The Rippleshot Data Breach Blog

Encryption vs Tokenization: What's the Difference?

Written by Marci McCalmon | Feb 24, 2016 7:16:36 PM

For thousands of years, humans have created secret codes to protect important information from others. Throughout history, military secrets, formulas for making goods like silk, and personal information have been disguised so that unintended recipients could not read the message. There are two main ways to communicate information in secret: tokenization and encryption. The terms tokenization and encryption are often used interchangeably, yet they have very specific definitions. Let’s dig deeper into the differences between the two.

Encryption

Encryption uses a cipher and a key to turn the information being transmitted into ciphertext. The Germans used an Enigma machine, as featured in the 2014 movie “The Imitation Game”, to send encrypted messages for military gain. This particular type of encryption was letter substitution. The letter substitution was incredibly complex and could only be translated by the Enigma machine. Only the intended party, or a party that has figured out the cipher, like the English did in 1939, can read the encrypted data because they have the key to the cipher.

In recent years, encryption has become the method of choice for protecting our data over the internet. For example, the SSL certificate seen on most e-commerce sites gives consumers an understanding of the level of encryption our credit card information will receive as it is transmitted over the web. In other words, when we buy something over the internet, the e-commerce website encrypts our credit card information so it is more difficult for hackers to steal our credit card number when it is transmitted online. SSL is not a perfect solution, but it is one of the most broadly used and trusted forms of encryption used today.

Tokenization

Tokenization, on the other hand, doesn’t use a cipher or a key. Tokenization substitutes the sensitive elements in a data set with a token that means nothing at all. That token is then used for whatever needs to be done with that data. Once it is back in its secure location, the token is put back into the tokenization system to reverse it to its original form. As a very basic, yet prevalent example, think about a casino chip. That is a tokenized version of currency. You buy the chip using currency, and as a token it has no value anywhere other than at the casino. Once you are ready to cash out, the chip is converted back into currency.

Tokenization is often used to mask payment card numbers and bank account numbers. In this example, the payment processor or financial institution creates a randomly generated set of numbers for each account, and only they have the ability to reverse the tokenization process within their secure vault.
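The vault flow described above, as an added example in Python that is not part of the original post or any processor's real system. The `TokenVault` class, the `spend_by_account` helper and the sample card numbers are assumptions made for illustration; the sketch keeps the vault in memory and shows that the token is random, stable per account, usable for analysis on its own, and reversible only by the vault that issued it.

```python
import secrets
from collections import defaultdict


class TokenVault:
    """In-memory stand-in for a processor's token vault (hypothetical)."""

    def __init__(self):
        self._pan_to_token = {}  # lets the same account always get the same token
        self._token_to_pan = {}  # the only way back to the real number

    def tokenize(self, pan: str) -> str:
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits from the OS CSPRNG: no key, no cipher. Nothing
            # about the token is derived from the PAN except its length.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for any value this vault never issued.
        return self._token_to_pan[token]


def spend_by_account(transactions):
    """Analytics that runs on tokens only; it never sees a PAN."""
    totals = defaultdict(int)
    for token, cents in transactions:
        totals[token] += cents
    return dict(totals)


# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE = [("4111111111111111", 1250), ("5555555555554444", 400),
          ("4111111111111111", 9900)]

if __name__ == "__main__":
    vault = TokenVault()
    # Only this tokenized feed would leave the secure environment.
    feed = [(vault.tokenize(pan), cents) for pan, cents in SAMPLE]
    for token, total in spend_by_account(feed).items():
        print(token, total, "->", vault.detokenize(token))
```

Unlike ciphertext, a stolen token cannot be reversed by recovering a key, because the only link to the account number is the lookup table held inside the vault.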

As technology improves, hackers also become more sophisticated in their methods for breaking ciphers and intercepting sensitive information. It is critical that financial institutions continue to evolve their preventative measures to protect private consumer information.

At Rippleshot, we do not carry any personally identifiable information (PII) or primary account numbers (PANs) on the payment transactions we monitor and analyze. To do this, we use tokenized data. We have found this to be the most secure way for our partners to provide us with valuable information without putting them or their customers at risk.
