a company will not have to have a database of encrypted credit cards. A company simply has to deploy the vaultless tokens and compliance with the PCI compliance requirements follows for considerably less cost to the business.

Take a Quick Tour

The Admin Portal is your secure self-service management console for your service subscriptions. All activity is safely logged and auditable. You may create users, assign role-based access controls, configure your service settings, view reports, manage invoices, and get help and support, all from anywhere in the world.

Creating and managing your token definitions is performed through simple settings which adjust and dictate how the tokenization algorithm will behave. You may choose to create reversible tokens, irreversible tokens, or tokens only reversible in a specific time frame. You will define the token type, which will give you type-specific options such as preserving case or spacing, forcing a Luhn check to fail or pass, or configuring date ranges for dates. In this portal you will also define the layout of your token. For instance, a value of “T*” will tokenize every element in a value requested to be tokenized. Alternatively, a value of “CCCCT*CCCC” would preserve the first four and last four characters in the resulting token and substitute only those characters in between. The service also supports the concept of Masking for each token definition. Similar to the Layout parameter, you may assign a masked layout that (if you allow getting a masked version of the token) can optionally supply more, but not all, information of the real value.
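How a layout string such as “CCCCT*CCCC” and a forced Luhn result can fit together, as an added example that is not NXT-Security's code. It assumes `C` keeps a character, `T` substitutes it, and `*` stretches the preceding symbol to fit the value; the function names, the demo key and the HMAC-derived digits are hypothetical stand-ins for the service's algorithm and produce an irreversible token.

```python
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key"  # constructed value, not a real key


def expand_layout(layout: str, length: int) -> str:
    """Assumed semantics: C keeps a character, T substitutes it, and one
    '*' repeats the symbol before it until the layout fits the value."""
    if set(layout) - set("CT*") or layout.count("*") > 1 or layout[:1] == "*":
        raise ValueError("bad layout")
    if "*" not in layout:
        if len(layout) != length:
            raise ValueError("fixed layout does not match value length")
        return layout
    head, tail = layout.split("*")
    fill = length - len(head) - len(tail)
    if fill < 0:
        raise ValueError("value shorter than the layout's fixed part")
    return head + head[-1] * fill + tail


def luhn_ok(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def tokenize(value: str, layout: str, luhn_pass=None) -> str:
    """Same-length digit token; luhn_pass True/False forces the Luhn result."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError("this sketch handles digit-only values")
    plan = expand_layout(layout, len(value))
    # Hypothetical stand-in: keyed digest bytes reduced to digits (one-way).
    stream = hmac.new(DEMO_KEY, value.encode(), hashlib.sha256).digest()
    out = [ch if sym == "C" else str(stream[i % len(stream)] % 10)
           for i, (ch, sym) in enumerate(zip(value, plan))]
    if luhn_pass is not None and "T" in plan:
        pos = plan.rindex("T")  # only a substituted digit is ever adjusted
        start = int(out[pos])
        for step in range(10):  # exactly one digit per position passes Luhn
            out[pos] = str((start + step) % 10)
            if luhn_ok("".join(out)) == luhn_pass:
                break
    return "".join(out)
```

Forcing the Luhn check to fail lets downstream systems tell a token from a real card number by validation alone, while the preserved first and last four digits keep the token usable for display and routing.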

Creating the security policy is easy as well. While the interface is simple, the security policy allows for as much access control as is needed. You’re able to restrict clients by IP address and configure session timeouts. For any API call, a client must first create a temporary session in which subsequent operations can be invoked. So you can be as restrictive as 5 seconds to as tolerant as 1 hour. The shorter the life of your policy sessions, the safer you are from replay attacks.

Creating your access control list is quick and painless. Simply assign the tokens and actions to the security policy.

After all is configured how you think it should be, you may test your settings with the built-in Test Console. There is no magic here, just a simple GUI that takes your parameters and issues a SOAP web service call. If a value is not tokenized correctly, or you feel something needs to be changed, you can go make the changes immediately and retest until you have it just right.

Having tested your configurations, you’re ready to hook EVT into your existing application(s) or process(es). We have pre-built packages for mainstream languages to give you a boost implementing. When using languages like .Net or Java it will simply be a library drop and adding a callout in your code. Using another language? Fear not, we’ll be there to help. Creating a webservice client is not a difficult task.

A proxy definition is unique to the EVT service. Leveraging this feature allows you to transmit a structured payload containing a protected value to the EVT proxy service; the proxy engine can perform an operation on that value in transit and outside the scope of your network, then transmit the resulting value and payload on to your configured destination. This feature is useful in those instances where the business process requires that the real value be received by external vendors such as payment processors.

Join the Next Evolution of Security

With our subscription based model and friction-less implementation, making significant security improvements is cheap and easy.  We pride ourselves on clear and transparent pricing calculations.  Your subscription cost will vary by industry, type of data, and service usage.  Let us know of your interest today and we can provide you with sample cost and implementation plans.  We know you will be surprised to learn just how easy and cost-effective it is to begin using our services and take giant leaps forward in your defensible posture.


Contact us to learn more.