Tokenization vs. Encryption


When it comes to protecting sensitive data, tokenization and encryption are common solutions. Many businesses around the globe use a combination of these technologies to protect credit card data (PCI/CHD), personally identifiable information (PII), protected health information (PHI), automated clearing house (ACH) data, and more. 

Both tokenization and encryption technologies have long been integral tools for securing sensitive data. Although they both have a place in protecting data stored in the enterprise and when in transit, there are clear differences in the degree of security they provide, as well as the flexibility of their implementations. When compared side by side, tokenization is the superior security technology.

Encryption Alone is Not a Secure Solution

Encryption replaces a sensitive value—such as personal data, cardholder data (CHD), personally identifiable information (PII), protected health information (PHI), etc.—with a mathematically derived stand-in that, ideally, can only be read by an authorized entity in possession of the same encryption keys that were used to create the value. That little lock icon on a browser’s URL line indicates that data, such as a payment account number (PAN), is encrypted as it flows between the browser and the online store. This level of security is now ubiquitous for financial web transactions and helps to ensure that no middleman can read the encrypted PAN and other information.

Once the PAN reaches an online store’s web server, it’s decrypted and used by the retail software to charge the customer’s account, setting off a series of actions by the merchant, payment processor, and card issuers. Often the merchant stores the card data to make it easy for customers to make another purchase or to make recurring payments.

The strength of the encryption is based on the algorithm it uses to secure the data—a more complex algorithm will create stronger encryption that is more difficult to crack. However, all encryption is eventually breakable—it’s simply a matter of how strong your algorithm is and how powerful the computers are of those people trying to break it. So although encryption increases the difficulty of finding the real information hidden within the encrypted data, it does not make it impossible to be revealed.

When a merchant’s IT systems are breached by hackers, the database of customer PANs can be stolen and sold for fraudulent use, even if it’s encrypted. That’s the primary weakness of encryption—if a key is exposed in a breach, the encrypted data can be returned to its original, sensitive form. Encrypting data may make it temporarily secure while in transit, but once at rest in business systems, it is vulnerable to theft and decryption.


Tokenization Reduces Data Theft Risk

The primary difference—and benefit—of using tokenization vs. encryption is that tokenized data cannot be returned to its original form. Unlike encryption, tokenization does not use keys to alter the original data. Instead, it removes the data from an organization's internal systems entirely and exchanges it for a randomly generated nonsensitive placeholder (a token). These placeholders can be stored within an organization's internal systems for business use while sensitive values are safely stored outside of its environment. 

So, in the event that a tokenized environment is breached, no sensitive data or compromising keys/credentials would be revealed—only the nonsensitive tokens. Because no sensitive data is being stored, none is available to be stolen. In effect, the risk of data theft is virtually eliminated.

Tokenization Makes PCI Compliance Easier and Less Expensive

Due to its risk-reducing capabilities, tokenization is frequently deployed to protect cardholder information and other PCI data. With a PCI tokenization solution integrated into the payment stream, card data—usually a credit card primary account number (PAN)—is immediately sent to a secure cloud platform for tokenization. From there, it is stored and swapped with a mathematically unrelated token; the token is sent back to the merchant to use for additional processing and storage; and the real PAN is sent on by the token provider to the payment processor to complete the transaction.

Utilizing PCI tokenization to protect your payments stream has four distinct advantages over using only encryption:

  • The PAN is never accepted by the merchant in an unprotected state.

  • No version of the PAN is stored or transmitted by the merchant, only the token that represents it.

  • Tokens stolen during a breach are completely useless to hackers, as they cannot be returned to the original PAN.

  • There is no key management required—the sensitive data itself is securely stored in the cloud, out of the reach of hackers.

Ipad and Callout-CTA-PCI-Ebook---How-to-Stop-Data-Theft-10-Steps

Additionally, because encrypted data can be reversed, the PCI Security Standards Council and other governing compliance entities still view it as sensitive data. Therefore, using solely encryption to protect PANs stored in business systems does nothing to reduce the scope of compliance. Only removing the payment data completely and replacing it with tokens will actually reduce scope, cost, and risk.

The TokenEx Cloud Data Protection Platform is designed to tokenize and securely store all types of sensitive data, including PCI such as cardholder data and PANs. TokenEx has flexible methods of capturing and removing data at the farthest reaches of the organization. By removing payment data from an organization’s business systems, most, if not all, of the IT systems are subject to the lowest level of PCI audits, thus greatly reducing the scope and costs of compliance.

Implementation is Critical to Maximizing Security and Business Flexibility

Although the technology of tokenization is actually straightforward, implementation is key to ensuring it is secure and properly integrated with not only internal business processes, but also with third-party payment processors and vendors such as fraud-prevention service providers.

In the early days of tokenization, organizations chose to use on-premise models, where data and tokens are stored in the on-site databases and business systems. However, this method still enabled hackers to steal both sets of data, thus defeating the purpose of the security measures. Plus, with the actual payment data still on premise, those systems remained within scope of the PCI DSS. Nothing is really gained while there was potentially much to lose.

Recently, many business processes have moved to the cloud for increased flexibility, lower cost, and better security. When configured properly, cloud tokenization is much more secure and ultimately less expensive than on-premise solutions. With cloud tokenization, sensitive data is completely removed from an organization’s IT environment. This virtually eliminates the risk of data theft while simultaneously reducing the cost of PCI compliance.

TokenEx implements cloud tokenization schemes for a wide variety of industries and organizations of all sizes, with each project carefully implemented to minimize the disruption of business-as-usual processes. For more information about TokenEx's tokenization offerings, check out our credit card tokenization, PII compliance, and "What is Tokenization?" pages.

Tokenization and Encryption

Encryption alone does not completely secure payment or personal information. To secure data in transit and at rest, encryption and tokenization must work together, with each performing critical security tasks to protect sensitive data from theft at different stages in the payment stream. The TokenEx Cloud Data Protection Platform combines encryption and tokenization to provide a powerful, layered security architecture that significantly reduces the risk of data theft and the cost of PCI compliance, effectively protecting your data while saving you money.