Tokenization vs. Encryption
Both tokenization and encryption have long been integral tools for securing sensitive data. While each has a place in protecting sensitive data stored in the enterprise and in transit over the Internet, there are clear differences in the degree of protection they provide and in how flexibly they can be implemented. Let's break down the differences and see where each technique fits best in an organization's security strategy. We'll focus primarily on payment data in these examples, but the same reasoning applies to any sensitive data, such as personally identifiable information (PII) or protected health information (PHI), all of which is valuable to attackers.
Encryption Alone Is Not a Complete Solution
Encryption replaces sensitive data with a mathematically derived value that, ideally, can only be read by an authorized entity, machine or human, holding the corresponding decryption key (the same key for a symmetric cipher such as AES, the private key for a public-key scheme). The lock icon in a browser's address bar indicates that data, such as a primary account number (PAN), is encrypted with TLS as it flows between the browser and the online store. This level of protection is now ubiquitous for financial web transactions and ensures that an attacker on the network path cannot read or tamper with the PAN and other information in transit.
However, once the PAN reaches the online store's web server it is decrypted and used by the retail software to charge the customer's account, setting off a series of interchanges among the merchant, payment processor, and card issuer. Often the merchant stores the card data to make it easy for customers to make another purchase, or to make recurring payments.
But how secure is the payment data when it is at rest in databases and business systems? How many business systems touch that card number during processing, and are they all secure? When a merchant's IT systems are breached, the database of customer PANs can be quickly siphoned off and sold for fraudulent use, even if it is encrypted. Encryption is reversible by design: anyone who holds the key, or who can get a system that holds the key to decrypt on their behalf, gets the original data back. Properly used modern ciphers are not broken by raw computing power; they are broken by key compromise, by weak or home-grown implementations, and by application access that never needed the plaintext in the first place. That is the basic weakness of encryption at rest: the data is only as safe as the keys and the systems that can use them. Encrypting data protects it in transit, but once at rest in business systems it remains a target for theft and decryption.
Another weak point in using only encryption to store sensitive data is that every person or business process that uses the data needs access to the keys to decrypt it whenever it is needed. This means the keys to the kingdom, so to speak, are present in multiple places and can be harvested right along with the data during a breach.
Tokenization Removes the Data That Can Be Stolen
Let's trace the same path using tokenization in addition to encryption. The first stage is the same, from browser to online store. But once the payment information is accepted to initiate the sales transaction, the data either remains encrypted or is immediately re-encrypted under different keys. With a tokenization solution integrated into the payment stream, the encrypted payment data is immediately sent to a secure data vault, where it is stored and swapped for a randomly generated token with no mathematical relationship to the PAN. The token is returned to the merchant for additional processing and storage. The real PAN is forwarded by the token provider to the payment processor of choice to be verified and charged, and the confirmation is returned to the merchant to complete the transaction. Adding tokenization to the payment stream has four distinct advantages over using only encryption.
- The PAN is never accepted by the merchant in an unencrypted state.
- No version of the PAN is stored or transmitted by the merchant, only the token that represents it.
- Tokens stolen during a breach are useless to an attacker: a randomly generated token carries no information about the PAN, so there is no key to recover and nothing to invert.
- The token-to-PAN mapping and the keys that protect it live only in the vault, not on merchant systems. The vault, and the credentials that allow detokenization, therefore become the assets to protect.
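The following is an added example, not TokenEx code, that runs both flows described above end to end: an encryption-only merchant that keeps ciphertext and key on the same systems, and a merchant that holds only tokens issued by a vault. The vault, merchant and attacker are hypothetical objects constructed here, the test PAN is a constructed value, and the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for AES-GCM so that the example needs only the standard library. It also shows two details practitioners usually want: a blind index so the same card gets the same token for recurring billing without the vault keeping a plaintext lookup, and a format-preserving token that keeps the last four digits for receipts.

```python
"""Toy end-to-end flow: encryption-only merchant vs. merchant using a token vault.
Illustrative stand-ins only (hypothetical classes, not TokenEx code)."""
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 check every real PAN satisfies; used here only to sanity-check input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class ToyAEAD:
    """Keyed authenticated encryption, a stand-in for AES-GCM (assumption: not for production)."""

    def __init__(self, key: bytes):
        self.enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:  # PRF in counter mode
            out += hmac.new(self.enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        return nonce + ct + tag

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class TokenVault:
    """Token provider's vault: the only place the token -> PAN mapping exists."""

    def __init__(self):
        self._aead = ToyAEAD(secrets.token_bytes(32))  # vault key never leaves the vault
        self._index_key = secrets.token_bytes(32)      # key for a blind index over the PAN
        self._by_token = {}                            # token -> encrypted PAN
        self._by_pan_index = {}                        # HMAC(PAN) -> token; no plaintext kept

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a PAN")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if idx in self._by_pan_index:  # same card, same token (recurring billing)
            return self._by_pan_index[idx]
        while True:
            # Format-preserving token: same length, last four kept for receipts,
            # everything else random and unrelated to the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = self._aead.encrypt(pan.encode())
        self._by_pan_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Used only on the vault's own path to the payment processor."""
        return self._aead.decrypt(self._by_token[token]).decode()


def breach_encryption_only(pan: str) -> bool:
    """Merchant keeps ciphertext and, for its business processes, the key on the same
    systems. Returns True if an attacker who dumps those systems recovers the PAN."""
    key = secrets.token_bytes(32)
    merchant_db = {"cust-1": ToyAEAD(key).encrypt(pan.encode())}
    stolen_db, stolen_key = dict(merchant_db), key  # both harvested in one breach
    return ToyAEAD(stolen_key).decrypt(stolen_db["cust-1"]).decode() == pan


def breach_tokenized(pan: str) -> bool:
    """Merchant keeps only the token. Returns True if the dump yields the PAN."""
    vault = TokenVault()
    merchant_db = {"cust-1": vault.tokenize(pan)}
    stolen = dict(merchant_db)  # attacker has everything the merchant has: a random index
    # No key and no ciphertext were taken; the mapping exists only inside the vault.
    return pan in str(stolen)


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    tok = vault.tokenize(test_pan)
    print("merchant stores:", tok, "| vault resolves to:", vault.detokenize(tok))
    print("encryption-only breach recovers PAN:", breach_encryption_only(test_pan))
    print("tokenized breach recovers PAN:", breach_tokenized(test_pan))
```

The two `breach_*` functions are the point of the example: the encryption-only merchant loses the PAN the moment its key is harvested alongside its database, while the tokenized merchant's dump contains a random value that resolves to nothing outside the vault. The blind index in `tokenize` is what lets the vault return a stable token per card without storing a searchable plaintext copy of the PAN.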
To understand why cloud data vaults are secure, read this article about TokenEx Secure Data Vaults.
Tokenization Makes PCI Compliance Easier and Less Expensive
Because encrypted data is recoverable by anyone with the key, the PCI Security Standards Council and other compliance bodies still treat encrypted PAN as cardholder data wherever the environment can decrypt it. Using encryption alone to protect PANs stored in business systems therefore does little to reduce the scope of compliance. Removing the payment data entirely and replacing it with tokens is what actually reduces scope, cost, and risk.
The TokenEx Cloud Security Platform is designed to tokenize and securely vault all types of sensitive data. TokenEx has flexible methods of intercepting and removing data at the farthest reaches of the organization. By removing payment data from an organization's business systems, most, if not all, of its IT systems fall outside the cardholder data environment, leaving a much smaller footprint to assess and greatly reducing the scope and cost of compliance.
Implementation is Critical to Maximizing Security and Business Flexibility
While the technology of tokenization is straightforward, implementation is key to making it secure and tightly integrated not only with internal business processes but also with third-party payment processors and service providers such as fraud prevention.
In the early days of tokenization, organizations used on-premises tokenization, where data and tokens were stored in on-site databases and business systems. This still allowed an attacker who breached the environment to take both the tokens and the vault that resolved them, defeating the purpose of the measure. And with the actual payment data still on-premises, those systems still fell within the full scope of PCI compliance. Little was gained while there was potentially much to lose.
In the last few years, many business processes have moved to the cloud for increased flexibility, lower cost, and better security. Tokenization with secure cloud data vaulting is more secure and ultimately less expensive than on-premises solutions. With cloud tokenization, sensitive data is removed from the organization's IT environment entirely, which is the most effective way to both take the data theft risk out of that environment and reduce PCI compliance costs.
TokenEx implements cloud tokenization schemes for a wide variety of industries, for organizations of all sizes, with each project tuned to ensure business continues to operate at internet speeds. For more information on the methods TokenEx uses to implement tokenization, read these articles on browser-based encryption, web services APIs, and hosted payment pages.
Tokenization vs Encryption or Tokenization and Encryption
In summary, encryption alone does not irrevocably secure payment or personal information. To secure data in transit and at rest, encryption and tokenization must work together, each performing critical security tasks to protect sensitive data from theft at different stages in the payment stream. The TokenEx Cloud Security Platform implements encryption, key management, and tokenization to provide a layered security architecture that removes sensitive data from your systems and reduces the cost of PCI compliance. It is built to keep your data out of reach while saving you money.