KEK

Key Encryption Key

Key Encryption Key: wraps a DEK; held in your KMS for BYOK

A Key Encryption Key (KEK) wraps Data Encryption Keys (DEKs) in hierarchical key management. The KEK rarely encrypts customer records directly; it protects the DEKs that do. When you rotate a KEK, you re-wrap the DEKs rather than re-encrypting entire databases, which is a faster and safer operation because the data ciphertext is never touched.

In bring-your-own-key (BYOK) deployments, the KEK lives in the merchant’s cloud KMS. The tokenization provider stores wrapped DEKs and cannot decrypt tenant data without calling the merchant’s KMS wrap/unwrap APIs, subject to IAM policies the merchant controls.

KEK policies are governance tools: freeze keys to block access during incidents, require dual control for unwrap, and audit every cryptographic operation. They do not replace application security, but they give legal and compliance teams kill switches that traditional SaaS-managed keys lack.

Veliro’s BYOK integration uses customer-managed KEKs to wrap tenant DEKs. Operational tokens and scheme connectivity still run on provider infrastructure, but data-at-rest decryption requires the merchant’s KMS participation, aligning with enterprise key custody requirements.

Run a tabletop exercise that revokes KMS unwrap for a test tenant before production BYOK go-live; teams should know the exact blast radius and recovery steps before a real incident.
