Prime Factors Blog

Let's Talk Tokenization

Posted by Gwen Fremonti on Apr 18, 2017 10:00:00 AM


In our modern era of cyber-attacks and security breaches, the value of sensitive data detailing our financial transactions and personal lives is at a premium. From groceries to government, the threat of our potentially lucrative online existence being hijacked and sold to the highest bidder is foremost on the minds of both the public and digital security experts. And while it may sound counterintuitive, one of the safer data transfer processes could be one that attempts to render your valuable details completely worthless: tokenization. 

A marked shift toward tokenization has been underway since 2014, when EMVCo LLC implemented specifications via EMV (Europay, MasterCard, and Visa). EMVCo's members also include Discover and American Express, so this change in how sensitive data is delivered and processed is set to become America's standard. It's not just financial data: everything from your driver's license to your medical details and voting profile stands to benefit from being tokenized. So how does it work?

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

Tokenization Breaks Data Down and Scrambles It

Tokenization sees your data broken down, scrambled, and rearranged into a set of alphanumeric characters that are comprehensible only by you and the intended destination. In the instance of a credit card transaction, your financial institution won't have your actual details kept on-site. Those would be off-site and secure. Instead, your unique alphanumeric line (your token) is generated and used to complete the transaction in place of your real data. This new line usually includes the final four digits of your card number.

The token itself has no meaning; it merely represents your private details in a manner understood only by the desired endpoint. You might think of it like a chip from a casino: your big red chip may be worth $5,000 as long as you're in the building, but if someone should steal it from you and cross the threshold, it would be rendered worthless.

How Scrambling Improves Security

With your sensitive and personally identifying material no longer being stored on a company database thanks to the added level of security provided by off-site data storage, transferal by token presents a real headache for anyone trying to hack or intercept your data. Should any nefarious party succeed in doing so, they would find themselves in possession of a mixed-up series of numbers and letters with no way to translate what they represent or trace it back to you: the aforementioned big red casino chip.

Long-term, tokenization promises a reduction in hacking and data breaches, which means more peace of mind for both corporations and their customers. 

Though vaguely similar to an encryption process, tokenization differs in at least one important aspect. If a company or institution takes on a third party to handle the encryption of their sensitive data, the details are masked at point of entry and opened via a security key at the destination. Between points A and B, there is still the chance of data being intercepted by malicious parties. A greater risk factor is that encryption can involve an individual's actual details being stored internally by the receiving body. This loophole is one that tokenization seeks to close by maintaining identifiable data off-site at all times. At the same time, encryption offers additional important capabilities, including the ability to validate identity in online transactions (as a very specific key is required to unlock the data), and it can be used to safeguard unstructured data, such as long internal memos.

The Current State Of Tokenization

Due to the evolving nature of tokenization as a means of security, it's still a work in progress as far as meeting the exacting standards of the PCI DSS (Payment Card Industry Data Security Standard). Any entity which handles a client's confidential information must comply with its regulations, which many businesses find to be a very expensive proposition. But the key, convenient aspect of tokenization's off-site security makes conforming to basic PCI compliance a simpler matter, now that the standard has deemed it acceptable.

Get Up To Speed With Security Professionals

If you'd like to learn more about tokenization, encryption, and how both can be used to secure data, or about the PCI DSS, request a copy of our free white paper commenting on the PCI's Tokenization Guide. And if you'd like to discuss instituting a full-service encryption solution, contact Prime Factors to speak with a data security expert today.


Topics: Tokenization, encryption, PCI Data Encryption, encryption keys