In an article written by David Taylor, the founder of the PCI Knowledge Base, he discusses Tokenization vs. End-to-End Encryption. Here's an excerpt:
The hottest trends in payment security concern two technologies that go beyond PCI as the standards are currently written. These are tokenization and end-to-end (E2E) encryption.
E2E Encryption addresses a major insider threat today. For many companies, encryption is not centrally managed. It is a feature that is easily added to applications; it's built into operating systems, databases, POS devices and so on. Even within the cardholder environment, it's not uncommon to find a half dozen different implementations of encryption and multiple key management systems.
In this situation, card data may have to pass through multiple systems internally on the way to the acquiring bank or processor. The result is the dreaded "encrypt, decrypt, re-encrypt" scenario, which opens up holes to unauthorized insiders.
With E2E encryption a company encrypts the data at the entry point (the point of sale [POS], the e-commerce payment software and the call center software) and the data remains encrypted throughout the process of passing it to the acquirer. The card number is never stored unencrypted by the merchant.
The other key point of E2E is that some companies are focused on an enterprise view of end-to-end, rather than defining one of the endpoints as the acquirer. In addition, the policies for and the processing of chargebacks in some companies tends to mess up the end-to-end scenario.
Speaking of things that are no longer needed, there is a lot of discussion about tokenization solving all problems. Tokenization involves the replacement of credit card numbers (or other confidential data) by a surrogate number or "token" and then centralizing (or outsourcing) the card data to reduce (some say eliminate) insider threat.
Bottom line: Our research suggests that end-to-end encryption and tokenization will likely exist side-by-side in nearly all large and most midsize businesses for the next two to three years. Suggesting that one can take the place of the other does not take into account the reality of the large, multi-channel merchant or service provider. Continue Reading
0 comments