Prime Factors Blog

Should I Consider Tokenization in My Business?

Posted by Pete Flagella on Sep 13, 2016 12:27:25 PM


The term tokenization is used in a variety of ways, which can make the concept confusing even for security professionals. Like everyone, you're probably used to working with a limited budget, and it may seem like you couldn't consider adding another expense into the mix. However, there are ways that you can actually save money using this method of protecting your information, and we'll tell you how to approach the decision.


To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

How is Tokenization Used?

Tokenization is a method of replacing data (e.g., a social security number) with a random set of data that references the original information and can be used to obtain the original data by authorized parties, but would be unreadable to a hacker. This method does not use math like encryption does, but rather it uses a token vault that houses the direct relationship between both pieces of information. Data can be stored and sent without fear that it will be lost in transit, and the original information never leaves the premises in its unmodified form. If the data is sent anywhere, it's sent in its tokenized form only. The token itself will refer back to the original information, meaning that an IT professional or authorized employee would access the system that controls the tokenization process in order to view the original data.

To utilize tokenization in your environment, look for software based on best security practices, allowing you to easily comply with protection regulations set by federal standards. Your tokenization system should be isolated from the data processing systems that hold the sensitive information, and it needs to be the only method of accessing the data itself. For example, you can’t have readable credit card information available elsewhere. Also, the token generation solution needs to be immune to a cyber attack, decryption analysis, or brute force.

Why Use It Over Encryption?

Encryption is highly recommended when you need to keep data safe, but tokenization has made strides recently and has successfully found a niche in both small and large businesses. Depending on your type of business, encryption may not make as much operational sense as tokenization. Though both methods actively work to keep information safe, encryption requires a lot more attention and management by both employees and IT managers. Encryption requires establishing proper key management processes and procedures, which can be difficult for companies to organize cost effectively. Encryption can sometimes require sacrificing speed and workflow performance, though there certainly are use cases where this is more than justified given the level of protection provided. That being said, tokenization provides a level of protection that may be sufficient for regulatory compliance and data protection, without impacting service delivery performance. In fact, many large organizations use both encryption and tokenization to secure data in order to finely balance security/privacy requirements and business requirements.

What Are The Caveats?

There's a reason that encryption is still preferred over tokenization for many use cases, and tokenization may not be an ideal solution for everyone. Overall, encryption is more secure because, when performed correctly, it can provide true end-to-end data protection. If you work with information the release of which could destroy your brand or compromise your competitive advantage, you may want to use encryption rather than tokenization to secure that data. Also, tokenization is less forgiving when it comes to how you organize your data. You'll need to be very specific about what you want to generate tokens for, and you must preserve the format of the information if there is to be no loss of security.

In short, tokenization works well if your customers or clients use the same process for practically everything, and where all of your business activities are consistent, predictable, and entirely structured. Tokenization will be extremely problematic if you need to transmit data as-is to a third-party affiliate. Generally, companies that deal with almost entirely sensitive and potentially unstructured data, such as pharmaceutical companies, financial services, or health care organizations, use encryption. If you are in those fields, you may want to look into either using only encryption or some combination of encryption and tokenization.
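To make the vault model from "How is Tokenization Used?" and the format-preservation point above concrete, here is an added example (not Prime Factors' code or product) of a minimal token vault: tokens are drawn from a CSPRNG with the same shape as the input, nothing about them is computed from the original value, and only the vault, gated by an assumed list of authorized principals, can map a token back. The card number, principal names and `TokenVault` class are constructed for illustration.

```python
import secrets
import string

# Constructed example of vault-based tokenization; a real vault runs as an
# isolated, access-controlled service rather than an in-process dictionary.

def shape(value: str) -> str:
    """Describe a string's format: 9 for digits, A/a for letters, separators kept."""
    return "".join(
        "9" if c.isdigit() else "A" if c.isupper() else "a" if c.islower() else c
        for c in value
    )

def random_token_like(value: str) -> str:
    """Draw a token with the same shape as value from a CSPRNG, character by
    character. No key or cipher is involved, so there is nothing to brute-force
    or analyse: the vault mapping is the only link between token and original."""
    out = []
    for c in value:
        if c.isdigit():
            out.append(secrets.choice(string.digits))
        elif c.isupper():
            out.append(secrets.choice(string.ascii_uppercase))
        elif c.islower():
            out.append(secrets.choice(string.ascii_lowercase))
        else:
            out.append(c)  # spaces, dashes and other separators are preserved
    return "".join(out)

class TokenVault:
    """The token vault: the only place where token and original are associated."""
    def __init__(self, authorized):
        self._token_to_value = {}
        self._value_to_token = {}
        self._authorized = set(authorized)  # principals allowed to detokenize

    def tokenize(self, value: str) -> str:
        # Same input, same token: downstream systems can still match records.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = random_token_like(value)
        # Retry on the rare collision with an issued token or with the value itself.
        while token in self._token_to_value or token == value:
            token = random_token_like(value)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def lookup(self, token: str, principal: str):
        """Return the original for an authorized principal; None if the caller is
        not authorized or the token was never issued by this vault."""
        if principal not in self._authorized:
            return None
        return self._token_to_value.get(token)
```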

Can I Do Both?

As noted, you can certainly use both encryption and tokenization and still meet compliance requirements. This may mean using tokenization to handle less critical data and encryption for top-secret pieces of information. If your company deals in highly routine transactions, meaning there are few pieces of information that would fall into a miscellaneous category, then you can rely more on tokenization. For example, when Qatar National Bank was hacked, they not only lost financial information to hackers but also information about the royal family and even classified government information. Their approach should have included a combination of advanced, full-scale encryption covering their most precious information, as well as less secure, but faster, tokenization where warranted. This doesn't mean that tokenization is not effective, and for many small and medium businesses, or specific business units in larger enterprises, tokenization could well be the answer to your data protection and business needs.

How Can Tokenization Benefit My Business?

Data is everywhere, and companies can face serious challenges when it comes to keeping it all safe, whether they use encryption or not. IT departments may not understand the best ways to go about securing data, potentially introducing ideas that are too technical for people to follow or out of proportion to business realities. Key management and digital certificates have proven to require an investment in time and energy that you may not have. Though there are ways to make key management easier, if there are not enough resources for it in your organization, you might make the mistake of skimping on important tools and techniques to save yourself time and money.

But, just like skimping on insurance coverage and then having your house catch fire, a data security breach can make company owners wish they had spent the money to mitigate the risk when they had the chance. And let there be no mistake: losing control of your data can land you in extremely hot financial waters.

Tokenization is a simple solution that puts a big wall between you and hackers or user error. If your auditing process is normally a nightmare, tokenization means less time gathering information and proof to ensure you aren't fined or otherwise hindered in your operation. Unless you are specifically required to utilize encryption, tokenization complies with the HITECH Act as well as the measures laid out for PCI DSS compliance in terms of your financial data.

Do I Have to Do It?

For a company to keep its data safe, there are a variety of approaches it might consider. However, government regulations are built so that those who skip a few steps in the process can face real consequences if caught. Once, companies could use traditional swipe technology to process credit card transactions, even though it's notoriously easy for hackers to lift information off a stripe and use it for their own gain. Before October of 2015, businesses would not be held liable for those charges, nor would they necessarily even be connected with the breach itself. Now, regulations stipulate that companies may be liable for fraudulent card activity if they aren't using the new EMV chip technology, which uses a more sophisticated system to run a standard credit card.

Companies that keep sensitive personal health information (PHI) are now subject to million-dollar fines if they're seen as failing to care for their patients' data. The HITECH Act specifically states that the theft of encrypted data does not fall under its definition of "security breach," meaning that a company wouldn't be subjected to fines. Your business has its own set of rules, and you should know them inside and out. Generally, though, you should be following the principle of doing everything you reasonably can to protect data from falling into the wrong hands. When done correctly, tokenization is an accepted way to fulfill your obligations and keep your customers out of harm's way.

Can't I Just Use Anti-Malware?

Anti-malware is helpful insofar as it can ward off lazy hackers, but these types of solutions simply haven't been working for businesses. Enough businesses have been caught unaware while using unsophisticated and insufficient security methods that the federal government has had to get involved when it comes to enforcing the security and privacy of citizens' information. Also, anti-malware can lead to a false sense of security, since most hacks are caused by employee error. Tokenization can take some of the pressure off employees and put control in the hands of a few trusted people. Large conglomerates may get all the negative news coverage in terms of the breaches they have suffered, but smaller businesses face as much, if not more, danger, largely because it's easier to hack into their systems due to a lack of enforced security, a fact criminal hackers know well.

Can Tokenization Disrupt My Business?

The short answer is no. If you're using tokenization to secure your financial information, your payment process will essentially run as it always has. With the right provider, implementing tokenization is quick and painless. For example, adding tokenization to your payment process lets you accept credit card payments in person, online, or over the phone as you always have, as well as void transactions or issue credits or refunds. Behind the scenes, your sensitive information is replaced with tokens, protecting the real information from access by the wrong people.


Topics: Enterprise Data Protection, encryption