Is Tokenization Better Than Encryption For Your Business?

19 Jul
2013

tokenization vs encryptionIf you have any experience with data security, you’re already familiar with encryption. Data encryption is the most common method of keeping sensitive information secure, and thousands of businesses around the globe use encryption to protect credit card data, personally identifiable information, financial account numbers and more. However, encryption has some drawbacks, especially when compared with tokenization. Below you will find tokenization vs encryption comparison.

Tokenization vs Encryption

Tokenization vs encryption explains how they differ from one another in protecting cloud data. Tokenization uses ‘token’ whereas encryption uses ‘secret key’ to protect the data.

 

The first, and by far the biggest, problem with data encryption is that it’s reversible. By design, encrypted data can be returned back to its original, unencrypted form. The strength of the encryption is based on the algorithm it uses to secure the data – a more complex algorithm will create stronger encryption that is more difficult to crack.

However, all encryption is eventually breakable – it’s simply a matter of how strong your algorithm is and how powerful the computers are of those people trying to break it. In this sense, encryption isn’t really data protection. Rather, it’s data obfuscation; it makes it much harder, though not impossible, to find the real information hidden within the encrypted data.

Another problem with encryption is that, because it’s reversible, the PCI Security Standards Council and other governing compliance entities still view encrypted data as sensitive data. In other words, it’s data that you need to protect, because it can be reversed back to the true information. As a result, organizations can expect significant capital expenditure in purchasing solutions to protect this encrypted data, and meeting compliance obligations can become a huge expense for businesses as well.

Additionally, if your business is noncompliant or your sensitive data should fall into the wrong hands, the fines can crush your company – PCI violation fines, for example, are rumored to be in the neighborhood of $25,000 a month for non-compliance, and approximately $133 per card in the event of a breach, according to the Ponemon Institute.

Tokenization, on the other hand, has none of these problems. That’s because tokenization doesn’t rely on encryption to protect data. Rather than securing information through a breakable algorithm, a tokenization system replaces sensitive data with 1-to-1-mapped random data within your environment. The original information is not contained within the token, and thus the token cannot be reversed into true data. It’s simply a placeholder, and it has no inherent value. Meanwhile, the real, sensitive information is stored in a different location entirely, such as a secured offsite platform. That means that sensitive customer data does not enter or reside within your environment at any time.

So, if a hacker should manage to break into your environment and steal your tokens, they’ve really stolen nothing. Tokens cannot be used for fraudulent purposes. Furthermore, tokens can’t be reversed independently of the secure platform or software by breaking an algorithm.

And because tokens do not contain any real data, only represent it, they aren’t subject to issues with compliance from PCI or other data security organizations. Thus, costly compliance obligations are reduced, if not eliminated, and there are no fines to worry about in the event of a breach. Tokenized data cannot be reverse-engineered into real customer information, no matter what.

Our company is TokenEx, a leading provider of cloud-based tokenization services for businesses and retailers. If you have sensitive information that you need to keep secure, you should take a look at our services pages, or contact us for more information.