Overview
Store, tokenize, and process card data without touching it. You will significantly reduce your security risk and PCI compliance scope by vaulting your customer card data with Card Vault, a PCI Level 1 compliant card storage and protection solution. Your customers use our hosted forms to enter their card data, and your application receives a token. Your application then sends the token, together with your existing payment gateway information, to Card Vault, which processes the card on your application's behalf. Never worry again about storing and processing card data securely.
All of Enigma Vault's services, including Card Vault, are PCI Level 1 compliant. AOC is available on request.
Highlights
- Minimize your security risk
- Reduce your PCI scope
- Simplify card data security
Pricing
| Dimension | Description | Cost/month | Overage cost |
|---|---|---|---|
| Lite | 1,000 requests per month | $0.00 | |
| Plus | 20,000 requests per month | $49.99 | |
| Premium | 250,000 requests per month | $249.99 | |
Vendor refund policy
Please contact support
Delivery details
Software as a Service (SaaS)
SaaS delivers cloud-based software applications directly to customers over the internet. You can access these applications through a subscription model. You will pay recurring monthly usage fees through your AWS bill, while AWS handles deployment and infrastructure management, ensuring scalability, reliability, and seamless integration with other AWS services.
Support
Vendor support
Email support: support@enigmavault.io
Customer reviews
Secure data handling has transformed how our team protects PII and simplifies compliance
What is our primary use case?
I have been using Enigma Vault for two years.
We use Enigma Vault for securely handling sensitive data in our application. Whenever we need to store the data of candidates and enterprises, mostly for the enterprises side, we store it in Enigma Vault. The main use case is to tokenize and encrypt sensitive data, such as the card details of enterprise users, so that the application never stores or processes raw data, ensuring security and compliance.
For a specific example, whenever an enterprise user gets added to the application and wants to add 100 or more candidates, they have to pay some minimum amount. For payments, the user will add card details on the front end, but the back end will not store it directly. Instead, it will store it to Enigma Vault. Enigma Vault will perform the encryption of the card data and store it there, then return a token. My database only stores the token, not the actual card number. This approach is especially useful in microservices architecture where multiple services can safely use tokens instead of sharing sensitive data.
My system never stores the raw card data, but even if my database is hacked, it will only contain the token. An attacker will only get the useless token. We have reduced our PCI DSS scope significantly.
What is most valuable?
The best feature Enigma Vault offers is tokenization. It is one of the best features that it provides. Whenever we give any data to it, it has the capability to tokenize combined with strong encryption, which allows our application to operate without even storing the sensitive data. The second valuable feature is data isolation. The actual data is stored only inside the vault and not inside our databases, which is very beneficial because there can be different attacks that an attacker can do to get the data from the database. If database data is accessed by the attacker, it can be very harmful for us. The third feature is the built-in compliance. It helps us achieve PCI DSS, SOC 2, even without building complex security systems. The main thing is that it fundamentally changes the architecture from storing and protecting data to never storing sensitive data at all, which is a much more secure approach.
Tokenization is the feature I rely on the most during my day-to-day work because I don't need to store sensitive data, such as card numbers and PII numbers. Instead, I just need to store the random token, which is great for our application because tokens have no exploitable value. Even if the database is leaked, the data is safe.
This feature fundamentally changes the architecture from storing and protecting data to never storing sensitive data, which is excellent. Another valuable capability is the ability to search and operate on encrypted data. If data is encrypted, you normally cannot search it, but Enigma Vault allows searching such as name, email, and phone without exposing the raw data.
Enigma Vault has impacted my organization positively because right now we don't need to store the actual PII and credit card details of the enterprise users. The impact has been significant in terms of security, compliance, and development efficiency because we stopped storing sensitive card data and PII. We work in a European region where there are GDPR compliance requirements. The data of the enterprise users should not be shared with anyone and should be protected very carefully. Even in the case of a breach, only a token should be exposed. Reducing risk drastically is one of the major benefits. The second benefit is easier compliance. PCI DSS scope was reduced and audit effort is lessened. In our application, we have auditing logs, so every time there is a movement of anything, we need to audit that because we need to maintain all the history of the events that have happened. Auditing is reduced in this case because of the features that Enigma Vault provides. It saves time and has lower compliance costs. The third benefit is faster development. We don't need to build the encryption logic ourselves because it is already provided by Enigma Vault. We only need to focus on the business feature rather than security implementation.
After using Enigma Vault, our security metrics have improved drastically. The exposure of sensitive data has reduced by 90 to 95 percent at the application level. The number of systems handling raw PII is reduced from multiple to zero. We don't need to store anything in our database. There are also improved compliance metrics. PCI audit scope reduced by 60 to 70 percent, and audit preparation time reduced from weeks to a few days. We have reduced sensitive data exposure almost completely, cut compliance effort by over 60 percent, and improved development speed by around 30 to 40 percent.
What needs improvement?
There are some improvements that can happen. Enigma Vault is strong in security and compliance, but there are a few areas that can be improved. Better observability and monitoring would be helpful. There is limited deep insight into tokenization failure and API latency breakdown. It can be improved by detailed dashboards, logs, and alerts, which can help in faster debugging and production monitoring. Another area is lower latency for high-scale systems. Every request goes through the vault APIs, which adds latency. In our application we have 1 million users at the candidate side and around 100,000 at the enterprise side. We have latency issues which we need to consider. Lower latencies for higher scale systems would be beneficial. Improvements could be made through edge-caching for the token. AWS provides these kinds of services such as CloudFront, so we can use these to store the tokens in the caches. There could also be regional vault deployment, similar to what AWS does.
The APIs are good, but the development SDK support can be expanded a little because better documentation and examples would be helpful, especially for newer clients who are getting onboarded.
Developer experience can be improved, and observability is another area. As a developer, I will get the APIs and everything which is provided by Enigma Vault, but the documentation that they have is a little too overwhelming for a newer developer. They are not able to understand it easily. Documentation is one thing that can be improved if a developer wants to start working on it.
What do I think about the stability of the solution?
I don't think there is much downtime or any reliability issues. Enigma Vault maintains 90 to 95 percent availability and is working fine for our application.
What do I think about the scalability of the solution?
Scalability-wise, Enigma Vault is very scalable. Because it is a pay-as-you-go structure, the more tokenization we need to generate, the more price we need to pay. It is an API-first SaaS platform that can handle increasing data volume and request load.
How are customer service and support?
Up until now we haven't needed customer service from a code perspective. We haven't used customer support because the APIs and tokenization are working quite well. The support was not needed so far.
Which solution did I use previously and why did I switch?
I did not use any different solution previously.
How was the initial setup?
The setup was pretty simple. The pricing is subscription-based because it is a SaaS model. It depends upon the usage that we have. Every time we make an API call and the tokens that are being created, that is the setup structure. Initially, the setup cost is very low because it is a pay-as-you-go structure. Initially, you don't need to pay a big sum. The licensing is tier-based licensing, such as basic, limited, and enterprise. We use the enterprise high-volume pro add-on feature, which has SLA guarantees, dedicated support, and compliance features.
What was our ROI?
Development cost has been reduced because we don't need to build our own encryption model. PII data that we need to store for European clients are very specific about GDPR compliance because if the data gets leaked, it is very hard for us to move that application into further stages. Encryption systems must be very good because the data cannot be accessed by attackers. We needed to protect our data significantly. For that, Enigma Vault has reduced the development cost. Approximately 30 percent of development cost can be reduced because we don't need to think about encryption designing. Compliance cost is also reduced.
What's my experience with pricing, setup cost, and licensing?
There is no big initial setup cost as it is a subscription-based SaaS model.
Which other solutions did I evaluate?
Previously, we did not use any other options, but I think HashiCorp Vault was the one that our team discussed before using Enigma Vault.
What other advice do I have?
There are pros as well as cons, but the pros are highlighted more prominently. The strengths are top-level security, tokenization, and encryption. Enigma Vault has strong PCI DSS and SOC 2 compliance support. It has an API-first design, which is very beneficial for developers to understand and easy to integrate. It reduces the data risk almost completely. I would not give a perfect score because there are latency issues that have occurred previously and a dependency on external vault availability. A regional vault is not provided, so that can be an issue.
If your product or application is in a country where PII information is very protected and the attacking is very brutal, for example, European clients have a structure where you cannot share the PII information with anyone. If that PII information gets shared by mistake, your application will be turned down by the government instantly, and you will not know what happened because their laws are very harsh in this situation. You need to protect your application from attackers. You need to store the data in some different place. Otherwise, it will cause so many issues at different levels that you will not know before the application is just turned off by the government. For that kind of situation, Enigma Vault is a great use. It has great usage and you can directly include it in your application to store the PII information. I would rate this product a 9 out of 10.
Customizable payment forms support complex transaction scenarios and impress with quick response times
What is our primary use case?
I use the solution to collect card data and forward it to a third-party payment processor.
How has it helped my organization?
The solution allowed us to implement a complex payment scenario.
What is most valuable?
The payment form can be customized in many ways.
What needs improvement?
I have nothing to say about areas for improvement.
For how long have I used the solution?
I have used the solution for one month.
Which solution did I use previously and why did I switch?
I did not use any previous solutions.
What's my experience with pricing, setup cost, and licensing?
The free tier allowed us to deeply test our integration.
Which other solutions did I evaluate?
I considered PCIVault. However, they do not offer a free trial or a free tier.
What other advice do I have?
Their support is great. They added my home language, Italian, in one hour and answered my questions almost immediately, even though I did not have a paid account.
Ultra good support and excellent product
Support is incredible. They added our domestic card option and languages in less than 24h - ultra good.
They are open to all suggestions.
Also, this is by far the best option for card tokenization we found. API is simplistic and easy to understand. There are no surprises regarding PCI-DSS de-scoping and you really end up with having responsibility for things you really use and need.
