Is credit card tokenization a better option than encryption?

Platform security expert Michael Cobb reviews alternatives to encryption that will help protect sensitive data.

Rather than encrypting sensitive data, is it better to keep it out of the database and replace the important information, like a credit card number, with a random token that then links back to a master database that will be used for particular transactions (tokenization)?

The concept of tokenization has been around for a long time. A simple example of tokenization is the case number in a criminal investigation. The case number itself is a token -- simply a piece of data that symbolizes or is used to reference another piece of data, which in this instance includes the details and notes about an investigation. A properly implemented token is not related in any way to the original data other than by reference.

Tokenization was developed initially by Shift4 Corp. and has been around since 2005. Although it can be used with any kind of sensitive data, such as medical information, it was developed specifically to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. Sensitive card and transaction data is stored in a separate, tightly controlled location, be it a different database, application or off-site data warehouse, and is referenced from everywhere else only by a unique identifier. On the basis that you can't steal what's not there, it looks to be an exciting development in digital data security.

There are implementation issues that need to be considered, though, and to answer your question, you still need encryption in my opinion. In order to replace any data with a token, you first need to process it: the card number has to be transmitted to the tokenization service, so the security of that step rests on the encryption of the communication channel. To avoid man-in-the-middle interception or similar attacks, use SSL/TLS with certificates on both the transmitting and receiving ends, so that each side authenticates the other. The central store in a tokenization product needs to be hardened and must encrypt the card data at rest as part of its defense in depth. It, and any company providing credit card tokenization services, certainly represents a single point of failure and an attractive target for hackers. Admittedly, recovering data from tokens would require detailed technical knowledge of the system as well as privileged access, but an insider with that access could certainly pose a significant threat.

Tokenization does make it more difficult for hackers to reach sensitive data and is becoming a popular means of bolstering the security of electronic transactions. The all-important card data isn't stored on the merchant's point-of-sale equipment, which takes that equipment out of most of the merchant's PCI DSS scope and makes compliance far easier. But if the token could be used like a credit card number, it probably wouldn't meet the standard; implementation is key. Also, banks have already spent a lot of money on alternative solutions, so they may not be willing to abandon them in favor of this relatively new approach. If it really proves its worth, tokenization may become a data-security standard. Being cynical, the major card brands may not be too keen on it, given that they generate revenues by charging data security fees to their merchant customers.
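The points above (a token unrelated to the card number, a vault that still encrypts at rest, detokenization limited to a privileged path, and a token that must not be usable as a card number) can be shown in a small token vault. The following is an added illustration written for this page; it is not code from the original article or from any vendor named in it. The sample PAN, the master key, the "settlement" role name and the decision to keep the last four digits in the token are assumptions, and the encrypt-then-MAC construction built from the standard library stands in for a vetted AEAD such as AES-GCM with keys held in an HSM.

```python
# Added illustration of a token vault; not code from the original article or
# from any vendor it names. Key names, role names and the sample PAN are assumptions.
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check used on payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode; stdlib-only stand-in for a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    """Derive separate encryption and MAC keys from the vault master key."""
    enc_key = hmac.new(master_key, b"vault-enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC for one vault record. Illustrative: a real vault would use a
    vetted AEAD (e.g. AES-GCM) with keys held in an HSM, not a hand-rolled mode."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any modified record."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class TokenVault:
    """Maps random tokens to PANs that are stored encrypted at rest."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._records = {}  # token -> sealed PAN

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        while True:
            # The token body is random, never derived from the PAN, so knowing the
            # token (or the token scheme) reveals nothing about the card number.
            # Keeping the last four digits for receipts is an assumed design choice.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # A token that happens to pass Luhn, or that is already issued, is thrown
            # away: a token must never be usable in place of a card number.
            if luhn_valid(token) or token in self._records:
                continue
            self._records[token] = seal(self._key, pan.encode())
            return token

    def raw_record(self, token: str) -> bytes:
        """What an attacker who dumps the vault's storage actually gets."""
        return self._records[token]

    def detokenize(self, token: str, caller_role: str) -> str:
        # Only the settlement path may recover a PAN; everything else works on tokens.
        if caller_role != "settlement":
            raise PermissionError("detokenization restricted to the settlement role")
        return open_sealed(self._key, self._records[token]).decode()


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    tok = vault.tokenize("4111111111111111")  # constructed test PAN, not a real card
    print("token:", tok, "passes Luhn:", luhn_valid(tok))
    print("settlement sees:", vault.detokenize(tok, "settlement"))
```

The two properties worth checking in any real product are the ones this sketch makes explicit: a dump of the vault's storage yields only sealed records, and a token handed to a merchant system fails the Luhn check, so it cannot be replayed as a card number even if it leaks.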

This was first published in September 2009
