This is page 2 of:
Are Tokenization And End-To-End Encryption Substitutes?
Tokenization can, therefore, take much of the system and network in your transaction flow (the first area I previously mentioned) out of scope, so long as you do not have the ability to decrypt the tokens. Additionally, you should be able to use the tokens in your post-transaction systems (the second area) if the tokens are the same size as a PAN, you can link them to the same card and cardholder, and your processor or acquirer can use them to process chargebacks and refunds without further involvement from you. What’s not to like?
If we consider end-to-end encryption, we see many of the same potential benefits. It is designed to take the systems and networks in the transaction flow out of scope, and it can do this very well when the encryption takes place at or close to the POS. In a properly configured implementation only your processor (clearly an independent entity) can decrypt the data, so the data should be out of your scope. Additionally, if your encryption vendor can create tokens for you and those tokens can be linked to an individual payment card (two big “ifs”), you may eventually be able to take your post-transaction systems out of scope, too.
Clearly, I am glossing over some details. But this column is not intended to be a master class on encryption and tokenization. I have met with several vendors and I am a fan of both technologies (and I think the Council will be, too). Either approach can reduce PCI scope for merchants when properly implemented. The NRF Expo floor had vendors, processors and acquirers promoting their tokenization or end-to-end encryption solutions, so you have options. And more announcements will be coming soon.
What surprises me a little is how many Level 1 and Level 2 merchant CIOs are still looking at both options. It seems to me that after doing some homework and listening to a few presentations by competing providers, merchants should be able to settle on the technology and implementation that best meets their particular business needs. You will always have risks: Your vendor might go broke or (heaven forbid) be compromised. The technology may lock you into one vendor, thereby making any change difficult. If you get your solution from your processor, you may have difficulty changing processors or acquirers. And, lastly, the PCI Council may surprise us all and come out with some very specific guidance that complicates things for early adopters.
Having said all that, it seems like it is time for merchants–retailers, hotels, restaurants, universities, everybody–to evaluate these technologies and move toward a commitment to one or the other if it fits their business needs. What do you think? Am I being overly simplistic in considering tokenization and end-to-end encryption as near substitutes? Is the continuing analysis due to budget constraints? Do you prefer a vendor or a processor solution? Do you think the PCI Council will relent and allow merchants to pursue internal tokenization/encryption solutions that reduce scope? I’d like to hear your thoughts. Either leave a comment or E-mail me at wconway@403labs.com.
-Marc
January 25th, 2010 at 4:15 pm
Walter, I think there’s a lot of misinformation out there and that’s the fundamental source of confusion. Many believe these are competing technologies and most vendor marketing reinforces that misconception. End to end protects card data at initial entry when the card is first swiped or keyed in. Tokenization then provides a mechanism for merchants to be able to perform future actions like recurring billing or an easier return process without storing the account number. An end to end encryption solution is complemented when it has built-in tokenization support. Without the tokenization, many business needs are not met. They’re complementary technologies, not competing.
January 30th, 2010 at 6:32 pm
Lucas,
Thanks for the comment and your insights. I’m doing some further research based on your comment and email responses I’ve received directly. Look for a follow-up piece soon.