As a business that accepts card payments, you’re in possession of a veritable treasure trove of sensitive cardholder data that hackers could steal and use to commit fraud.
That makes you a permanent target, and failure to adequately protect your systems could result in financial loss, reputational damage, and legal repercussions.
As such, you must employ a range of advanced techniques and technologies that actively fight fraudsters. Tokenization and encryption are two such methods for keeping payment data safe, both when it’s stored and when it’s in transit.
But how do they work? And is one more effective than the other? Below, we examine the differences between tokenization and encryption, and explore the role they can play in protecting your business and your customers.
Tokenization transforms sensitive cardholder information, such as the Primary Account Number (PAN), into a unique, randomized sequence of characters (a token) that has no intrinsic meaning.
Because it bears no mathematical relationship to the data that it's disguising, a token cannot be reversed or cracked by a hacker. That means that, even if it were to be stolen, it cannot be exploited by fraudsters.
With tokenization, the relationship between the token and the original information is stored in a database called a token vault, which is, in turn, secured using encryption. When a customer makes a payment, the token is transmitted instead of the cardholder's information. As the merchant, you will only ever store and transmit the token. The original data is stored in a secure cloud platform by the token provider.
Encryption uses an algorithm to convert sensitive data into a disguised, unreadable format called ciphertext. The only way to decrypt this text is to once again use an algorithm and the corresponding encryption key.
If you see a lock icon next to a URL, that indicates that the information on the page is encrypted using Secure Sockets Layer (SSL), which encrypts data while it is being transmitted between a website and a browser, or between two servers.
For example, when a customer enters their card details at checkout, SSL ensures the data is unreadable during transmission. It can then be decrypted when it reaches your online store’s web server and used by your payment processor to complete the transaction. It can also be stored for future payments.
However, unlike tokenization, encryption can be broken by a hacker because it is based on an algorithm and a key. If a criminal managed to gain access to your systems and steal the encryption key, they would be able to return the data to its original format. This makes encrypted data less secure than tokenized data.
The biggest difference between tokenization and encryption is the relationship between the original data and the disguised data.
Both processes transform sensitive data into an unreadable format. However, tokenization substitutes a meaningless sequence of characters, which has no relation to the original, for that data. That sequence has absolutely no value to a fraudster. To retrieve the real data, the token has to be submitted to an encrypted token vault.
In contrast, if your data is only encrypted and your systems are breached by a hacker, they can steal the encryption key and return the encrypted data to its original form, which they can then use to commit fraud.
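As an added example (not code from the page or from Checkout.com), here is a minimal token vault in Go that shows the two properties discussed above: the token is drawn from a random generator, so it has no relationship to the PAN, and recovering the PAN needs both a copy of the vault and the key that encrypts it. The 16-digit token format, the AES-GCM choice and the key length are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"math/big"
)

// Vault maps tokens to PANs; each PAN is stored only as AES-GCM ciphertext, so a stolen copy reveals nothing without the key.
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // token -> nonce || ciphertext
}
// NewVault takes a 16-, 24- or 32-byte AES key (held by the token provider).
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Vault{aead: aead, entries: map[string][]byte{}}, err
}
// Tokenize returns a 16-digit token: 12 digits from crypto/rand, which have no
// mathematical relationship to the PAN, plus the PAN's last four for receipts.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return "", fmt.Errorf("invalid PAN length %d", len(pan))
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000_000_000))
	if err != nil {
		return "", err
	}
	tok := fmt.Sprintf("%012d", n) + pan[len(pan)-4:]
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	v.entries[tok] = v.aead.Seal(nonce, nonce, []byte(pan), []byte(tok)) // token bound as AAD
	return tok, nil
}
// Detokenize needs both vault access and the key; the token alone is useless.
func (v *Vault) Detokenize(tok string) (string, error) {
	blob, ok := v.entries[tok]
	if !ok {
		return "", fmt.Errorf("unknown token")
	}
	pt, err := v.aead.Open(nil, blob[:v.aead.NonceSize()], blob[v.aead.NonceSize():], []byte(tok))
	return string(pt), err
}
```

A production vault would also check a fresh token for collisions and keep the key in an HSM or key-management service rather than in process memory.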
However, encryption has a wider variety of use cases. That’s because tokenization can only be used for structured data, such as card numbers and other numerical values. Encryption can be used to store much larger volumes of unstructured data, including entire documents, images, videos, and emails.
This makes tokenization great for ecommerce transactions, as well as subsequent purchases or recurring payments, while encryption is good for storing data at rest, in-person transactions, and over-the-phone payments.
Here are the pros and cons of tokenization:
Pros
Cons
Here are the pros and cons of encryption:
Pros
Cons
Both tokenization and encryption can play a role in protecting your sensitive data. In fact, the two processes can work together to keep payment information safe during storage and transmission.
Tokenization is perfect for protecting sensitive structured data like ID numbers and credit card details, and can help reduce your compliance burden. However, it can be difficult to exchange this data. Encryption can also be used to secure structured data and, unlike tokenization, large volumes of unstructured data (such as documents or images). This data can then be exchanged with a third party, who can decrypt it using the corresponding key.
A cloud-based solution that combines elements of both encryption and tokenization is the best way to protect your business systems against bad actors.
Tokenization is safer than encryption because there is no key or algorithm that a hacker could use to reveal its original value, and because the original data never has to leave the token provider’s database. In contrast, a hacker could return encrypted data to its original format by stealing the encryption key, and the original data is required to leave the organization during a transaction.
Checkout.com can help you fight fraud, improve your customer experience, and increase authorization rates through tokenization.
Whenever a customer uses a new card, we can automatically share a network token on your behalf with Visa or Mastercard. What’s more, we engage directly with card schemes and issuers to ensure that, if a card is lost, stolen or expired, the corresponding network token is updated with the new details.
Find out more about network tokens with Checkout.com.