Encryption and Tokenization – What’s the Difference?

By: Nancy Bakanowicz


Recently a lot of terms have been thrown around in discussions of payment cards, EMV, electronic transactions and the enormous amount of data they involve, and of how to keep all that data safe. Data breaches at some very large companies and retailers have left consumers feeling skittish and unprotected when it comes to their credit cards and personal information. Because PCI standards don't allow retailers to store credit card numbers on their POS terminals or in their databases after a transaction is complete, credit card companies use processes like encryption and tokenization to meet this obligation. But what exactly are they?

First of all, while encryption and tokenization essentially do the same thing – protect sensitive data from falling into the wrong hands – the way they go about it is very different. In encryption, the original data is transformed with a key so that it is unreadable to anyone who does not hold the matching key. The original data is still there underneath; it just won’t look like much to hackers and fraudsters unless they have the key. In end-to-end encryption, the data is scrambled at the point of entry into the system (swiping a card at a POS terminal, or typing a credit card number into a web browser to make a purchase) and unscrambled, or decrypted, only at the conclusion of the transaction. While many experts consider this a completely secure way of keeping data safe, some think it doesn’t go far enough: although the data is encrypted, the original is still recoverable from it, and if the decryption key is somehow stolen or broken, the data could be compromised.

Tokenization, on the other hand, may be cheaper and easier to use than end-to-end encryption, and some experts also believe it may be more secure. The reason for that belief is that tokenization entirely removes credit card data from a company’s internal servers and replaces it with a completely random, computer-generated alphanumeric code, or “token.” The characters that make up a token do not contain any part of the credit card number and, in fact, have nothing to do with the original account number. As a result, there is no way a hacker can regenerate a card number from a token. Even if hackers or fraudsters were able to grab tokens off a company’s servers, they would just have a long list of letter and number sequences that mean absolutely nothing to them. This makes tokenization an ideal choice for any situation with ultra-sensitive data, such as bank transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

While both encryption and tokenization are secure and appropriate for most situations, the big difference is that encryption has keys to manage, which can be difficult to administer and control. Tokenization requires no such keys and is therefore easier to use. Businesses may feel they have to choose one over the other, but that is not necessarily so: a hybrid approach based on the sensitivity of the data and how critical it is to lock that data down can help determine whether encryption, tokenization or a combination of both is right for your business.
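The contrast drawn above, with encryption reversible by anyone holding the key and tokenization reversible only through a lookup table, is easier to see in code. The following Python is an added example, not code from the author or from any payment processor, and it makes two assumptions: the "encryption" is a standard-library stand-in (an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag) for the vetted AEAD a real system would use, and `TokenVault` is a hypothetical in-memory vault standing in for the separate, tightly controlled service a tokenization provider runs. The card number is the well-known sample value `4111111111111111`, constructed for the example. The vault also shows the caveat the article leaves implicit: the token itself tells an attacker nothing, but the token-to-PAN mapping must exist somewhere, so protecting the vault replaces protecting the key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed test value (a well-known sample card number), not real cardholder data.
SAMPLE_PAN = "4111111111111111"


# ---- Encryption: the card number is still there, just unreadable without the key ----
# Assumption for the example: to stay standard-library only, this uses an HMAC-SHA256
# keystream in counter mode XORed with the plaintext, then an HMAC tag over
# nonce+ciphertext (encrypt-then-MAC). Production code should use a vetted AEAD.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_pan(key: bytes, pan: str) -> bytes:
    """Return nonce || ciphertext || tag. Anyone holding `key` can reverse it."""
    nonce = secrets.token_bytes(16)
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_pan(key: bytes, blob: bytes) -> str:
    """Verify the tag first, then strip the keystream; wrong key or tampering raises."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or modified ciphertext")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plaintext.decode()


def decrypts_cleanly(key: bytes, blob: bytes) -> bool:
    """True if `key` recovers a valid plaintext from `blob`; shows why key custody matters."""
    try:
        decrypt_pan(key, blob)
        return True
    except ValueError:
        return False


# ---- Tokenization: a random surrogate plus a lookup table kept somewhere else ----

@dataclass
class TokenVault:
    """Hypothetical vault for the example. The token carries no information about
    the PAN; the mapping lives only here, so the vault (not a key) is what must be
    protected and kept out of the merchant's environment."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:        # same card always maps to the same token
            return self._token_by_pan[pan]
        while True:                           # random 16 digits, retried on the rare collision
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._pan_by_token and token != pan:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def merchant_view(vault: TokenVault, pan: str) -> dict:
    """What ends up stored on the merchant side under each approach, and what reverses it."""
    key = secrets.token_bytes(32)
    blob = encrypt_pan(key, pan)
    token = vault.tokenize(pan)
    return {
        "encrypted_record": blob.hex(),
        "encrypted_is_reversible_with_key": decrypt_pan(key, blob) == pan,
        "encrypted_is_reversible_without_key": decrypts_cleanly(secrets.token_bytes(32), blob),
        "token": token,
        "token_is_pan": token == pan,
        "token_reversible_only_via_vault": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    for name, value in merchant_view(TokenVault(), SAMPLE_PAN).items():
        print(f"{name}: {value}")
```

Running the script prints the encrypted record as hex, shows that only the original key decrypts it, and shows that the token is a fresh 16-digit value unrelated to the card number yet resolvable through the vault. The "hybrid approach" the article ends on maps onto this directly: the token is what the merchant keeps, and encryption protects the vault's own storage and the channel to it.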