listen to this article:
Tokenization and encryption are the main technologies used to secure sensitive data such as credit card numbers. These two security standards are used to secure sensitive data that can be used to prevent financial fraud. Beyond that, they help satisfy the regulatory requirements such as those under PCI DSS, GLBA, HIPAA-HITECH, ITAR, and the GDPR.
However, despite achieving the same goal, the two technologies are quite different, and they are suitable for different purposes. Encryption has been the standard security technique for decades, and even though it is still highly effective in most cases, the system has some drawbacks when it comes to financial data. Most organizations are now adopting tokenization to benefit from the extra utility, agility, and flexibility while reducing the compliance scope. In this post, we look at tokenization vs encryption and when tokenization should substitute encryption in an organization.
What is Encryption?
Encryption is the process of transforming readable data into ciphertext through an algorithm. The algorithm uses an encryption key to convert data into ciphertext and reverse it to the original plain text format.
Types of Encryption Schemes
There are two types of encryption algorithms:
- Symmetric Key Encryption: This type of encryption uses a single key to encrypt and decrypt the data. This means that the security of the encrypted data relies on how secure the key is. If the key is compromised, all data that has been secured with it can be unlocked.
- Asymmetric Key Encryption: This encryption method is also known as Public Key Encryption, and it uses two different but mathematically related keys to encrypt and decrypt data. The encryption key is made public, but the decryption is only known to the owner, who is the intended recipient of the data. This encryption method is more secure as it nullifies the need to transmit the private key.
The Strength of Encryption
Encryption is effective in protecting data in storage and transit as long as it is implemented properly. This can be done using secure encryption algorithms such as AES and RSA, although you’ll still need to use the proper key size and mode of operation store it in a secure cryptographic key management platform.
What Digital Assets Can Be Protected with Encryption?
The best part about using encryption to protect sensitive data is that an organization can secure both structured fields such as email addresses and unstructured data such as entire files and even hard disks. Apart from that, you can easily scale to large data volumes as all you need is the encryption key.
The Drawback of Encryption as a Protection Method
To secure sensitive data, encryption simply converts it to ciphertext without necessarily persevering the format or size of the original data. This makes it not suitable for structured data such as the personal account number (PAN) on payment cards as it needs to meet database or additional applications format requirements.
Apart from that, encrypted data can’t be searched, a functionality that is necessary for data such as SSNs and names.
What is Tokenization?
Tokenization is the process of converting sensitive data into a string of random, meaningless characters (non-sensitive data). To protect sensitive data, tokenization simply creates a relationship between the token and the actual data. The technology is designed with the primary goal of making it possible for organizations to process payments without storing sensitive data.
Forms of Tokenization
There are two major forms of tokenization.
- Vault Tokenization: In this technique, the system maps sensitive data to meaningless data and stores both in a secure vault. The organization receiving the payment only has access to the non-sensitive data, which can then be de-tokenized for processing whenever necessary.
- Vaultless Tokenization: Vaultless Tokenization generates a token through an algorithm without mapping the original data to a vault. The generated token can then be used to recreate the original data without needing a tokenization vault.
To ensure that vaultless tokenization also retains the original format, it uses format-preserving encryption (FPE). This makes it possible to store data without altering the underlying database structure, enables data searching, and allows scaling up and down.
The Benefits of Tokenization
Tokenization was introduced to make it possible to encrypt structured data while keeping the format and making it possible to pass validity checks.
As an example, when a credit card number is tokenized, it can be set to retain the original format while still achieving encryption. For example, a credit card number 4539 8042 6815 7598 can be tokenized to 2819 3465 0028 7598. This achieves the format required by systems that process payments and also helps satisfy the Luhn checksum. And since the last four digits (or any other) can be left untokenized, the number can then be masked and presented to the user as **** **** **** 7598.
In contrast, encryption with AES CBC mode will encrypt this number to a string such as qf61lytJ8I2kflOcQbOCUlX1yH+vAL1-nRoLgKkId+o%. Format-preserving encryption schemes can be used instead, but they need to be combined with tokenization in a vaultless tokenization system.
Who is Tokenization For?
Tokenization is an appropriate choice for organizations that receive online payments and financial institutions that generate account numbers.
The burden of securing such data is too much to bear in one system, so introducing an external security provider for tokenization greatly reduces the scope and enhances compliance.
However, the technology is not restricted to just payments. An organization should use tokenization as long as its business needs require saving sensitive user information such as social security numbers, passport numbers, driver’s license numbers, email addresses, telephone numbers, and physical address, among others.
Such a security system will help the organization cut down on expenditures, reduce the attack scope, and enhance compliance.
How Tokenization Supports PCI DSS Compliance
The biggest advantage of tokenization is that it helps merchants reduce their obligations under the Payment Card Industry Security Standards Council (PCI DSS). These standards are established by the Payment Card Industry Security Standards Council (PCI SSC), which consists of the five major payment brands: Visa, MasterCard, American Express, Discover, and JCB. The standards apply to all organizations that wish to process, store, or transmit customers’ card data issued by these brands.
To remain compliant, your organization needs to follow 12 requirements laid out in the PCI DSS. These requirements touch on network security, protecting cardholder data, vulnerability management, access control, and information security personnel management.
PCI DSS compliance is not a requirement by law, but it is crucial for every organization that processes financial customer data. Non-compliance by such an organization can generate fines of $5,000 to $100,000 per month until the organization achieves compliance, while a breach can result in penalties of up to $500,000 per incident when the organization is non-compliant.
Tokenization for Secure and Compliant Payment Solutions
Tokenization is a key piece of technology that helps achieve security and compliance by reducing the attack and compliance scope. Vaultless tokenization is the safer and more efficient of the two options as it does not maintain a database, but you’ll also need to ensure that you use a secure cryptographic key management system. This way, you’ll be able to meet international regulatory compliance obligations such as such as the PCI DSS, CCPA, HIPAA-HITECH, GLBA, ITAR, and the GDPR.