Tokenization Vs. Encryption: What You Need To Know

Tokenization is a popular buzzword among those in the payments security space nowadays, but for many, an important question remains unanswered: just how does tokenization work, anyway?

It’s a complex answer that requires a deep technical understanding, but it’s one that Adrian Lane, data analyst and CTO for Securosis, will break down for the masses during a Prime Factors webinar on May 21. What’s the difference between tokenization and encryption, and how do the technologies affect security and compliance? PYMNTS.com spoke with Lane to learn more.

According to Lane, the difference between tokenization and encryption lies in how they deal with the data they are attempting to replace. In a nutshell, tokenization actually removes data from a system and replaces it with an associated value. Encryption, on the other hand, is an “obfuscation” or “scrambling” tool, in Lane’s words, which leaves the original information intact, but makes it inaccessible without a proper key.

Lane says the distinction is one of the key takeaways he’ll try to impart to his Prime Factors webinar audience on May 21.

“I really want to give people the tools necessary to understand when it’s appropriate for tokenization and when it’s appropriate for encryption,” Lane said. “That’s really the common underlying theme of customer questions.”

As for how tokenization is relevant in the payments security space, Lane cites PCI DSS certification, and notes that tokenization often leads to a simpler, and therefore easier, auditing experience.

“PCI DSS is a huge problem for a lot of merchants, even the small merchants who don’t have to go through the full scope of an audit. They still have this issue, and really when it comes down to it, it’s simplification,” Lane said.

“With tokenization, you’re not worried about someone coming along and having or breaking or being able to reverse engineer the system in the future, and you’re not worried about admin keys being compromised and gaining access to the original data.”
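The difference Lane describes, as an added Python sketch (not from Lane or the article): an attacker who copies the merchant database and the encryption key recovers the card number from ciphertext, but learns nothing from a token without the separate vault. The `TokenVault` class and the sample card number are constructed for illustration, and the HMAC-based keystream is a stand-in for a vetted cipher such as AES-GCM so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode); use a vetted AEAD in practice.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(12)
    data = pan.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

class TokenVault:
    """Hypothetical vault: the only place the token -> PAN mapping exists."""
    def __init__(self):
        self._pan_by_token, self._token_by_pan = {}, {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:          # same PAN always maps to the same token
            return self._token_by_pan[pan]
        while True:                            # random digits, unrelated to the PAN
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]

def breach_demo():
    pan = "4111111111111111"          # constructed test card number
    key = secrets.token_bytes(32)
    vault = TokenVault()              # runs outside the merchant system
    merchant_db = {"ciphertext": encrypt(key, pan), "token": vault.tokenize(pan)}
    # Attacker holds merchant_db and the key, but has no access to the vault.
    from_ciphertext = decrypt(key, merchant_db["ciphertext"])   # original data recovered
    return pan, merchant_db["token"], from_ciphertext
```

The token is drawn at random, so no key or computation turns it back into the card number; the only route is a lookup in the vault, which is the system that has to be protected and audited.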

To hear more from Lane on tokenization and how it can benefit those in the payments space, sign up for the Prime Factors webinar on May 21 here. And for more of Lane’s initial thoughts, listen to the full podcast below.

   



Adrian Lane, Data Analyst and CTO, Securosis

Adrian is a Security Strategist and brings over 25 years of industry experience to the Securosis team, much of it at the executive level. Adrian specializes in database security, data security, and secure software development. With experience at Ingres, Oracle, and Unisys, he has extensive experience in the vendor community, but brings a pragmatic perspective to selecting and deploying technologies, having worked on “the other side” as CIO in the finance vertical. Prior to joining Securosis, Adrian served as the CTO/VP at companies such as IPLocks, Touchpoint, CPMi and Transactor/Brodia. He has been invited to present at dozens of security conferences and has contributed articles to many major publications.