An Experimental Comparison of Enclave TokenVaults and HSMs for Real-Time Card Tokenization
Card tokenization in payment gateways is usually anchored on hardware security modules (HSMs) that store keys and execute sensitive cryptographic operations under PCI controls. This model is mature but difficult to scale elastically and not well aligned with cloud-native architectures that rely on horizontal growth on commodity servers. Trusted execution environments (TEEs), such as Intel SGX or confidential virtual machines, keep tokenization code and key material inside isolated enclaves while the surrounding gateway stack remains untrusted. This paper designs an enclave-based token vault that sits in the real-time card authorization path, constructs a matching HSM-backed baseline that shares the same key hierarchy, token format, and storage layout, and compares them under trace-driven workloads from a public anonymised credit card dataset. The core novelty is a head-to-head experimental comparison of HSM-backed and enclave-backed token vaults under a shared workflow and replayed transaction trace, which isolates the effect of the isolation boundary itself. We record end-to-end authorization latency, sustained throughput, and CPU utilisation for both designs, and study sensitivity to HSM round-trip delay and operation mix. In our testbed configuration, the enclave-backed vault delivers roughly 45% higher maximum stable throughput than the HSM-backed baseline while keeping 99th percentile latency within online authorization budgets, at the cost of higher CPU utilisation on gateway hosts. The comparison highlights where enclave token vaults can approach or surpass HSM-based deployments and where certified HSMs still offer stronger assurances or operational advantages, providing guidance for hybrid designs in PCI-sensitive payment environments.
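The experimental design above rests on one idea: keep the key hierarchy, token format and vault storage identical, and vary only where the crypto executes. The following added sketch (not the paper's own code or testbed) models that separation in Python with stdlib only: an HMAC-based toy cipher stands in for AES-GCM, the token is a truncated HMAC of the PAN, the "HSM" provider is the same class with a simulated round-trip delay, and `replay` drives a constructed trace and reports p99 latency.

```python
import hashlib, hmac, secrets, time

# Constructed placeholder KEK; in a real vault it never leaves the enclave or HSM.
MASTER_KEY = bytes.fromhex("11" * 32)

def derive(master: bytes, label: bytes) -> bytes:
    """Shared key hierarchy: per-purpose keys derived from one master key (HKDF-style)."""
    return hmac.new(master, b"tokenvault/" + label, hashlib.sha256).digest()

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher from HMAC-SHA256 (stand-in for AES-GCM); XOR makes it self-inverse."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

class CryptoProvider:
    """rtt_s=0 models in-process (enclave) crypto; rtt_s>0 models an HSM call paying a round trip."""
    def __init__(self, master: bytes, rtt_s: float = 0.0):
        self.enc_key = derive(master, b"pan-enc")
        self.mac_key = derive(master, b"token-mac")
        self.rtt_s = rtt_s
    def seal(self, nonce: bytes, data: bytes) -> bytes:
        time.sleep(self.rtt_s)  # simulated HSM round trip (no-op for the enclave case)
        return keystream_xor(self.enc_key, nonce, data)
    def token(self, pan: bytes) -> str:
        time.sleep(self.rtt_s)
        return hmac.new(self.mac_key, pan, hashlib.sha256).hexdigest()[:16]

class TokenVault:
    """Vault logic and storage layout are identical whichever provider runs the crypto."""
    def __init__(self, provider: CryptoProvider):
        self.p, self.store = provider, {}  # store: token -> (nonce, sealed PAN)
    def tokenize(self, pan: str) -> str:
        tok = self.p.token(pan.encode())
        if tok not in self.store:  # first sight of this PAN: seal it under a fresh nonce
            nonce = secrets.token_bytes(12)
            self.store[tok] = (nonce, self.p.seal(nonce, pan.encode()))
        return tok
    def detokenize(self, tok: str) -> str:
        nonce, sealed = self.store[tok]
        return self.p.seal(nonce, sealed).decode()

def replay(vault: TokenVault, trace: list) -> dict:
    """Replay (op, arg) records; return op count and 99th percentile latency in ms."""
    lat = []
    for op, arg in trace:
        t0 = time.perf_counter()
        vault.tokenize(arg) if op == "tokenize" else vault.detokenize(arg)
        lat.append((time.perf_counter() - t0) * 1e3)
    lat.sort()
    return {"ops": len(lat), "p99_ms": lat[min(len(lat) - 1, int(0.99 * len(lat)))]}
```

Feeding the same trace to `TokenVault(CryptoProvider(MASTER_KEY))` and to `TokenVault(CryptoProvider(MASTER_KEY, rtt_s=0.002))` yields identical tokens and stores, so any latency difference comes from the isolation boundary alone.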