More and more cases of data breaches are being reported every year. About a year ago, a staggering 2.6 terabytes of data consisting of 11 million encrypted internal documents were leaked from a law firm, Mossack Fonseca, and passed on to a German newspaper. Another cyber attack, this one against Anthem, the second largest health insurer in the US, compromised millions of personal information including names, dates of birth, social security numbers, addresses, phone numbers, email addresses and employment information.
As technology advances ever onward, we can only expect more of these incidents as criminals and their tools get increasingly more sophisticated. The onus then is on the targeted institutions – banks, private corporations, healthcare and government offices – to take the necessary measures that will keep customer information safe, private and secure.
Tokenization vs Encryption: What are the differences?
Tokenization and encryption are two ways for securing information – both while being transmitted and while at rest. But they are not the same thing and are not interchangeable. Here’s why.
- uses ‘tokens’ to protect data
- tokens serve as references or placeholders for the original data
- uses a database, called a ‘token vault’ which stores the real data and the token
- if a token is intercepted, it cannot be used to guess the real values
- primary benefit is ease of use, because you don’t have to manage encryption keys
- uses ‘secret keys’ to protect data
- uses an algorithm to transform plain text information into a non-readable form called cipher text
- needs an encryption key to decrypt the information and return it to its original plain text form
- if a key is intercepted, it can be used to decrypt all of the data it was used to secure
- key advantage is its usefulness for encrypting unstructured data such as entire files
Whether your organization should opt for tokenization or encryption will depend on your own unique requirements. If you want to stay compliant while reducing your obligations under PCI DSS, you can opt to use tokenization. If you want scalability, and have to encrypt large volumes of data, then encryption is ideal since you only need a small encryption key. But regardless of which one you choose for protecting private information, both tokenization and encryption can help satisfy regulatory requirements imposed by PCI DSS, HIPAA-HITECH, GLBA, ITAR and the upcoming EU Data Protection Regulation.