StrongKey tokenization and encryption protects sensitive application-level data.

Protecting Sensitive Information

Protecting the privacy of personal account numbers (PANs) and personally identifiable information (PII) is critical to complying with privacy standards such as GDPR, HIPAA, and PCI DSS. StrongKey Tellaro uses tokenization, encryption, cryptographic key management, and ANSI Derived Unique Key Per Transaction (DUKPT) to ensure sensitive information is handled securely and never stored in cleartext.

What is Tokenization?

Tokenization is the process of turning a valuable piece of data, such as a PAN or PII, into a random string of characters called a token that has no value if stolen. StrongKey Tellaro uses tokenization and encryption to generate tokens representing the real data that can be stored safely in a data repository, such as a database, without the risk of exposing private data to malicious insiders or outsiders. Sitting between the customer's application and database, StrongKey Tellaro encrypts and decrypts the data without storing any unencrypted data.

Application Level Encryption and Strong Authentication

Application Level Encryption and Strong Authentication (ALESA) combines StrongKey's capabilities in tokenization, encryption, cryptographic key management and FIDO strong authentication to protect data and ensure the highest level of authentication assurance. StrongKey provides an end-to-end approach to security where strong authentication is the first line of defense, and tokenization and encryption are the last lines of defense.

StrongKey Also Handles PKI Management

Our PKI Management software module provides secure key and certificate generation, storage, and management. Including an onboard root CA and HSM, our Tellaro-E appliance meets FIPS 140-2 Level 3 compliance standards. We allow financial providers to securely manage keys and digital certificates for TLS, digital signatures, authentication, machine identities, secrets vaults, and IoT devices.


PCI DSS Compliance

Accelerates compliance with the toughest PCI DSS requirements:
3.4–Render PAN unreadable
3.5–Protect cryptographic keys
3.6–Implement key management
4.1–Use strong cryptography
4.2–Never send unencrypted PANs

Industry Standard Support

Base Derivation Key (BDK)
Symmetric/Asymmetric Key ManagementANSI X9.24-1:2009 Derived Unique Key per Transaction (DUKPT)
End-to-end encryption for “card-present” transactions
Protect data and personal identification numbers (PINs)
Escrow RSA public keys for devices

Broad Integration

Supports integration with databases, payment gateways, POS credit card terminals

Hardware-based Cryptoprocessor

Standard FIPS 140-2 Level-2 TPM or optional FIPS 140-2 Level-3 HSM to provide the most secure environments for master keys.


Tellaro: FIDO strong authentication, Encryption, Tokenization, Pseudonymization, Digital Signatures, Key Management, Card Capture, Payments, IoT, PKI
StrongKey Tellaro is a comprehensive software suite that provides strong authentication, encryption, tokenization, PKI management, and digital signature management. Our open-source software includes a FIDO® Certified FIDO2 server, and we support flexible data center and cloud deployment models.


Physical Appliance

  • Encryption and Tokenization is a standard feature of the StrongKey Tellaro appliance
  • The Tellaro appliance does so much more than just encryption and tokenization—it's your one-stop shop for for strong authentication, key management, PKI, and several other disruptive defenses
  • Tellaro appliances protect cryptographic keys with either a TPM or HSM

StrongKey Hosted Solution

  • For the best of both worlds, use the Tellaro appliances but let us manage them for you
  • Stored in our secure data centers around the globe, you pay a simple all-inclusive subscription


  • Hardware-based Security
    StrongKey Tellaro supports the highest levels of authentication assurance based on NIST guidance; additionally, our appliance uses an onboard FIPS 140-2 Level 2 validated cryptographic hardware module in the form of a trusted platform module (TPM) as a standard feature—with the option to configure it with a hardware security module (HSM) for FIPS 140-2 Level 3 compliance—providing some of the highest protection available for key generation, use and storage
  • Cost-effective
    Our solutions are sold with no per-user or per-transaction fees; we also offer custom integration and professional services
  • Integration and Support
    We provide integration and support services for FIDO testing, development, and production; PKI device on-boarding and provisioning; PCI DSS compliance and system integration; and customized support services for enterprise and SMBs
  • Open Source
    StrongKey is committed to the open-source community. Our software is available for free download on GitHub and SourceForge via the GNU Lesser General Public v2.1 License; StrongKey provides full support, maintenance, and upgrades for purchased versions of our software
  • Experience
    StrongKey has been helping Fintech companies for more than 15 years; see our customer testimonies below


A magnetic stripe reader reads credit card data and encrypts it with the standard DUKPT algorithm.
The Encrypted DUKPT BLOB is transferred with end-to-end encryption from the Merchant Application to the Payment Gateway Application.
The Payment Gateway Application passes the encrypted DUKPT BLOB to StrongKey's 'tokenize' REST API endpoint.
StrongKey decrypts the DUKPT BLOB, reencrypts and tokenizes the PAN, and returns a JSON with a 16-digit token to the Payment Gateway Application.
The Payment Gateway Application stores the tokenized transaction in the database while the Tellaro does the “heavy lifting” with the cryptographic processing, storing cryptographic keys and encrypted card-holder data.
The Payment Gateway Application returns the tokenized transaction to the Merchant Application, which stores it in its database.