Are Tokenization And End-To-End Encryption Substitutes?

Written by Walter Conway
January 20th, 2010

A 403 Labs QSA, PCI Columnist Walt Conway has worked in payments and technology for more than 30 years, 10 of them with Visa.

If your goal is to limit your PCI scope, should you pursue tokenization or end-to-end encryption? Or should you do both? I find it interesting that many large (Level 1 and Level 2) merchants are actively pursuing both options, and I’m wondering if that really makes sense from either a PCI or an economic perspective.

Maybe tokenization and end-to-end encryption are just two closely related approaches that can, when properly implemented, accomplish the same thing: minimize your total PCI scope. One thing is for sure, though: Either way, you will need to bring your checkbook.

Everybody wants to minimize their company’s PCI scope. When I look at scope issues, I generally classify systems into two broad areas. The first is the set of applications and network infrastructure in the payment transaction flow from the POS to the processor/acquirer and back. The second area of scope deals with post-transaction applications that use the data; for example, velocity checking/fraud systems, relationship management, delayed or split shipments, recurring payments, and chargeback and refund processing.

The best way to minimize PCI scope is to not store cardholder data (like the PAN) electronically, ideally on any of your systems. Although I personally think this approach is possible, I understand that it is not always practical, given the post-transaction applications every retailer uses. Therefore, merchants are looking at a choice of tokenization or end-to-end encryption to get all that nasty cardholder data out of their PCI scope.

The first thing you need to understand is that you have to bring your checkbook. There is nothing too difficult about converting a PAN to a token: just replace the middle six digits with a sequence number, for example. Similarly, although it may take some work, you could encrypt your cardholder data using internal systems and processes. Unfortunately, the PCI Council effectively ruled out both options, saying that if merchants want to implement either of these technologies then they will have to go outside and buy them from a processor or a vendor.

The Council spelled out its reasoning in response to a question about when encrypted data could be considered out of scope: “However, encrypted data may be deemed out of scope if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it.” As I noted in an earlier StorefrontBacktalk column, the key question here is: what is an “entity”?

I don’t know the Council’s intent, but I can tell you that if “validated” means “validated by a QSA” then you can likely forget about the “entity” being a division or subsidiary of your company. To this QSA at least, if you want to use either tokenization or end-to-end encryption to reduce your scope then you are going to have to go to an outside, independent party—be it your acquirer or a vendor. It’s a bit like bringing your own popcorn to the movies; while it may make a lot of sense to you, it just isn’t allowed.
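The two points above, a token built by swapping the middle digits of the PAN for a sequence number and the requirement that only an outside party can map the token back, are shown together in the following Python sketch. It is an added example, not code from the column or from any processor; the vault and merchant classes are hypothetical, the card numbers are publicly known test numbers (constructed input, not real accounts), and it generalizes the "middle six" idea to any PAN length by always keeping the first six and last four digits. One design choice of mine, not from the column: the vault skips any sequence value that would make the token pass the Luhn check, so a token can never be mistaken for, or accepted as, a card number.

```python
import itertools
import re


def luhn_valid(number: str) -> bool:
    """Standard Luhn (mod 10) check that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault operated by the outside party (acquirer or vendor).

    It is the only component holding the token-to-PAN map, which is what lets
    the merchant's copy of the token be treated as out of scope.
    """

    def __init__(self):
        self._seq = itertools.count(1)
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
            raise ValueError("input is not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]   # stable token: same card, same token
        width = len(pan) - 10                 # digits between first six and last four
        while True:
            seq = next(self._seq)
            if seq >= 10 ** width:
                raise RuntimeError("sequence space exhausted for this PAN length")
            token = pan[:6] + f"{seq:0{width}d}" + pan[-4:]
            # Only accept tokens that fail Luhn: such a token can never equal a
            # real PAN (which passes Luhn) and is rejected by any card validator.
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only ever called inside the provider, e.g. to submit a recurring charge."""
        return self._token_to_pan[token]


PAN_CANDIDATE = re.compile(r"\d{13,19}")


def contains_pan(text: str) -> bool:
    """Crude scope check a reviewer might run over merchant data:
    does any 13 to 19 digit run pass Luhn? Vault tokens never do."""
    return any(luhn_valid(m) for m in PAN_CANDIDATE.findall(text))


def merchant_flow(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant keeps after a sale: the token, never the PAN.
    Later refunds or recurring billing send the token back to the provider."""
    token = vault.tokenize(pan)      # PAN crosses to the provider once, at capture
    return {"token": token, "amount": amount, "last4": token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: well-known test card numbers, not real accounts.
    record = merchant_flow(vault, "4111111111111111", "19.99")
    print(record)                                  # token 4111110000011111
    print(contains_pan("order 1001 " + record["token"]))   # False
    print(contains_pan("order 1002 4111111111111111"))     # True
```

The merchant-side record keeps only the token and the last four digits, so a scan of merchant storage with `contains_pan` finds nothing that passes Luhn; the same scan over raw sale data lights up immediately, which is the difference between in-scope and out-of-scope data that the column is describing.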

Let’s look first at tokenization, the process whereby, when properly implemented, the PAN may be rendered out of scope for PCI.


2 Comments

  1. Lucas Zaichkowsky Says:

    Walter, I think there’s a lot of misinformation out there and that’s the fundamental source of confusion. Many believe these are competing technologies and most vendor marketing reinforces that misconception. End-to-end protects card data at initial entry when the card is first swiped or keyed in. Tokenization then provides a mechanism for merchants to be able to perform future actions like recurring billing or an easier return process without storing the account number. An end-to-end encryption solution is complemented when it has built-in tokenization support. Without the tokenization, many business needs are not met. They’re complementary technologies, not competing.

  2. Walt Conway Says:

    Thanks for the comment and your insights. I’m doing some further research based on your comment and email responses I’ve received directly. Look for a follow-up piece soon.
