Tokenization and encryption both offer effective means of protecting data, but which is the right choice for your business? And what’s the difference between them anyway? Whether you’re a retailer, financial institution or healthcare organization, understanding these concepts is key to knowing which solution will best suit your needs.
What Is Tokenization?
When card information is tokenized, the primary account number (PAN) is replaced with a unique series of numbers referred to as a “token.” The PAN may be substituted by what’s called a “masked” or “dummy” value — it’s still readable, but not in an actionable format. Tokens are created using strong cryptography and random number generators, and the original PAN is completely replaced in a one-way operation that can’t be reversed.
The Benefits of Tokenization
Tokenized data is extremely difficult to decrypt — it would take an impractically long amount of time and computing power to crack the code by brute force. Tokens behave like any other data element for most purposes. This means that the data is not only protected, but it can be used for decisioning and analytics without compromising security.
Tokens are also flexible, since they can easily be assigned to any of your business units (i.e., lines of business or locations). You can put tokens back into readable form with a simple process known as “unmasking” that gives your company the freedom to use data how it needs to without compromising safety.
When tokenization is used with point-to-point encryption, both are combined for maximum security. This means only the card issuer has access to the original PAN and other sensitive information at any time — tokens can’t be manipulated or used to commit fraud.
What Is Encryption?
In encryption, the original PAN is secured using a method called “strong cryptography.” The information can be made unreadable to anyone who does not have authorization to access it. Strong cryptography scrambles data so hackers will need at least several more years of computing advancements before they can crack the code.
Data is encrypted “in flight” when it is sent over a network, and “at rest” when it is stored on a disk or in memory. Encryption can be combined with tokenization for even stronger security, but it doesn’t have to be.
The Benefits of Encryption
Enforcement of encryption standards is mandatory for all retailers that accept credit cards after October 1, 2015. This means your business needs to act now if you’re not already locked in with an encryption provider before the shift.
Although data is more secure using encryption than tokenization, it’s still possible for hackers to access encrypted information through brute force attacks or by simply stealing decryption keys. Another drawback is that only authorized parties have access to the original PAN, so companies can’t use tokens for analytics purposes or business decisioning applications.
Which Is Best for Retailers?
Weighing the pros and cons of tokenization vs. encryption in retail contexts is difficult because it depends on your specific environment. If you’re already using encryption, it may be simpler to continue using that. If not, tokenization is often the way to go for many reasons.
First of all, once your business partners are involved in processing transactions through an acquiring bank or payment processor, it’s almost guaranteed that they’ll require tokens instead of unreadable encrypted data. These companies need to be able to use the data for analytics and business decisioning purposes. There are several other factors you should consider before making a decision, but one thing to keep in mind is that tokenization is more easily integrated with other technologies.