Tokenization Guide: What is Tokenization and why is it different than Encryption?

Tokenization

Tokenization is the process of replacing original data, whether payment, sensitive or personal, in business systems with identification symbols (tokens) that contain all the essential data, thus improving security. Tokenization adds an extra layer of security to sensitive data. It is often used to prevent credit card fraud and ultimately to keep hackers from reaching sensitive credit card information and more. In this Tokenization Guide, you will learn more details and the difference between Tokenization and Encryption.

With the surge in popularity of digital wallets like AliPay, PayPal, Google Wallet and more, tokenization will become increasingly valuable to the whole financial ecosystem. The tokenization technology and industry have been developing at an increased rate, and it is estimated that in the future you could potentially tokenize every type of intellectual data. So what is Tokenization?

What is tokenization?

Tokenization is a popular process of data protection that is used to increase data security by lowering the amount of data that businesses have to keep on hand. Tokenization can be used by businesses of all sizes to increase the security of transactions and to lower the cost of complying with government and industry standards and regulations. Standards for the Payment Card Industry do not allow businesses to store credit card numbers in databases or in their point-of-sale (POS) terminals after a transaction is made.

To comply with the Payment Card Industry standards, merchants need to either incorporate an end-to-end encryption system into their business or outsource their payment processing to a provider that offers tokenization services. This provider is responsible for maintaining the security of valuable information and locking it down. The provider must issue a driver for the point-of-sale system that will replace valuable data with randomly generated tokens.

Tokens can’t be used outside the context of unique transactions made between both parties. With credit card transactions, the token contains only four digits from the actual credit card and encrypts the rest of the valuable information by replacing it with alphanumeric symbols. These symbols are a mishmash of numerals and letters. Tokenization can be used with all kinds of valuable information, including voting data, criminal records, medical records, vehicle data, driver’s information, loans, stocks, payment transactions and more.

How does Tokenization work?

The original information is stored in a secure data vault that is separate from business systems, and each data set is replaced with an undecipherable token. Tokens can be single-use or multi-use. An example of a single-use token is a one-time card transaction. Multi-use tokenization is for storing the card number of repeat customers in a database.

In older systems, cardholder information or other sensitive data was stored in databases, which made it really easy for hackers to access it. Tokenization makes it a lot harder for hackers, as only the system that tokenized the information can detokenize it using only the token. When the valuable information is replaced, the original value is encrypted and is sent to a secure data vault. To get the information back, the system needs to swap the token for the original data.

Detokenization is the reverse process and can only be executed by the original tokenization platform. Only the original tokenization platform can take the tokens in your systems and swap them back for the corresponding primary account numbers. After the data is detokenized, it is sent to the payment processor for authorization. After authorization the payment can be processed and provided. Your system never stores, processes or transmits the primary account number, only the token. There is no other way to obtain the data from just the token.
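
The vault flow described above, as an added Python example (not code from the original guide or from any tokenization provider). TokenVault and its methods are hypothetical names, a dictionary stands in for the encrypted vault store, and the card number is a constructed test value.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class TokenVault:
    """Hypothetical in-memory stand-in for the provider's secure vault."""

    def __init__(self):
        self._by_token = {}   # token -> (pan, single_use)
        self._multi_use = {}  # pan -> multi-use token for repeat customers

    def tokenize(self, pan, single_use=False):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if not single_use and pan in self._multi_use:
            return self._multi_use[pan]  # repeat customer: same token
        while True:
            # Random body from a CSPRNG; only the last four digits are kept.
            body = "".join(secrets.choice(ALPHABET) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and all-digit tokens that could pass for a PAN.
            if token not in self._by_token and not token.isdigit():
                break
        self._by_token[token] = (pan, single_use)
        if not single_use:
            self._multi_use[pan] = token
        return token

    def detokenize(self, token):
        pan, single_use = self._by_token[token]  # KeyError: unknown token
        if single_use:
            del self._by_token[token]  # a single-use token works only once
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    multi = vault.tokenize(pan)
    once = vault.tokenize(pan, single_use=True)
    print(multi, once, vault.detokenize(once))
```

The merchant system stores only the value returned by tokenize; without access to the vault's lookup table, a stolen token resolves to nothing.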

Differences between Tokenization and Encryption

Simply speaking, Tokenization takes the original data and randomizes it through the Tokenization platform’s algorithm, so that you can’t mathematically get back to the original data, and creates a token. Encryption, on the other hand, takes the data and runs it through an algorithm, using the encryption key to transform plain text into cipher text. Using the key, you can get back to the original data by deciphering it. Encryption uses keys that solve the encryption and allow you to decrypt the value, but that also gives hackers a chance at solving the encryption. Encryption basically makes it harder to get the information.

An interesting fact is that the PCI Security Standards Council still considers encrypted data to be payment card data or sensitive data. Payment Card Industry data that is encrypted is still up for audit, so the data will have to be decrypted and then encrypted again, and more costs pile up when you have to use all the services needed to be PCI compliant. Encryption is great for businesses or platforms that do not retain data on their servers or in a database. Encryption is also great if you can build a great system around it and maintain it.

But if you have to retain data, tokenization makes it much easier and cheaper. Also, if you retain the sensitive data, you also hold the key, so a hacker can potentially hack the system and get hold of the key. So it is much better to tokenize the information and get it out of your system. If someone steals the tokens, they can’t get to the original data, which means that these tokens have no meaning or value. An ideal system will use both tokenization and encryption, but encryption requires more computational power than tokenization.

Tokenization vs Encryption details

  • Mathematically reversible: Encryption
  • Reduces PCI scope: Tokenization
  • End-to-End security: Tokenization
  • Rotation of Keys required: Encryption
  • Payment flexibility like refunds, chargebacks, etc.: Tokenization
  • PAN Data displayed: Encryption
  • Established security: Encryption
  • Centrally managed: Tokenization
  • Low cost per transaction: Tokenization

Types of Tokens

Tokens can’t be exactly classified. A common classification is single-use and multi-use. But there are also other classifications like reversible or irreversible, cryptographic or non-cryptographic, authenticable or non-authenticable and many other variations. In the context of payments, tokens are divided between High-value tokens (HVT) and Low-value tokens (LVT), which are also security tokens.

High-value tokens: They serve as fodder or surrogates for PANs in transactions. In order for them to function, they must look like an actual PAN. Multiple high-value tokens can map back to a single PAN and a single physical credit card. HVT are mostly used to complete payment transactions. High-value tokens can be bound to a specific device or devices so that anomalies between token usage, physical devices and even geographic locations can be flagged as fraudulent.

Low-value tokens: Also referred to as Security tokens, they also act as surrogates for actual PANs in transactions, but their purpose is different. Low-value tokens can’t be used alone to complete a transaction, and in order for a low-value token to function, it must be possible to match it back to the actual PAN it represents. Using tokens to protect PANs becomes ineffectual if a tokenization system is breached.

Tokenization of Things

In the future, we will see the tokenization of many industries. Cryptocurrencies destroyed the barriers, opened the world towards alternative and digital economies and showed that the Internet is the new middleman for almost everything. It won’t be long before you will be able to tokenize your real estate, your intellectual property or even your fan base. Notary jobs will be a thing of the past, as the new tokenized properties won’t need a Notary middleman, because the whole ecosystem will reach a consensus that you are the owner.

Potentially, anyone with a big enough community around them can create a new digital economy of tokens, which will be used to incentivize and develop the ecosystem. The opportunities are real and I am sure that Tokenization will play a big role in the economy of the future. Token use cases are so numerous that it will be interesting to see which technology giant will take the most advantage of this industry.
