
By Michael Ryan

It’s a frightening time of year with Halloween right around the corner.  To get our readers in the spirit of the holiday, we are dispelling the scariest of myths that impact merchants today and offering a bit of a treat.

Earlier this week, we discussed the battiness of considering EMV as the solution to all credit card security woes. It is hardly the case, and nothing can really take away from a layered approach to security. Today, we'll look at two technologies that are often layered together, but whose differences leave most merchants uncertain.

Spooky Myth of the Day: Tokenization and Encryption are interchangeable terms.

With the recent buzz over encryption and tokenization being used to secure cardholder data, the lines sometimes get blurred between the two terms. Thankfully, the PCI Council will publish a guidance document early next year that will provide clarification. Until then the debate will continue, because the definitions can overlap; for card processing purposes, though, the line can be drawn based on how each may be used.

Here is a simple way to differentiate the two.

Tokenization is the replacement of a data element (such as a credit card number) with another data element, the token. The token is typically assigned randomly, and a mapping of the relationship between the two data elements is stored in a secure environment.

Encryption, on the other hand, is the process of transforming a data element using an algorithm to make it unreadable to anyone except those who possess the decryption key.

With today's technology, both tokenization and encryption can be incredibly secure on their own. It really comes down to how each may be used for securing cardholder data. Specifically, it is possible to map tokens to a particular card number such that subsequent uses of that card always return the same token. This card-to-token relationship allows merchants to use their cardholder data for analytical purposes, such as understanding a particular consumer's behavior over time or across channels, as well as for velocity tracking to root out and prevent fraudulent transactions.

The encryption solutions used to protect cardholder data today produce a unique value each time a card is used, to prevent reverse engineering of encryption keys and algorithms. It is also impractical, for security and storage reasons, to house the card-to-token mapping at the point of sale.
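To make the two definitions above concrete, here is an added example (not code from the original post or from Merchant Link) that models both behaviours side by side: a token vault that hands back the same random token every time the same card number is presented, so the token can stand in for the card in analytics, and an encryption routine that produces a different ciphertext for the same card number on every call. The vault, its consistent-token policy, and the decision to keep the last four digits visible in the token are assumptions for illustration. The cipher is a dependency-free stand-in built from HMAC-SHA256 (a keystream plus an integrity tag); production point-of-sale solutions use a standard cipher such as AES instead, and the point demonstrated is the per-use uniqueness, not the construction itself.

```python
import hashlib
import hmac
import secrets
from typing import Dict

PAN_LEN = 16  # length of the constructed sample card numbers below


class TokenVault:
    """Assumed token vault: random tokens, with the card-to-token mapping kept
    here (the 'secure environment'), never at the point of sale."""

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Consistent tokenization: a card seen before gets its existing token,
        # which is what makes velocity tracking and analytics on tokens possible.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits, keeping only the last four for receipts (assumed policy).
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Only the vault can reverse a token; there is no key to recover it from.
        return self._token_to_pan[token]


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and the integrity tag.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Stand-in cipher: a fresh random nonce per call makes every ciphertext
    unique even for an identical card number."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("ciphertext failed integrity check")
    ks = _keystream(_derive(master, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def demo() -> dict:
    """Run both techniques on a constructed sample card number and report
    the properties the post describes."""
    pan = "4111111111111111"  # constructed test value, not a real card
    vault = TokenVault()
    t1, t2 = vault.tokenize(pan), vault.tokenize(pan)
    key = secrets.token_bytes(32)
    c1, c2 = encrypt(key, pan.encode()), encrypt(key, pan.encode())
    return {
        "token_is_stable": t1 == t2,                 # same card -> same token
        "token_hides_pan": t1 != pan and t1[-4:] == pan[-4:],
        "token_round_trips": vault.detokenize(t1) == pan,
        "ciphertext_is_unique": c1 != c2,            # same card -> different ciphertext
        "ciphertext_round_trips": decrypt(key, c1) == pan.encode(),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The vault is the piece that cannot live at the point of sale: the map inside it is the whole secret. The cipher, by contrast, needs only the key at the decrypting end, and because the nonce changes per call, nothing about repeated use of one card can be learned by comparing ciphertexts.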

So the line is best drawn by how tokenization and encryption may be used… and like my fellow blogger recently said, we think they are used best when paired together… like chocolate and peanut butter! Encryption is ideally suited for use at the point of entry to secure data in flight, while tokens may be used for storage and leveraged for analytics and fraud protection.

Visit us later this week for the next spooky myth. If you have other myths that you'd like to add, include them in a comment below.

Comments

There is one comment for this post.

  1. Merchant Link SecurityCents :: Encryption PCI Compliance Tokenization :: Tis the Season: Don’t Let the Grinch Get in the Way on November 19, 2010 6:38 am

    [...] of the most common uses of card data is to help with chargeback disputes.  Visa’s recent PAN Truncation Guidelines has shattered the myth that full card numbers are needed for this purpose. Ask the tough questions [...]
