If you have any experience with data security, you’re likely already familiar with encryption. Data encryption is the most common method of keeping sensitive information secure, and thousands of businesses around the globe use encryption to protect credit card data (CHD or PCI), personally identifiable information (PII), financial account numbers, and more. However, encryption has some drawbacks, especially when compared with tokenization.
Both tokenization and encryption technologies have long been integral tools for securing sensitive data. Although they both have a place in protecting data stored in the enterprise and when in transit over the Internet, there are clear differences in the degree of security they provide, as well as the flexibility of their implementations.
Encryption Alone is Not a Secure Solution
Encryption replaces a sensitive value—such as personal data, cardholder data (CHD), personally identifiable information (PII), protected health information (PHI), etc.—with a mathematically derived stand-in that, ideally, can only be read by an authorized entity in possession of the same encryption keys that were used to create the value. That little lock icon on a browser’s URL line indicates that data, such as a payment account number (PAN), is encrypted as it flows between the browser and the online store. This level of security is now ubiquitous for financial web transactions and helps to ensure that no middleman can read the encrypted PAN and other information.
Once the PAN reaches an online store’s web server, it’s decrypted and used by the retail software to charge the customer’s account, setting off a series of actions by the merchant, payment processor, and card issuers. Often the merchant stores the card data to make it easy for customers to make another purchase or to make recurring payments.
The strength of the encryption is based on the algorithm it uses to secure the data—a more complex algorithm will create stronger encryption that is more difficult to crack. However, all encryption is eventually breakable—it’s simply a matter of how strong your algorithm is and how powerful the computers are of those people trying to break it. In this sense, encryption isn’t really data protection. Rather, it’s data obfuscation. It makes it much harder, though not impossible, to find the real information hidden within the encrypted data.
When a merchant’s IT systems are breached by hackers, the database of customer PANs can be stolen and sold for fraudulent use, even if it’s encrypted. That’s the primary weakness of encryption—if a key is exposed in a breach, the encrypted data can be returned to its original, sensitive form. Encrypting data may make it temporarily secure while in transit, but once at rest in business systems, it is vulnerable to theft and decryption.
Tokenization Reduces Data Theft Risk
Let’s trace the same path but with tokenization. The first stage is the same, from browser to online store. But once the payment information is accepted to initiate the transaction, the data either remains encrypted or is immediately re-encrypted using different keys. With a PCI tokenization solution integrated into the payment stream, the encrypted payment data is immediately sent to a secure cloud platform, where it is stored and swapped with a mathematically unrelated token. The token is sent back to the merchant to use for additional processing and storage. The real PAN is sent on by the token provider to the payment processor of choice to be verified, charged, and confirmed to complete the transaction. Adding tokenization to the payment stream has four distinct advantages over using only encryption:
- The PAN is never accepted by the merchant in an unencrypted state.
- No version of the PAN is stored or transmitted by the merchant, only the token that represents it.
- Tokens stolen during a breach are completely useless to hackers, as they cannot be returned to the original PAN.
- There is no key management required—the sensitive data itself is securely stored in the cloud, out of the reach of hackers.
Tokenization Makes PCI Compliance Easier and Less Expensive
Because encrypted data can be reversed, the PCI Security Standards Council and other governing compliance entities still view it as sensitive data. Therefore, using just encryption to protect PANs stored in business systems does nothing to reduce the scope of compliance. Only removing the payment data completely and replacing it with tokens will actually reduce scope, cost, and risk. If your business is noncompliant, the fines can hurt your company’s bottom line—PCI fines, for example, are rumored to be in the neighborhood of $25,000 a month for noncompliance.
The TokenEx Cloud Security Platform is designed to tokenize and securely store all types of sensitive data. TokenEx has flexible methods of capturing and removing data at the farthest reaches of the organization. By removing payment data from an organization’s business systems, most, if not all, of the IT systems are subject to the lowest level of PCI audits, thus greatly reducing the scope and costs of compliance.
Implementation is Critical to Maximizing Security and Business Flexibility
Although the technology of tokenization is actually straightforward, implementation is key to ensuring it is secure and properly integrated with not only internal business processes, but also with third-party payment processors and vendors such as fraud-prevention service providers.
In the early days of tokenization, organizations chose to use on-premise models, where data and tokens are stored in the on-site databases and business systems. However, this method still enabled hackers to steal both sets of data, thus defeating the purpose of the security measures. Plus, with the actual payment data still on premise, those systems remained within scope of the PCI DSS. Nothing is really gained while there was potentially much to lose.
Recently, many business processes have moved to the cloud for increased flexibility, lower cost, and better security. Cloud tokenization is much more secure and ultimately less expensive than on-premise solutions. With cloud tokenization, sensitive data is completely removed from an organization’s IT environment. This virtually eliminates the risk of data theft while simultaneously reducing the cost of PCI compliance.
TokenEx implements cloud tokenization schemes for a wide variety of industries and organizations of all sizes, with each project carefully implemented to minimize the disruption of business-as-usual processes. For more information about TokenEx's tokenization offerings, read these articles on browser-based encryption, web services APIs, and hosted payment pages.
Tokenization and Encryption
Encryption alone does not completely secure payment or personal information. To secure data in transit and at rest, encryption and tokenization must work together, with each performing critical security tasks to protect sensitive data from theft at different stages in the payment stream. The TokenEx Cloud Security Platform combines encryption, key management, and tokenization to provide a powerful, layered security architecture that significantly reduces the risk of data theft and the cost of PCI compliance, effectively protecting your data while saving you money.