Originally featured on Tnooz
Day Four: Protecting data at rest and data in motion – Tokenization and encryption

As you may have noticed, VISA recently came out with guidelines for tokenization. This is after they already established guidelines for point encryption solutions.
Most believe that this latest guidance is indicative of what we will be seeing in the future from the PCI Security Standards Council.
The use of both tokenization and encryption is necessary to ensure protection of credit card information that is stored as well as information that is in transit.
But first, we must understand how each technology works.
Tokenization is the replacement of a data element (such as a credit card number) with another data element which serves as a reference to the original.
This replacement data element is also known as a token.
This token/reference number is stored in a hotel’s computer systems instead of the real credit card number so that if someone tries to steal the credit card number, all they end up with is a non-actionable token that has no value.
The value of a token is that it cannot be decrypted, derived, cracked, or reverse engineered to discover the original value.
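To make the tokenization idea concrete, here is an added example (not code from the original article or from any vendor it mentions) of a minimal tokenization vault in Python. It assumes a hypothetical `TokenVault` class that a hotel's property-management system would call instead of storing card numbers itself; tokens are generated randomly rather than derived from the card number, keep only the last four digits for receipts, and are deliberately built to fail the Luhn check so they can never be mistaken for a real card number. The card number used is a constructed, publicly known test value.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Standard Luhn check used to validate card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Display form: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Hypothetical vault: the only place the real PAN exists.

    Everything outside the vault (front desk, PMS, reports) sees tokens only,
    which is what takes those systems out of scope for card-data storage.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        # Same card -> same token, so repeat guests can be matched without the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random leading digits + original last four; nothing is derived from
            # the PAN, so the token cannot be reversed without the vault.
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject candidates that pass Luhn so a token never looks like a live PAN,
            # and reject collisions with tokens already issued.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at settlement time) should ever call this."""
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]

def demo() -> dict:
    """Walk through a booking: the PMS keeps a token, the vault keeps the PAN."""
    test_pan = "4111111111111111"          # constructed test card number
    vault = TokenVault()
    pms_record = {"guest": "constructed guest", "card": vault.tokenize(test_pan)}
    return {
        "pan": test_pan,
        "token": pms_record["card"],
        "display": mask_pan(pms_record["card"]),
        "same_token_on_repeat": vault.tokenize(test_pan) == pms_record["card"],
        "recovered": vault.detokenize(pms_record["card"]),
        "token_passes_luhn": luhn_valid(pms_record["card"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the article makes follows directly from the structure: a copy of `pms_record` alone yields a string that is not a valid card number and cannot be turned back into one, because the mapping lives only inside the vault.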
Encryption on the other hand, is the process of transforming a data element using an algorithm to make it unreadable to anyone except those who possess the decryption key.
While both have their place, tokenization is more effective at removing sensitive data from a system, because the protection of encrypted data depends on the strength of the encryption algorithm as well as on secure key management practices.
The best security strategy is a layered one in which merchants employ both tokenization (to secure data at rest) and encryption (to secure data in flight).
By utilizing both technologies, hotel operators and merchants can reduce the scope of their PCI compliance audits, by ensuring data doesn’t reside in full on internal systems.