How it works


Tokenize columns in production databases and in copies of databases before they are shared with third-party developers and big data environments.

Dynamic Data Masking

Administrators can establish policies that determine the dynamic masking approach: return an entire field tokenized, or dynamically mask only parts of a field. For example, security teams can establish policies so that users with customer service representative credentials receive credit card numbers with only the last four digits visible, while customer service supervisors can access the full credit card number.

Easy Implementation

IBM Guardium for Tokenization's format-preserving tokenization capabilities allow organizations to restrict access to sensitive assets without changing the existing database schema. A REST API implementation makes it fast, simple, and efficient for application developers to institute sophisticated tokenization capabilities.


IBM Guardium for Tokenization helps organizations comply with security policies and regulatory mandates like PCI DSS, Sarbanes-Oxley, HIPAA, the GDPR, and more.

How customers use it

  • How to handle sensitive data?



    Your business requires that you store sensitive data, but you want to protect it by making it usable only to your team and business applications.


    IBM Guardium for Tokenization allows records to be used without revealing everything. Sensitive data is stripped and replaced with non-usable data for cross-network transfers, minimizing exposure of credit card and account numbers while in transit.

  • My company processes a lot of credit card information



    You need to make sure the credit card information your company processes is only usable by your employees and within designated applications.


    IBM Guardium for Tokenization can tokenize credit card or other sensitive records no matter where they are stored or processed, including databases, files, applications or Teradata environments.

Technical details

Software requirements

Guardium for Tokenization requires a data security module (DSM) virtual appliance deployed on a VMware hypervisor (ESXi Server 5.5 or higher) and a Tokenization virtual appliance deployed on a VMware hypervisor (ESXi Server 5.5 or higher).

The DSM virtual appliance may require additional resources based on the number of agents that are being managed.

Applications or databases that need tokenized data must make REST API calls to the Tokenization virtual appliance (server) to receive tokenized objects. The following minimum requirements should be met:

  • DSM Number of CPU Cores: 2 (min) and 6 (recommended)
  • DSM RAM: 4-16 GB minimum
  • DSM Hard Disk space: 100-200 GB
  • Tokenization server CPU cores: 4
  • Tokenization server RAM: 16 GB (min) and 24 GB (recommended)
  • Tokenization server Hard Disk Space: 100 GB

Hardware requirements

See software requirements.