Understanding the Differences of Tokenization vs. Encryption
The use of the term Tokenization has created a lot of stir in the market. In the fintech industry, it is one of the trending terms that gets exploited as an attention-getter. As a digital security industry, we may welcome the popularity of tokenization because we all love attention, but at the same time we have created a problem: by overusing “tokenization”, we run the risk of making the word meaningless.
Tokenization, and therefore the comparison of tokenization with encryption, takes on different meanings depending upon the context. The most common definition of tokenization is “the process of substituting a sensitive data element with a non-sensitive equivalent, referred to as a token.” Tokenization is used to describe the chip used in amusement park rides, the data that is replaced when making a digital payment, and the partitioning of the rights to a loan in blockchain-supported smart contract technology. Because of these varied uses, saying “tokenization” creates problems for people within the very same company working in different regions, let alone for different industries that use tokens and tokenization in different ways.
When it comes to enterprise software, tokenization and encryption are complementary security measures. To shed some light on enterprise tokenization usage, we will explain how it is helpful for the digital payment and credit or debit card industries.
(excerpt from medium.com/coinmonks)
Tokenization on Blockchain has been growing steadily since 2017. It seems that everything is being tokenized on Blockchain, from paintings and diamonds to company stocks and real estate.
Imagine that you have some property — say an apartment. You need cash quickly. The apartment is valued at $150,000, but you just need $10,000. Can you get this cash quickly and easily? To my best knowledge, this is next to impossible.
Consider tokenization. Tokenization is a method that converts rights to an asset into a digital token. Suppose there is a $200,000 apartment. Tokenization can transform this apartment into 200,000 tokens (in this example the token value is arbitrary). Thus, each token represents a 0.0005% share of the underlying asset. Finally, we issue the token on some sort of platform supporting smart contracts, such as Ethereum, so that the tokens can be freely bought and sold through different exchanges. When you buy one token, you actually buy 0.0005% of the ownership in the asset. Buy 100,000 tokens and you own 50% of the asset. Buy all 200,000 tokens and you are the 100% owner of the asset. Obviously, without the proper transaction paperwork (like REPC) you are not a legal owner of the property, but you now have the financial rights to that asset.
Blockchain is a public ledger that is immutable; it ensures that once you buy tokens, nobody can “erase” your ownership, even if it is not acknowledged by governing bodies or contractual agreements.
The main problem with token exchange is that no country has a solid regulation for cryptocurrency. For example, what happens if a company that handles tokenization sells the property? Token owners just own tokens. They have no legal rights on the property and thus are not protected by the law. Therefore, legal changes are needed to accommodate these new business models.
EMVCo is concerned with facilitating the interoperability and acceptance of secure payment transactions, specifically at the point of sale where credit or debit card chips are used. This use of tokenization is where Sequent specializes.
For the payment card industry, EMV defines tokenization as:
“The process by which the primary account number (PAN) is replaced with a surrogate value called a token. De-tokenization is the reverse process of redeeming a token for its associated PAN value.”
This means that the PAN value is replaced by a number that looks, feels, and performs like the original PAN, but is completely valueless when used outside of the scope for which the token was originally designed. The token possesses certain attributes decided at its inception, which determine if and when the token can be used going forward.
In chip card markets, where issued cards carry many attributes other than the PAN, the token is the PAN surrogate. In markets where the chip is not prevalent and card payments are still based on magstripe-type credentials, a token may imply a full-fledged chip card credential that has been adapted to work with a limited-use PAN replacement. The token attributes may be part of the token as well.
For this reason, when Sequent enters into discussions with a customer, we first work to understand their language and adapt to the language they use in their payment protocol.
On the other hand, the payment industry is also ruled by other governing bodies, like PCI, that define how payment data is stored and managed and promote storing tokens instead of PANs as a wise alternative, reducing the amount of cardholder data transferred outside of firewalls. This protects Card Not Present transactions, also known as Card-on-File transactions. CNP transactions have increased dramatically over the last few years with e-commerce and subscription-based businesses, contactless payments, and other mobile wallet payment approaches. CNP transactions require businesses to store and manage payment card numbers to identify and reference customers, transactions, payments, and chargebacks.
Before the availability of Tokenization, merchants obscured card data using encryption.
TOKENIZATION VS. ENCRYPTION
Many ask, “How does encryption compare to tokenization?” This is a very legitimate question, since both approaches can protect against data breaches.
Encryption obfuscates sensitive information. Tokenization removes it entirely from the system by moving it to another location.
Comparing the definitions helps in understanding the benefits of both.
For starters, encryption conceals sensitive information, hiding it from “public” scrutiny. The strength of the encryption is based on the algorithm it uses to secure the data – a more complex algorithm will create stronger encryption that is more difficult to decode.
Data warehouses that only encrypt data are frequently targeted by cybercriminals who want to break the algorithm (assuming they can) and know that there is a large amount of data to be had once it is accessed and decoded. They understand that the payout is big, and hence the large retail and FinServ data breaches have been due to encryption vulnerabilities, among other credential accessibility problems.
TOKENIZATION SECURES DIGITAL DATA
Tokenization removes the encryption risk in two ways:
- The card data never resides at the merchant processing center. Systems that used card numbers to identify customers now use a new value that appears to be card data but is not. This eliminates the risk of exposure, since the stored values are not real card numbers.
- Since the card data now lives in a new entity, such as a token vault, businesses can simplify their systems, reducing the PCI DSS certification components and associated costs. Tokens can be managed in-house or by third-party service providers, shifting the target of cyber attacks away from merchant systems.
Token vaults only allow access to the token functions to registered Token Requestors, and determine which token types and tokenization services each requestor is permitted to use. Access is restricted, and the services within that access are predefined. The token vault needs to be protected from attacks by all means available, both physical and logical.
Tokens are not purely mathematically derived but randomly generated, and this adds a new security layer. Token vaults can create new card data (tokens) in an irreversible or reversible manner, so to tokenize and de-tokenize card data they can apply either a mathematical algorithm or a lookup table in a database. Properly done, tokenization should not use a mathematical process to transform sensitive information into a token: there is no key or algorithm that can be used to derive the original data from a token. Instead, tokenization uses a database that maps the relationship between the sensitive value and the token. The real data in the vault is then secured, often via encryption. Even if data is stolen from the vault, each record acquired should only be valid for one single payment card.
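As an added illustration (not Sequent's code or any EMVCo specification), the following Python sketches the vault model described in the two paragraphs above: registered Token Requestors with predefined permissions, random Luhn-valid tokens that cannot be derived from the PAN, and a lookup table as the only path back to the card number. The requestor names and the test PAN are constructed for the example.

```python
import secrets


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


class TokenVault:
    """Vault-style tokenizer: tokens are random, so only the vault's lookup table links them to a PAN."""

    def __init__(self):
        self._token_to_pan = {}  # the real PAN column; a production vault encrypts this at rest
        self._pan_to_token = {}  # one stable token per PAN, so customer references stay consistent
        self._requestors = {}    # registered Token Requestor -> operations it is permitted to call

    def register_requestor(self, requestor_id: str, operations) -> None:
        self._requestors[requestor_id] = set(operations)

    def authorized(self, requestor_id: str, operation: str) -> bool:
        return operation in self._requestors.get(requestor_id, set())

    def _require(self, requestor_id: str, operation: str) -> None:
        if not self.authorized(requestor_id, operation):
            raise PermissionError(f"{requestor_id} is not permitted to {operation}")

    def tokenize(self, requestor_id: str, pan: str) -> str:
        self._require(requestor_id, "tokenize")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Same length as the PAN and Luhn-valid so legacy checks accept it; never derived from the PAN.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 1))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, requestor_id: str, token: str) -> str:
        self._require(requestor_id, "detokenize")
        return self._token_to_pan[token]
```

A requestor registered only for "tokenize" (a merchant CRM, say) can reference customers by token but can never recover the PAN, which is the scope reduction the PCI discussion above relies on.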
MULTIPLE SECURITY MEASURES ARE THE SAFEST
In the end, there is no single solution that is going to reduce the risk to zero. A number of techniques must be used, each applied where it is most suited. Encryption only reduces the scope of risk if the solution is validated in the specific system for which it is audited.
The advent of tokenization is shifting the attack vectors to which we are all accustomed. The old saying goes that a system is only as strong as its weakest link, and that the effort to break a system must be greater than the gains from succeeding. Encryption, used to protect data in transit with point-to-point solutions, and tokenization, with a token vault to protect data at rest, work in harmony when used correctly. It is of the utmost importance to understand the system you want to protect as much as the solution being put in place to protect it.