
How Vaultless Tokenization Works in Practice, to Transform Your Business

Written by Samuel Smalling | Jul 24, 2025

In last month’s blog post we explained how vaultless tokenization can transform PCI DSS 4.0 compliance from a regulatory burden into a business enabler. Not only does vaultless tokenization reduce the scope and cost of compliance, but it also preserves data utility to support monetization, customer engagement and fraud prevention efforts. Furthermore, vaultless tokenization delivers a secure foundation for building new payment products, enriched GenAI models, and new revenue channels.

Now it’s time to understand how to make these business goals a reality. This is how comforte’s vaultless tokenization operates across a hybrid environment within a payments network:

1- Ingestion and Entry
Cardholder data arrives over TLS (as PCI DSS 4.0 requires) from web/mobile front-ends (e.g. Apache, Nginx). It then travels via client backend APIs and is stored in various datastores.

2- On-Premises Tokenization & Storage
comforte’s vaultless SecurDPS cluster integrates directly into the client’s data pipelines. It then issues format-preserving tokens for primary account numbers (PANs) through transparent integration options such as SDKs (Java/.NET/C++), filesystem filters, REST APIs, Kafka connectors, and a Virtual File System—minimizing the number of required code changes and data touchpoints.
Operational & PII databases hold order logs and customer data. Although these are not directly subject to PCI DSS requirements, they would still need to be architected to meet specific compliance and security controls—like encryption at rest, network segmentation, and identity and access management (IAM). The client could consider deploying additional tokenization across these two database environments on a case-by-case basis to further reduce the risk of data exposure.

3- Controlled Detokenization for Gateways
Detokenization calls let the client send cleartext PANs to payment gateways (e.g. ACI Worldwide) while adhering to strict IAM and audit policies. Once the data has been received by the payment gateway, the gateway provider is responsible for protecting the PAN under PCI DSS 4.0.

4- Protection Cluster Components
The Protection Cluster is the main component of SecurDPS—a centrally managed, scalable, and fault-tolerant cluster of virtual appliances that performs the actual protection operations. It consists of:

  • The Management Console (MC) forms the heart of the Protection Cluster’s administration capabilities. It’s a hardened software node that securely houses all cluster configuration, encryption keys, and tokenization secrets. Upon startup, the MC injects this sensitive data into each Protection Node’s RAM (never to disk) so that no secrets remain if a node is powered off. This design enforces in-memory-only key handling, and all cluster operations—from policy updates to key rotations—flow through the MC under strict security controls.
  • Protection Nodes (PNs) are the in-memory, stateless workers at the heart of the SecurDPS Protection Cluster. They provide high-performance, format-preserving tokenization or encryption for enterprise applications via transparent integrations or the SecurDPS API. Any number of PNs can be deployed across servers, data centers, and cloud availability zones, and can even be co-located with applications for optimal performance and minimal latency. This can all be done without writing data to disk. If a PN fails, the cluster automatically fails over to the remaining nodes and self-heals by reinitializing the offline node, ensuring uninterrupted protection and true fault tolerance by design. SecurDPS’s Protection Cluster can be tightly integrated with a client’s existing enterprise IAM to centralize user management, enforce granular Role-Based Access Control (RBAC), and produce end-to-end audit trails; the latter record the actual user identity behind every tokenization or detokenization request.
  • The Audit Console (AC) is an independent, scalable component that can run standalone or as its own cluster. It centralizes all usage metrics and audit streams from the Protection Nodes and Management Console. It ingests real-time log data via Kafka (as a message broker), then processes and forwards it through Logstash into OpenSearch (for storage and analytics) to present dashboards through OpenSearch Dashboards. Meanwhile, Rsyslog on each node captures and redirects syslog messages into this pipeline. By integrating seamlessly with the client’s existing SIEM, the AC delivers detailed, user-level visibility—showing counts of protection and reveal operations, failed authentications, and sensitive-data access patterns. This empowers security teams to monitor system health, detect anomalies, and satisfy compliance reporting requirements.
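As an added illustration of the flow in sections 2 to 4 (not comforte’s code and not the SecurDPS algorithm), the Python below models a stateless, keyed, format-preserving transform for the middle digits of a PAN (an FF1-style Feistel sketch with HMAC rounds, not a vetted FPE mode), a constructed RBAC policy that gates reveal calls, and an in-process audit trail summarised per user the way the Audit Console would feed a SIEM. The key, policy, principal names and PANs are constructed test values.

```python
import hmac, hashlib
from collections import Counter

ROUNDS = 8                     # even, so the two halves finish in their original order
KEY = b"constructed-demo-key"  # constructed; a real node receives its key into RAM from the MC

def _round(tweak: bytes, i: int, half: str) -> int:
    """Keyed round function: HMAC over (tweak, round index, half), read as an integer."""
    digest = hmac.new(KEY, tweak + bytes([i]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big")

def _feistel(digits: str, tweak: bytes, encrypt: bool) -> str:
    """FF1-style Feistel over a digit string: reversible from the key alone, so no vault is needed."""
    u = len(digits) // 2
    a, b = digits[:u], digits[u:]
    for i in (range(ROUNDS) if encrypt else reversed(range(ROUNDS))):
        m = u if i % 2 == 0 else len(digits) - u  # width of the half rewritten in round i
        if encrypt:
            a, b = b, str((int(a) + _round(tweak, i, b)) % 10**m).zfill(m)
        else:
            a, b = str((int(b) - _round(tweak, i, a)) % 10**m).zfill(m), a
    return a + b

def _split(value: str):
    if not (value.isdigit() and 12 <= len(value) <= 19):
        raise ValueError("expected a 12-19 digit PAN or token")
    return value[:6], value[6:-4], value[-4:]
def tokenize(pan: str) -> str:
    """Format-preserving: same length, all digits, BIN and last four left in the clear."""
    head, mid, tail = _split(pan)
    return head + _feistel(mid, (head + tail).encode(), True) + tail
def detokenize(token: str) -> str:
    head, mid, tail = _split(token)
    return head + _feistel(mid, (head + tail).encode(), False) + tail

# Constructed RBAC policy and in-process audit trail; the real AC streams events via Kafka/Logstash/OpenSearch.
POLICY = {"checkout-api": {"protect"}, "gateway-connector": {"protect", "reveal"}, "bi-analyst": set()}
AUDIT = []

def request(op: str, value: str, user: str) -> str:
    """Every protect/reveal call is authorised against POLICY and logged with the caller's identity."""
    allowed = op in POLICY.get(user, set())
    AUDIT.append({"user": user, "op": op, "result": "ok" if allowed else "denied"})
    if not allowed:
        raise PermissionError(f"{user} is not permitted to {op}")
    return tokenize(value) if op == "protect" else detokenize(value)

def audit_summary() -> dict:
    """Counts per (user, op, result), the figures a SIEM dashboard would chart."""
    return dict(Counter((e["user"], e["op"], e["result"]) for e in AUDIT))
```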

5- Enterprise Analytics & ETL (On-Premises)
Enterprise on-premises applications such as SAP ECC, Power BI/Tableau, Salesforce, and Dynamics consume a blend of tokenized and cleartext data. By leveraging comforte’s tokenization and transparent integration capabilities, data protection and deprotection can occur in-flight across all flows—letting business applications run without friction while enforcing strong security where it’s needed most.

6- Cloud Landing & Consumption
Tokenized (and encrypted) cardholder data and PII enter client cloud data stores (e.g. blob/S3/data lakes) via ETL pipelines. Any cloud-side detokenization routes back to on-premises SecurDPS under the same centrally defined IAM/audit guardrails.
Downstream services could include Mailchimp for marketing, Looker/Tableau for BI, Sift/Riskified for anti-fraud, or Snowflake/Databricks/Vertex/SageMaker for AI/ML. These services work only on tokens or partially detokenized data; any access to a cleartext PAN must go through the SecurDPS cluster and its strict access controls.

7- Hybrid & Deployment Flexibility
The comforte approach to vaultless tokenization has been designed to work seamlessly across a wide range of enterprise environments. Specifically, it:

  • Supports SecurDPS clusters in both on-premises and cloud environments (Kubernetes, VMs, physical servers)—harmonizing tokens everywhere
  • Features 10+ connectors/integration options—including SDKs, VFS, interpose, CASB, file/stream filters, Kafka, MQ, proxy, etc.
  • Is deployable on-premises or via Kubernetes/Helm (hybrid or full-cloud) with minimal changes to application code or database schemas
  • Offers cloud-native support for deployment on EKS, GKE, and AKS managed Kubernetes services

Time to Transform

PCI DSS 4.0 compliance is often viewed by business leaders as a necessary evil. However, when done right, it can open the door to tremendous new business opportunities and revenue growth while simultaneously mitigating regulatory risk. The comforte approach to vaultless tokenization helps unlock the door to these opportunities, while offering a robust yet flexible architecture designed to work with a range of enterprise payment environments.