AWS Partner Network (APN) Blog

How Thales Enables PCI-DSS Compliance with a Tokenization Solution on AWS

By: Sanyam Bassi, Principal Solutions Architect – Thales
By: Nizar Kheir, Senior Solutions Architect – AWS


Data privacy regulations are tightening globally, requiring organizations to enhance their security posture for sensitive data processing and storage in the cloud. This is particularly acute for Banking, Financial Services, and Insurance (BFSI) customers as they continue to migrate their critical workloads to AWS, and where compliance with stringent standards like the Payment Card Industry Data Security Standard (PCI-DSS) is mandatory.

Among the security controls available, tokenization is a security technique that replaces sensitive payment information, such as cardholder data (CHD), with cryptographically generated, non-sensitive identifiers called tokens. Each token is mathematically unrelated to the original data but preserves its format, making it both secure and usable. This approach reduces the amount of sensitive data within an organization’s systems, thereby decreasing the number of systems in scope for the PCI-DSS audit and saving on costs associated with compliance.

Organizations implementing tokenization face architectural decisions that shape their security posture and operational efficiency. They view tokenization not in isolation, but as an integral part of their security and compliance framework. This perspective creates a balance between data protection and business agility—addressing how sensitive data flows through systems while maintaining operational continuity.

Modern tokenization architectures offer two distinct approaches to meet business needs. Centralized token vaults provide unified control and simplified token management across the organization, while distributed, vaultless solutions offer advantages through real-time token generation without database dependencies. The choice depends on data sovereignty requirements, performance metrics, and existing security infrastructure. As threats emerge and regulations evolve, organizations need security solutions and technologies that can be implemented and configured to meet these changing requirements.

Thales provides both vaulted and vaultless tokenization solutions that help organizations meet PCI-DSS compliance requirements. These solutions enable businesses to implement robust data protection mechanisms while maintaining the agility and scalability benefits of the AWS cloud.

In this post, we’ll explore how Thales’ newest CipherTrust tokenization solution, CipherTrust RESTful Data Protection (CRDP), deployed on AWS, helps organizations meet PCI-DSS compliance requirements while protecting sensitive payment data. The platform replaces sensitive data with format-preserving tokens and, as a cloud-native solution built on AWS, integrates natively within a customer’s AWS environment.

Tokenization is a key component of the Thales CipherTrust Data Security platform (CDSP), which helps businesses protect their data across multiple environments and applications while addressing various security requirements.

Thales CipherTrust Data Security Platform (CDSP)

Thales CDSP helps users manage their sensitive data through three key functions: discovery, protection, and control. This streamlines security administration and simplifies compliance reporting.

Figure 1: Thales CipherTrust Data Security Platform

The key advantages of Thales CDSP are:

  • Centralized key management and control – Manage all cryptographic keys across multiple environments from a single platform, ensuring consistent policies and practices, and reducing the complexity of managing encryption keys by centralizing the process, making it easier to deploy and maintain.
  • Compliance and audit readiness – Ensure adherence to regulatory requirements such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and PCI-DSS by securely managing and protecting sensitive data. This includes maintaining detailed logs and reports for all key management activities, simplifying audit processes and demonstrating compliance.
  • Scalability and flexibility – Manage keys across cloud and on-premises environments, enabling seamless data protection wherever data resides, while also extending functionality as needed with modules for tokenization, encryption, and access control.
  • Data security and availability – Protection for data at rest, in transit, and in use through tokenization, encryption, data generalization, data masking, redaction, fine-grained access controls, and high availability features ensuring continuous service even in the event of a hardware failure.
  • Integration with existing systems – Integrate with existing applications and workflows through APIs, enabling seamless adoption without disrupting business operations.

Thales CDSP Tokenization Workflow on AWS

Thales CDSP offers both vaulted and vaultless tokenization methods with two fundamental operations: tokenization (converting sensitive data to tokens) and detokenization (restoring the original data when authorized).

In the tokenization process, users interact with a web application to submit sensitive data in plaintext. This data is then securely tokenized using Thales’ CipherTrust technology, replacing the original sensitive data with a non-sensitive equivalent before storing the data in a database.

In the detokenization process, the application fetches the tokenized data from the database and detokenizes it based on predefined access control policies that correspond to the user. This process ensures that sensitive information is exposed to users based upon their permissions, maintaining data security throughout its lifecycle.

Thales CDSP on Amazon EKS

Thales CDSP leverages a RESTful API to protect sensitive data through diverse cryptographic operations and data protection methods. The solution is deployed within an AWS region using an Amazon Virtual Private Cloud (Amazon VPC), and leverages AWS services to provide a scalable, secure, and compliant environment for handling sensitive data, while Thales’ CipherTrust technology ensures tokenization and key management capabilities.

At its core, it utilizes an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that orchestrates three primary components:

  • A WebApp deployment providing the user interface
  • A CipherTrust RESTful Data Protection (CRDP) pod managing tokenization operations
  • A MySQL deployment handling secure data storage

Figure 2: Thales CDSP Data Tokenization Process

As shown in Figure 2, the data tokenization workflow begins with user requests being distributed through an AWS Application Load Balancer (ALB) to WebApp pods. This architecture enables horizontal scaling across multiple AWS Availability Zones within the same region, ensuring both high availability and fault tolerance. When tokenization is required, the WebApp pod forwards the plaintext data to the CRDP pod. The CRDP pod then interacts with the Thales Virtual CipherTrust Manager, which is hosted on a separate Amazon Elastic Compute Cloud (Amazon EC2) instance located either in the same or in a separate VPC. The virtual CipherTrust Manager provides the necessary keys and protection policies for the tokenization process. It acts as the central management point for CDSP. It manages key lifecycle tasks including generation, rotation, destruction, import and export, provides role-based access control to keys and policies, and supports auditing and reporting.

The CRDP pod tokenizes the data according to protection policies managed in CipherTrust Manager, then sends the tokenized data back to the WebApp, which finally stores it in the MySQL database.

Figure 3: Thales CDSP Data Detokenization Process

Figure 3 illustrates the data detokenization process. When detokenization is needed, the WebApp retrieves tokenized data from the MySQL database and sends it to the CRDP pod. The CRDP pod then consults Thales CipherTrust Manager for the policies corresponding to the user and performs detokenization based on the user’s access rights.
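To make the tokenization and detokenization workflow described above (and in the earlier workflow overview) concrete, here is an added example that is not Thales code and does not use the CRDP API: a minimal vaulted, format-preserving tokenizer whose detokenize step is gated by a per-user-role reveal policy. The policy names, roles and the "keep the last four digits" token shape are constructed assumptions for illustration.

```python
import secrets

# Constructed reveal policies keyed by caller role (an assumption, not Thales'
# policy syntax): "plain" returns the full PAN, "masked" shows only the last
# four digits, and any role without an entry is denied.
REVEAL_POLICY = {"fraud-analyst": "plain", "support-agent": "masked"}


class VaultedTokenizer:
    """Vaulted tokenizer: the token is random digits of the same length as the
    PAN with the last four digits kept, so it preserves format but carries no
    information about the original value. Only the vault is PCI-DSS in scope."""

    def __init__(self) -> None:
        self._vault = {}    # token -> PAN (the sensitive store)
        self._reverse = {}  # PAN -> token, so a repeated PAN yields one token

    def tokenize(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._reverse:
            return self._reverse[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject the (unlikely) collision with an existing token or the PAN itself.
            if token not in self._vault and token != pan:
                break
        self._vault[token] = pan
        self._reverse[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Reveal according to the caller's policy, never by default."""
        pan = self._vault.get(token)
        if pan is None:
            raise KeyError("unknown token")
        mode = REVEAL_POLICY.get(role)
        if mode == "plain":
            return pan
        if mode == "masked":
            return "*" * (len(pan) - 4) + pan[-4:]
        raise PermissionError(f"role {role!r} is not allowed to detokenize")
```

The same token is returned to callers of every role; only the reveal step differs, which is what keeps the WebApp and database out of the sensitive path.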

Thales CDSP Customer Highlights

Thales’ CipherTrust Data Security Platform has enabled global enterprises to achieve significant benefits. For instance, a financial services organization rapidly discovered and protected over 50% of their data while centralizing 100% of their key management, which reduced the impact of a breach. A telecom provider consolidated cryptographic key management across on-premises and the cloud. Another financial firm used CipherTrust for protecting assets while simplifying compliance and policy management.

These customer highlights showcase the CipherTrust platform’s broad applicability and tangible benefits across industries. The CipherTrust platform’s data discovery, classification, protection, and centralized key management capabilities have helped enterprises enhance security and drive operational efficiencies.

Conclusion

As organizations across various industries, such as financial services, healthcare, and telecom, migrate workloads to the cloud, they need effective data protection solutions to meet compliance requirements. Thales’ tokenization solutions on AWS help businesses use cloud computing while maintaining data security and compliance. Organizations using Thales’ tokenization on AWS can protect sensitive data including credit card numbers, social security numbers, and other personally identifiable information. The solution helps meet PCI-DSS requirements while securing data from potential threats.

The integration of Thales CipherTrust with AWS services, including Amazon EKS and EC2, enables customers to build secure and compliant environments for handling sensitive data using AWS cloud-native technologies.

We invite organizations to explore how Thales’ tokenization solution on AWS can address their data protection and compliance needs. For more information on implementing Thales’ tokenization solution on AWS and to learn how it can benefit your organization, please contact your AWS representative or consult Thales products on AWS Marketplace.

References

Start a free trial. CipherTrust RESTful Data Protection FREE 90-Day Trial (thalesgroup.com)

Get hands-on practice through a self-paced workshop. Thales CipherTrust Data Security Platform (CDSP) Introduction

Thales – AWS Partner Spotlight

An APN Advanced Technology partner, Thales offers comprehensive solutions that enable businesses to maximize the value of their AWS deployments while maintaining the highest standards of data security and compliance. This partnership exemplifies how AWS collaborates with industry leaders to provide customers with cutting-edge solutions that address their most pressing security and regulatory challenges.
