Our Secure Payment Solutions partner, 3Delta Systems, is often asked “What’s the difference between encryption and tokenization – aren’t they the same? Which is better for safeguarding data and meeting PCI security compliance requirements? And how do we decide which is better?”
The short answer is they’re completely different technologies – and polar opposites when it comes to handling and securing sensitive data, such as credit card numbers.
The purpose of most encryption tools and techniques is to mask original data, then allow it to be decrypted. Encryption uses an algorithm to scramble credit card information, making the data unreadable to anyone without the proper key. The original card data, however, stays intact and often resides on a company’s internal networks – thus creating vulnerabilities.
Encryption is most often “end-to-end,” which means confidential credit card data is obfuscated at the point of entry (e.g., when someone enters card data into a web browser to buy an item) and decrypted when the purchaser’s authorized credit card information reaches its intended destination (e.g., a merchant’s e-commerce database).
Many companies have found tokenization to be cheaper, easier to use and more secure than end-to-end encryption.
Tokenization completely removes credit card data from a company’s internal networks and replaces it with a unique, generated placeholder, or “token” – much like emptying a warehouse so that a thief has nothing to steal. Merchants use only the token to retrieve, access, or maintain their customers’ credit card information. Meanwhile, their customers’ real card data is stored at a highly secure, offsite location.
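The contrast between the two approaches can be seen in a short Python sketch. This is an added example, not code from 3Delta Systems or Tribute: the `TokenVault` class, the `tok_` token format and the HMAC-based toy cipher (standing in for a real cipher such as AES-GCM) are assumptions made for illustration, and the card number is a standard test value.

```python
import hashlib
import hmac
import secrets

# --- Encryption: reversible by anyone who holds the key ---------------------
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-SHA256 counter keystream; a stand-in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt_pan(key: bytes, pan: str) -> bytes:
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(pan))
    return nonce + bytes(a ^ b for a, b in zip(pan.encode(), ks))

def decrypt_pan(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:12], blob[12:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

# --- Tokenization: the token is random; the mapping exists only in the vault
class TokenVault:
    """Stands in for the offsite provider; the merchant never holds _store."""
    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(16)  # no mathematical link to the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]  # KeyError for a token the vault never issued

def merchant_records(pan: str, key: bytes, vault: TokenVault) -> dict:
    # What lands in the merchant's own database under each approach.
    return {"encrypted": encrypt_pan(key, pan), "token": vault.tokenize(pan)}

SAMPLE_PAN = "4111111111111111"  # constructed input: a well-known test card number
```

The encrypted record can be turned back into the card number by whoever holds the key, while the token is a random value that only the vault can map to the card.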
Removing confidential customer credit card data from their internal networks is one of the biggest reasons why more companies are relying on tokenization. All merchants who accept, transmit, process, or store credit card data online, in a store, by phone, or by mail must certify each year that their IT security and processes comply with 12 rigorous Payment Card Industry Data Security Standard (PCI DSS) requirements.
Tribute, Inc. has partnered with 3Delta Systems to offer customers a secure payment processing solution and PCI compliance. To learn more about 3Delta Systems’ secure payment processing solutions, visit www.3dsi.com or check them out at our user’s group meeting, TribNet, in June.