PCI DSS does not forbid storing card numbers outright, but it does forbid storing sensitive authentication data (the CVV/CVC, full magnetic-stripe or chip data, and PINs) after authorization, and it requires that any stored primary account number (PAN) be rendered unreadable, whether it sits in a POS terminal or in a database. The accepted ways to do that are strong encryption, truncation, one-way hashing, or replacing the PAN with an index token that points into a vault. A company that wishes to process card transactions therefore either deploys an encryption system of its own or outsources payment processing to a service provider that tokenizes the card data, so that the PAN never has to live on the merchant's systems at all.
What is the difference between encryption and tokenization?
Encryption has been around for years and has long been used by militaries and governments to protect sensitive data. In card processing, encryption transforms the PAN with a cipher and a secret key. The result is ciphertext: a block of binary data (or its base64 or hex encoding) that is usually longer than the original number, because the nonce and authentication tag are stored alongside it, and that no longer looks like a card number at all. In the encryption model this ciphertext is stored in the merchant's own database. Restoring the PAN means decrypting with the key; the cipher itself is public, so the key, and whatever system holds it, is what must stay secret.
Tokenization is a newer technique. In card processing, the PAN is replaced with a "token" that the tokenization service generates at random and that can be made to mirror the format of the original data: the same length, digits only, often with the last four digits preserved so that receipts and customer-service screens can still show "****1111". The token has no mathematical relationship to the PAN, so nothing about the card can be computed from it. Tokenization does require a gateway or vault operated by the payment provider, which keeps the mapping from token to PAN and stores the PAN encrypted there. The merchant's own systems hold only tokens, and that is where the added security comes from.
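The two models side by side, as an added example in Go that is not part of the original article and not the code of any payment provider. It assumes AES-256-GCM for the encryption model, a vault held in memory inside the same process in place of a real gateway, and tokens built from CSPRNG digits with the last four digits of the PAN kept. The card number used at the bottom is the well-known Visa test number, not a real card, and the vault key is generated on the spot; a real gateway would hold it in an HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// gcmFor builds an AES-GCM AEAD; the key (16, 24 or 32 bytes) is the only secret.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPAN returns nonce||ciphertext||tag: binary, longer than the PAN, and what the
// "encryption" approach keeps in the merchant's own database.
func encryptPAN(key []byte, pan string) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(pan), nil), nil
}

// decryptPAN reverses encryptPAN. Knowing the algorithm is not enough: a wrong key or
// a modified blob fails the GCM authentication check instead of yielding a PAN.
func decryptPAN(key, blob []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return "", errors.New("bad key or ciphertext")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// randomDigits draws n decimal digits from the OS CSPRNG; no PAN bits feed in.
func randomDigits(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		r, err := rand.Int(rand.Reader, big.NewInt(10))
		if err != nil {
			return "", err
		}
		out[i] = byte('0' + r.Int64())
	}
	return string(out), nil
}

// Vault stands in for the tokenization gateway: the only place PANs exist, encrypted
// and indexed by token. The merchant holds neither the key nor the vault.
type Vault struct {
	key   []byte
	store map[string][]byte // token -> encryptPAN output
}

// Tokenize returns a digits-only token as long as the PAN, keeping the last four so
// receipts can show "****1111". The token is random, not derived from the PAN.
func (v *Vault) Tokenize(pan string) (string, error) {
	if len(pan) < 12 || len(pan) > 19 {
		return "", errors.New("PAN must be 12 to 19 digits")
	}
	blob, err := encryptPAN(v.key, pan)
	if err != nil {
		return "", err
	}
	for { // retry on the vanishingly rare collision with an existing token
		prefix, err := randomDigits(len(pan) - 4)
		if err != nil {
			return "", err
		}
		if token := prefix + pan[len(pan)-4:]; v.store[token] == nil && token != pan {
			v.store[token] = blob
			return token, nil
		}
	}
}

// Detokenize runs only inside the gateway at payment time, never on merchant systems.
func (v *Vault) Detokenize(token string) (string, error) {
	if blob, ok := v.store[token]; ok {
		return decryptPAN(v.key, blob)
	}
	return "", errors.New("unknown token")
}

func main() {
	key := make([]byte, 32) // a real gateway keeps this in an HSM or KMS
	rand.Read(key)
	v := &Vault{key: key, store: map[string][]byte{}}
	token, _ := v.Tokenize("4111111111111111") // constructed test PAN, not a real card
	pan, _ := v.Detokenize(token)
	fmt.Printf("merchant stores %s; gateway recovers %s\n", token, pan)
}
```

Two things to notice when running it: the ciphertext from `encryptPAN` is 44 bytes for a 16-digit PAN (12-byte nonce, 16 bytes of ciphertext, 16-byte tag) and is unusable in any field that expects a card number, whereas the token drops straight into a column typed for PANs. And tokenizing the same card twice gives two unrelated tokens, because nothing in the token depends on the card; the only path back is the vault lookup followed by a decryption that fails closed on a wrong key or a tampered record.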
Which method is better?
With tokenization, the real card number is needed only when a payment is actually processed. The rest of the time the token is what your servers store and pass around for refunds, recurring billing, reporting and other internal processes, and a database full of tokens is of no use to a thief who wants card numbers. The only time a token is converted back to a PAN is to complete a transaction, and that happens on the provider's systems, not yours. This removes most of the card-data risk from your business; what remains is making sure a stolen token cannot be replayed to charge that card through your own merchant account, which is an access-control problem rather than a cryptographic one.
The encryption model is easier to attack, though not for the reason often given. First, because the encrypted data lives in your own database, any breach is your organization's responsibility to detect, report and remediate. Second, the algorithm is not the secret: AES is public, and no attacker needs to "figure it out" and reverse it. What an attacker needs is the key, and in an in-house deployment the key, the key-management service and the application that decrypts on every lookup all sit in the same environment as the ciphertext. Compromise any one of them and every stored PAN is recoverable, so the merchant carries the full burden of key management, rotation and access control that PCI DSS demands.
In conclusion, when it comes to credit card processing, tokenization is the better choice. For starters, keeping PANs out of your environment shrinks the cardholder data environment, so far fewer of your systems are in scope for a PCI DSS assessment. On top of that, a token generated at random is just a placeholder unrelated to the original data; there is nothing in it to crack, and the only way from token to PAN is through the provider's vault. Choosing encryption, on the other hand, means operating the ciphers, keys and access controls yourself, with the possibility that sensitive data could be compromised if any of them fails.
For a secure