Tokenization Or Encryption? Making The Right Choice For Your Customers

Tokenization has been lauded as a superior way to address online fraud, one that could enable future innovators to bring unparalleled security to the payments ecosystem. Still, despite its promise, confusion about tokenization remains. To bring clarity to this conversation, we spoke with Alex Pezold, CEO of TokenEx, in an exclusive interview that answers common questions, and looks forward to forecast the changes a tokenization standard will bring.

American Express, MasterCard and Visa turned heads on October 2 when they teamed up to announce support for a new global tokenization standard, and to some observers, the development was worth a few hearty hoorays.

The news was seen as a validation of the success tokenization has brought to enterprise-level and small businesses that have embraced tokenization as a way to rid themselves of the risk, cost and compliance burden that had been inherent in other security options. Further, it demonstrated a willingness by major networks to address fraud, embrace the cloud and turn away from hardware solutions.

Still, as even those excelling in the space acknowledge, tokenization can be a confusing subject, and the differences between tokenization and encryption may be, due to the efforts of industry players, purposely unclear.

Alex Pezold, CEO and co-founder of TokenEx, has seen the industry evolve firsthand during his three-year tenure as the head of the Oklahoma-based company. And it is this vantage point that has given Pezold, and TokenEx, unique insight into how tokenization is working on both a macro and micro scale.

“It has been interesting to watch from the sidelines over the course of time as the PCI Security Standards Council has finally adopted and endorsed tokenization as a solution for reducing risk and compliance obligations for merchants and service providers alike,” Pezold told PYMNTS.com.

For more on tokenization and what those in the payments space should know about its capabilities, PYMNTS.com spoke with Pezold in an exclusive interview.

PYMNTS.com: Alex, our audience might already be familiar with TokenEx, but you are undeniably in a unique position to describe the company you run. To start us off, please give us the elevator pitch. What is TokenEx?

Alex Pezold: TokenEx is a data security platform that offers flexibility in how its customers secure and access their sensitive data. By offering multiple payment acceptance channels (such as eCommerce and store front), customizable token generation and the ability to work with almost any processor or gateway, TokenEx enables its customers to focus on doing business while displacing the risk and compliance burdens commonly associated with handling sensitive data.

Independent of our data security platform, TokenEx brings a considerable mindshare to the table when it comes to data security, system integration and PCI Compliance. The company was founded by two data security experts who are both former PCI Qualified Security Assessors, and the company has the ability to solve the complex problem of integrating tokenization solutions into customer environments.

Tokenization is a popular topic in the payments space today, but one that I think confuses a lot of people. Since you are an expert in this space, please help us understand some of the differences and similarities between tokenization and encryption?

Tokenization and encryption are two fundamentally different technologies – something some people in the industry don’t want customers to understand.

Tokenization is a technology that creates an index, or token, to a specific piece of data such as a credit card number. The original data value – in this case the card number – is pushed through a mathematically irreversible process that produces a “token.” “Mathematically irreversible” is a fancy way of saying that there is no relationship between the token and the original data – it’s impossible to get back to the original value from the token alone.

This is different from encryption, where there is a relationship between the encrypted data and the original data. With encryption, in order to get back to the original data, you must provide the appropriate encryption key. Having access to that key – either directly or indirectly depending on the system they employ – is where many organizations run into issues, both from a compliance standpoint and from the risk of that data being compromised. Encryption can also be “brute-forced,” where the data is exposed from a persistent attack to find the proper key. Advanced encryption techniques mitigate this risk, but it still exists when organizations don’t properly understand or implement an encryption program.

Tokenization cannot be reversed or broken – it relies on a party to reconcile a token with the original data. Because the organization cannot directly retrieve that sensitive data, tokenization reduces compliance obligation and risk. The tokenization provider can also implement additional safeguards around access to that sensitive data that could not be accomplished otherwise. For TokenEx, this means additional authorization and access controls as well as a direct route to many gateways and processors. These safeguards mean the organization doesn’t ever need to go back to the original card number.

To put it plainly – and this conclusion is supported by industry compliance and regulatory bodies like the PCI Security Standards Council – encrypting sensitive data doesn’t mean the original obfuscated data isn’t present. It simply means that the risk of getting to that data is reduced. Using tokenization, on the other hand, means the original value is not present.

Please do not misunderstand TokenEx’s position. We believe encryption to be a fantastic technology when implemented correctly. TokenEx leverages encryption during transmission and with all of our data at rest. The challenge organizations have, and which is highlighted by standards like PCI, is how organizations implement and manage encryption. Tokenization providers like TokenEx take the burden of managing encryption off your hands, letting you focus on your business. With that being said, tokenization can also be misused or poorly implemented. Finding a trusted partner is critical to ensure your implementation reduces compliance and risk to your organization.

Recently Visa, Mastercard and AmEx broke news by announcing a new global standard to make consumers feel safer shopping online. What role does tokenization play here to ensure online merchant compliance and security?

Based on the literature we have read on this standard, tokenization is at the core of providing “simple” and “secure” payments as the card brands describe.

Tokenization will ensure merchant compliance and security by inserting tokens as far upstream in the payment acceptance channel as possible. In this case, tokens will be inserted within the mobile wallet application or eCommerce environment instead of using payment card numbers. By using tokens instead of payment card numbers, mobile applications and eCommerce sites will essentially be out of scope for PCI compliance because they’re not actually storing, processing, or transmitting payment card data. Furthermore, considering the token does not represent sensitive payment data, the possibility of fraud is reduced significantly if either the mobile device or the eCommerce site is breached.

It has been interesting to watch from the sidelines over the course of time as the PCI Security Standards Council has finally adopted and endorsed tokenization as a solution for reducing risk and compliance obligations for merchants and service providers alike.
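The two answers above describe a vault model: a token is a random surrogate with no mathematical link to the card number, the only way back is a lookup held by the tokenization provider, only authorized parties may perform that lookup, and a merchant that captures the token as far upstream as possible never stores the PAN at all. The following Python sketch is an added illustration of that model; it is not TokenEx's code or design. The vault class, the authorized-caller set, the last-four-preserving token format that deliberately fails the Luhn check, and the sample card number (a well-known test PAN) are all constructed assumptions for the example.

```python
import secrets

# Constructed sample input: the well-known Visa test PAN, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy token vault (an assumption for this example, not TokenEx's design).

    A token is a random surrogate. Apart from the last four digits, kept so
    receipts and customer service still work, nothing in the token is derived
    from the card number: the only way back is this vault's lookup table, and
    that table lives with the tokenization provider, not the merchant.
    """

    def __init__(self, authorized_callers):
        self._authorized = set(authorized_callers)
        self._token_to_pan = {}   # a real vault encrypts this column at rest
        self._pan_to_token = {}

    def _new_token(self, pan):
        body_len = len(pan) - 4
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(body_len))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn or are already issued, so a token
            # can never be mistaken for, or reused as, a real card number.
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan):
        """Return the token for a PAN, issuing one on first sight."""
        if pan not in self._pan_to_token:
            token = self._new_token(pan)
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def detokenize(self, token, caller):
        """Only an authorized party (e.g. the gateway) may reconcile a token."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller!r} is not allowed to detokenize")
        return self._token_to_pan[token]   # KeyError if the token was never issued


def place_order(vault, pan, amount):
    """Merchant-side flow: swap the PAN for a token at the point of capture and
    keep only the token, so the stored order record holds no card data."""
    return {"token": vault.tokenize(pan), "amount": amount}


def charge(vault, order, gateway_name="payment-gateway"):
    """Gateway-side flow: the authorized gateway is the only party that sees the PAN."""
    pan = vault.detokenize(order["token"], caller=gateway_name)
    return f"authorized {order['amount']} on card ending {pan[-4:]}"


if __name__ == "__main__":
    vault = TokenVault(authorized_callers={"payment-gateway"})
    order = place_order(vault, SAMPLE_PAN, "19.99")
    print("merchant stores:", order)              # token only, no PAN
    print(charge(vault, order))
    try:
        vault.detokenize(order["token"], caller="ecommerce-site")
    except PermissionError as exc:
        print("merchant cannot reverse the token:", exc)
```

The design choice worth noting is that a breached merchant database yields only tokens, and a token is useless without both the vault and an authorized caller; contrast this with an encrypted column, where the ciphertext plus the key (wherever it is held) is sufficient to recover every card number.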

Lastly, how is TokenEx’s security data different from others? What are the biggest values to your clients?

Probably the biggest value proposition TokenEx brings to the table for our customers, outside of risk and compliance avoidance, is flexibility. Our pricing structure, our tokenization and data vaulting services and our processor agnostic approach allow us to introduce flexibility into every aspect of our business model. Our goal is to ensure our solution wraps around our customers’ needs instead of asking them to augment their environment for us. I guess, to swim against the grain, TokenEx makes securing sensitive data easy on your business.

Key points:

  • Processor agnostic
  • Multiple payment acceptance channels
  • eCommerce to store front solution sets
  • Customized token formats to support business and system requirements
  • Knowledgeable staff to support goals of tokenization – reduce compliance obligations, reduce risk
  • Experienced project management team that has tokenized small eCommerce websites to multi-national organizations with multiple POIs and business processes.

Alex Pezold, Co-Founder and CEO, TokenEx

Alex Pezold is a Co-Founder of TokenEx, where he serves a leadership and business generation function. Prior to his current role at TokenEx, Alex served as a Director of Business Development and was a strategic advisor to CSOs and Executive Management on Information Assurance, Information Security, and Compliance. A former Qualified Security Assessor (QSA) with the PCI Security Standards Council, Alex has developed a mindshare in the compliance and risk reduction arena. Alex is currently a CISSP, holds CNSS Certifications, and obtained his Master of Science in Computer Science with emphasis in Information Security from the University of Tulsa in Tulsa, OK.