Tokenization is another technology you may be hearing more about. It is a more secure method of storing credit card numbers.
PCI-compliant systems are not allowed to store or transmit actual credit card numbers. These numbers have to be disguised somehow. The most common method of disguising credit card numbers is to encrypt them, but tokenizing them is even better.
Whereas encryption applies a mathematical formula to the original card number to get the encrypted card number, a token is a randomly generated number that points to the storage location of the card number instead of the card number itself. Ideally, that storage location would be a secure data vault managed by the credit card processor, the gateway provider or the point-of-sale provider. Since a mathematical formula is used to encrypt credit cards, it is theoretically possible that you could crack the encryption code if you could figure out the formula. Tokens are safer because there is no way to tie the token back to the original card number unless you have access to both the location that has the card number and the software that ties the card number to the token.
This technology is definitely an improvement over encryption, but most of the recent data breaches have not been caused by cracked encryption codes. It is much easier for hackers to install malware to catch card numbers before they get to the point of encryption or tokenization. I'll write about how to prevent that next week.
--Lynda