If I'm asked the same question by different people at least three times in the space of a week, then it has got to be of use to someone if I write some words on exactly what the difference is between Tokenisation and Encryption in the context of the crazy, complicated world of payments.
So stick with me: this is a 101, beginners, super simple, year 1 description of the concepts of payment tokenisation and encryption.
Why bother?
In the good ol' days, payment cards simply had the payment details written on the strip of magnetic tape on the back of the card. In fact, in the good old, old, old days, even the account balance was recorded there. It isn't any more, don't panic! Anyway, your average card magstripe contains the following data:
4888603170607238=05051011203191805191
Which is brilliantly awesome if you're the nefarious type looking to buy something on Amazon without paying for it.
In simple terms, in this line of data, known as the Track 2 data, you have the Card Number, Expiry Date and Service Code recorded, and often names and other details. More than enough data to cause havoc!
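To make those fields concrete, here is an added Python example (not from the original post) that splits the page's sample Track 2 string into its fields, checks the card number's Luhn check digit, and masks the PAN the way PCI DSS expects it to be displayed; the field layout follows ISO/IEC 7813.

```python
import re

# Track 2 layout (ISO/IEC 7813): <PAN>=<YYMM><service code><discretionary data>.
# Readers usually strip the ';' start sentinel, '?' end sentinel and the LRC, as in
# the sample line in the post, so the sentinels are optional here.
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{12,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)\??$"
)

def luhn_valid(pan: str) -> bool:
    """True if the PAN's check digit is consistent (Luhn mod-10 algorithm)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        digit = int(ch)
        if i % 2 == 1:              # double every second digit, counting from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0

def parse_track2(track: str) -> dict:
    """Split a Track 2 string into named fields; raises ValueError if it is malformed."""
    m = TRACK2_RE.match(track)
    if m is None:
        raise ValueError("not a Track 2 string")
    return {
        "pan": m["pan"],
        "expiry_yymm": m["expiry"],
        "service_code": m["service"],      # e.g. '101': international use, no restrictions
        "discretionary": m["disc"],
        "luhn_ok": luhn_valid(m["pan"]),
    }

def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# The Track 2 sample quoted in the post.
SAMPLE = "4888603170607238=05051011203191805191"

if __name__ == "__main__":
    fields = parse_track2(SAMPLE)
    fields["pan"] = mask_pan(fields["pan"])   # never log the clear PAN
    print(fields)
```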
So obviously protecting this information is critical. It's basically free money for anyone who can get at it.
Stay calm, the payments industry is way ahead of this. It's all about protecting this information: 'de-valuing' this data and making it much less attractive to any would-be 'robbers'.
...hence we get to the concepts of Encryption and Tokenisation.
Two very different principles but both with the final aim of 'de-valuing' the card number.
If our 'Robber' manages to get a Tokenised or Encrypted card number, it is useless to them. You simply can't buy anything with this information. You can't make a purchase. The value is not recognised as a card number.
What is Encryption? - It's Scrambling Data
Here's the complicated answer.
Here's the simple answer;
"Scrambling the number up with another number" - Calculating an output value from the original value using a different value (the key) and a mathematical equation. Think of it as locking a message in a box with a key.
Now, before I start getting bombarded with comments, this is a super simplified statement. The concept of encryption is plain brilliant, and if I were a better mathematician I could wax on about the genius of it, but again the point is that a second number is calculated or derived from the first number.
There is a mathematical link between the two.
Granted, it's a shockingly complicated mathematical link, and only if you've got literally trillions of dollars and a couple of thousand years could you work out the original number. So it's a hugely robust and secure mechanism for protecting card data.
What is Tokenisation? - It's Representing Data
Here's the complicated answer;
Here's the simple answer;
"Representing a number with another number" - Linking two numbers together.
Think of it this way. You give me a Pineapple and in return, I give you an Apple. I then remember that I gave you an Apple for a Pineapple. Now whenever you say Apple what you really mean is Pineapple...
Tokenisation is about representing something with something else.
In the context of payments we 'Tokenise' the card number, representing the 'Clear' card number with another number. So whenever you or a customer send the token to me, we know which card number it actually stands for and authorise the transaction with that card number.
The application of these concepts is profound for payments. We can now confidently handle these tokens, because we know they are meaningless for the purposes of a transaction. With everything tokenised we have effectively removed all clear card data, which starts to negate the need for PCI DSS compliance. PCI is a bit more complicated than this, but it does allow us to move a huge portion of the payments infrastructure out of scope, which is brilliant as our project costs begin to drop significantly. PCI gets cheaper!
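An added Python illustration (not from the original post) of the contrast drawn in the encryption and tokenisation sections above: `encrypt_pan`/`decrypt_pan` keep a mathematical link that anyone holding the key can reverse, while `TokenVault` issues random tokens whose only link to the card number is the vault's lookup table. The HMAC-based keystream is a teaching stand-in for a real cipher such as AES, and keeping the token's last four digits is an assumed design choice, not something the post specifies.

```python
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-in-counter-mode keystream (HMAC-SHA256), standing in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_pan(pan: str, key: bytes) -> bytes:
    """Encryption: the ciphertext is mathematically derived from the PAN and the key."""
    nonce = secrets.token_bytes(12)
    data = pan.encode("ascii")
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ciphertext

def decrypt_pan(blob: bytes, key: bytes) -> str:
    """Whoever holds the key can follow the mathematical link back to the PAN."""
    nonce, ciphertext = blob[:12], blob[12:]
    plain = bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return plain.decode("ascii", errors="replace")

class TokenVault:
    """Tokenisation: the token is a random stand-in for the PAN; the only link between
    them is this lookup table, so there is nothing to 'work out' without the vault."""
    def __init__(self) -> None:
        self._by_pan = {}
        self._by_token = {}

    def tokenise(self, pan: str) -> str:
        if pan in self._by_pan:          # the same card always maps to the same token
            return self._by_pan[pan]
        while True:
            # Random digits replace the PAN; last four kept so receipts can still show them.
            token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4)) + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the vault can map a token back; raises KeyError for an unknown token."""
        return self._by_token[token]
```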
Furthermore, we now have a secure way of recognising our customer, wherever and whenever they shop. So it's not a million miles away to implement solutions that mean customers could shop online in the US, deliver to China and return to a store in London. We know who you are and how you paid.
Both Tokenisation and Encryption have applications far and wide in general data security. Both are brilliantly secure, but there are naturally pros and cons with both concepts, not least the costs associated and the requirement to move data out to third parties.
However, in my opinion the benefits far, far outweigh the risks, and it's a worthy investment in your quest to secure and protect your customers' data.
Think Target!
Russell leads the Savanti Ltd Payments team, enabling payments for clients across the globe, and has extensive knowledge and 'real-world' experience of tier 1, 2 and 3 merchants, as well as financial issuing and acquiring providers. Russell has successfully delivered strategic payments services to organisations including RS Components, Rabobank, SODEXO, Raphaels Bank, UK Fuels, Tesco Bank, Virgin Money and Travelex Financial Services.
Prior to joining the Savanti team, Russell led one of Europe's largest retail payments outsourcing programmes, enabling the UK's largest grocery retailer to benefit from a significantly improved eCommerce and store-based payments infrastructure.
We’d be happy to support you on the journey, please get in touch – info@savanti.co.uk or visit the chat function on our website: www.savanti.co.uk