Question
Design a tokenized-payment vault that replaces raw card numbers (PANs) with tokens so the rest of the platform never touches cardholder data and the PCI-DSS scope is minimized. Scale: 200M stored cards, 40K tokenization/detokenization ops/s, used by checkout, recurring billing, and fraud systems. Threat model: a breach of any non-vault service, an insider in the vault team, and the need to support network tokens and re-tokenization on key rotation. Constraints: detokenization must be authorized per-purpose, fully audited, and the vault is the only system in PCI scope. Cover the token scheme, storage/encryption, access control, and scope minimization.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.