All businesses, large or small, will collect, receive, store, and/or distribute data in some form. Wherever data is being handled, then organizations have a responsibility to keep the data secure.
There are many different ways in which this can be achieved, with tokenization and encryption being two of the most prominent examples.
We’re going to take a look at what each method involves, its advantages and disadvantages, and try to determine whether one method is significantly better than the other.
What is Tokenization?
You may recognize the term tokenization if your company offers chatbot support, although we’re not talking about the process in natural language processing here. In some ways, however, the principle is the same; both instances of tokenization involve taking information and changing how it is represented.
The type of tokenization we’re concerned with here is a branch of cryptography, the term which originates from the Payment Card Industry Data Security Standard (PCI DSS). In simple terms, tokenization involves taking a meaningful piece of data, and turning it into a string of random characters.
This string of characters is the token. Tokens are randomly pulled from a database known as a token vault to substitute the sensitive data. The token has no value of its own, acting only as a substitute for the data.
In the event of a data breach, there is no way to use the token to access the original data, keeping it secure. This is because tokenization doesn’t use a cryptographic method to transform sensitive business data, so there is no mathematical relationship between the token and the data it is protecting.
Tokenization uses the token vault database to store the relationship between the token and the original information. This means that even if a data breach occurs, there’s no way to reverse an algorithm to access the sensitive data the token is hiding, as would be the case with data that had been encrypted.
Tokens can be represented in a variety of ways. In some instances, tokens may incorporate characters from the information they are protecting to be more user-friendly. For example, a credit card number that has been tokenized for security may display as ‘************5678’, whereby the last four digits are of the actual card number.
The credit card number has been tokenized, so there is no way to access it, and the merchant only has access to the token. But by keeping the last four digits intact, a customer purchasing something online can identify which card or bank account they have used to make the purchase, without giving away any sensitive information.
Uses of Tokenization
Tokenization has a variety of applications. As mentioned above, tokenization is often used in eCommerce in order to protect the payment details of customers shopping online. Because the payment details have been replaced with a token, it’s impossible for the merchant to view the sensitive information.
When the card payment is to be processed, the token is submitted to the vault, and the real data that corresponds to the token is fetched for the authorization process. This process happens virtually instantaneously, performed automatically by the browser or application.
It's not just payment details that can be secured with tokenization. It can be used to hide all kinds of sensitive information, allowing it to only be accessed by the relevant parties with permission. Email addresses, telephone numbers, social security numbers; pretty much any kind of information you may have stored in your CX platform, can all be effectively protected through tokenization.
Advantages of Tokenization
The obvious advantage of tokenization is that it protects sensitive information in the event of a data breach. This is a major advantage of tokenization, giving the rising prominence of data breaches.
Tokenization doesn’t just benefit consumers by providing improved security, however. Businesses also benefit by having the in-house responsibility of securing sensitive data reduced. Any organization that collects sensitive information has a responsibility to protect that information.
Because tokenization uses a third-party database to securely store data, there is a reduced burden on businesses to supply the staff and resources to manage it. Storing tokens instead of vulnerable data simplifies the software and the procedures needed to remain compliant with data protection laws.
Disadvantages of Tokenization
There can be disadvantages to using tokenization as well as advantages. Firstly, tokenization adds complexity to your IT infrastructure. To ensure that the customer’s details remain secure they must go through detokenization and retokenization systems while being authorized.
However, it is worth keeping in mind that any complexity added by the security measures employed is a small price to pay to keep your customer’s data safe and maintain compliance.
Tokenization may not be supported by all payment processors, so you may need to investigate whether your preferred partners are compatible. It’s also worth remembering to investigate the security and reliability of the vendors that will be storing your data for you.
Storing data offsite will simplify procedures for your business, but it does mean you’re relying on third parties to keep your customer’s valuable data secure.
What is Encryption?
Encryption is another popular method of data protection and can be used to protect everything from an affiliate API to cloud storage. Unlike tokenization, it involves transforming existing data to keep it secure. Encryption uses algorithms to change plain text information into unreadable ciphertext.
For the information to be decrypted and made readable again, the data receiver requires an algorithm and a decryption key. This ensures that only the intended recipients of the information can access it.
File-based encryption (FBE) or full disk encryption (FDE) can be used. The former requires a separate encryption key for each piece of information to be accessed, and the latter allows a whole database to be viewed with one encryption key.
Symmetric and Asymmetric Encryption
There are two main approaches to encryption, symmetric key encryption and asymmetric key encryption.
- Symmetric key encryption uses a single key to encrypt and decrypt the information. This type of encryption is often simpler to set up, but it means that if the key is compromised, then all the data that it was used to secure becomes vulnerable.
- Asymmetric key encryption, or public-key encryption, uses two distinct keys, one for encryption and one for decryption. The public key can only be used to encrypt the data, and a second, private key is used to decrypt it. This reduces the number of parties responsible for the decryption key, therefore minimizing the risk of it becoming compromised.
Uses of Encryption
Encryption is one of the most commonly used methods for securing data, and as such is used in a wide variety of ways. Businesses use encryption to protect payment card information and cardholder data. It can also be used to protect personally identifiable information and non-public personal information.
Information transmitted on the internet is often protected using Secure Sockets Layer (SSL) encryption. Websites that boast SSL certificates have been verified as genuine, and therefore an SSL certificate is often used as a quick indicator of whether a website or eCommerce store is trustworthy, making it essential if you want to generate sales and boost customer retention.
Many computer operating systems and smartphone operating systems feature built-in encryption capabilities to protect personal information, to the point that many users perhaps don't even realize that they’re using encryption tools. Many types of third-party encryption software and apps are also available.
Advantages of Encryption
Encryption can be used to protect a wide range of types of information. Alongside personal information and financial details, encryption can also be used to protect unstructured data such as emails or files.
This means that large pieces of information can be easily protected with encryption, whereas tokenization is only really used for smaller pieces of data such as credit card numbers. If you’ve recently increased your customer base thanks to a new marketing campaign, you may well opt for encryption as a way to keep the plethora of new customer details safe.
Decryption keys are easily shared with others without creating security vulnerabilities, meaning that sharing information securely or accessing files remotely is easier with encryption than with tokenization.
Encryption can also be carried out very quickly. Large amounts of information can be secured in a relatively short amount of time, in contrast to tokenization, where each character of the data being secured is being changed.
Disadvantages of Encryption
Unfortunately, there are also disadvantages to using encryption. All a hacker needs to access the protected information is a key, so if they obtain access to it through nefarious means, then they have access to all the data encrypted with it. This is in contrast to tokenization, where each value is protected with a separate, randomized token.
There may also be some issues regarding software functionality due to encryption. The ciphertext used in encryption may not be supported by some software tools, so research may need to be carried out to ensure compatibility before selecting encryption software.
Finally, encryption often works best when used in conjunction with added layers of security, such as multi-factor encryption. Think of it as multiple layers of security working together to form a stronger whole, akin to a feature such as a sentiment analysis tool working to create a better chatbot experience. Adding extra layers of security may result in the encryption process becoming more costly and time-consuming than you originally planned.
Tokenization vs. Encryption
There are several key factors that you should consider when deciding whether encryption or tokenization is the correct choice for your business.
The kinds of security risks you may face will depend on which sector you’re operating in. A 2020 report found that the vast majority of details obtained in retail industry breaches were either personal details or payment details.
If you’re running an eCommerce store, you’ll be looking for a way to keep your customer’s payment details secure, just as you’ll be looking for ways to improve your inventory control or improve your sales enablement metrics. Tokenization provides an efficient and reliable way to do this.
If you’re operating in the healthcare sector and need to secure a large number of files or databases containing patient records, then encryption is probably a faster and more efficient method.
The types of security risks you may face will also play a part in which method you choose to protect your data. Tokenization is much harder to reverse than data encryption, which is easily reversed by design, as long as you have the decryption key.
Because tokens do not contain any of the original data, they are effectively useless to any outside parties who may manage to obtain them through hacking or other nefarious means. If your industry is one that is prone to hacks or other cyberattacks, then tokenization may well provide more effective protection.
If your business employs a lot of remote workers domestically, or even globally, then it is likely that they will have to share information in the cloud or through other remote methods. This is another factor to take into account when considering methods of protection.
Compliance is another factor to consider. Because encryption can be reversed, the PCI DSS considers it to be insecure, meaning that other methods of customer data protection must be used alongside it in order to be compliant with regulations. These other methods may result in additional costs to your business that you had not originally budgeted for.
Tokenization, on the other hand, is deemed to be compliant. This means that no other steps need to be taken in order to achieve compliance. This can reduce costs, and means that in the event that your environment does become compromised, you will not need to worry about fines or other repercussions.
Encryption is much easier to use at scale than tokenization. If your organization needs to encrypt large amounts of varied information, encryption can offer a more versatile method of protection.
Tokenization suffers from scalability issues, as increasing the number of tokens used increases the risk of collisions occurring. A collision occurs when attempting to assign the same token to two pieces of data.
The process must then be restarted to assign a new token that doesn’t already exist. The more information you have been tokenizing, the more chance there is that a token will be duplicated, which slows down the whole process.
Which is Best for Your Business?
Unfortunately, there’s no easy way to answer this question. In fact, the most likely answer is both.
Tokenization and encryption both offer surprisingly different pros and cons to safeguard your sensitive information. Tokenization provides security that is harder to undo but is unwieldy and inefficient at scale.
Encryption, on the other hand, is more easily reversed, but is much better suited to protecting large amounts of data, and makes sharing that information much easier.
You will have to carefully analyze the needs of your business to determine which method works best for you in different situations. What’s clear, however, is that both methods hold value in keeping your organization’s and your client's information safe.