BankInfoSecurity.com - Information Security News, Regulations, & Education

Just Released: Our Online Webinar Catalog

Bank Information Security Articles

Tokenization Vs. End-to-End Encryption: Experts Weigh in

Credit
EligibleAs a BankInfoSecurity.com annual member, this content can be used toward your membership credits and transcript tracking. Click For More Info

Pros and Cons of the Emerging Technologies Eyed to Improve Data Security

October 19, 2009 - Linda McGlasson, Managing Editor

Save

Digg

Delicious

Please login or register to save this article.

Tokenization or end to end encryption - which solution will win the hearts of data protectors in the race to secure data?

A recent study conducted by PriceWaterhouseCoopers on behalf of the Payment Card Industry Security Standards Council shows that end to end encryption and tokenization are the top choices for companies seeking to employ new emerging technologies to protect payment card and other critical data. And both approaches have their public proponents, including Heartland Payment Systems (HPY) CEO Robert Carr, who's been encryption's most vocal supporter in the wake of his organization's historic breach.

But what are the pros and cons of each approach? We turned to a panel of information security experts for their analyses of tokenization vs. end to end encryption.

Defining the Solutions
A quick look at the essence of these two solutions:

Tokenization replaces sensitive card data information with unique id symbols that keep all the essential data, without compromising its security. This approach has become popular as a way to increase security of credit card and e-commerce transactions, while minimizing the cost and complexity of industry regulations and standards - especially the Payment Card Industry Data Security Standard (PCI).

End to end encryption, also defined by Visa as data field encryption, is continuous protection of the confidentiality and integrity of transmitted data by encrypting it at the origin, then decrypting at its destination. The encrypted data travels safely through vulnerable channels such as public networks to its recipient, where it can be decrypted. One example is a virtual private network (VPN) that uses end to end encryption.

Click to Get Updates on the Latest Information Security News

Company*

Title*

Email*

Subscription Type:

Healthcare Enews

General Healthcare Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Government Enews

General Government Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Banking Enews

General Banking Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Credit Union Enews

General Credit Union Enews
Blogs Enews
Careers Enews
Training Enews
Webinars Enews
Podcasts Enews
White Papers Enews

Need Help?

The question for many organizations is not either/or, but rather which approach best fits into the organization's existing security architecture?

Pros and Cons
Size is a factor for organizations weighing tokenization and end to end encryption, says Dave Shackleford, former chief security strategist at EMC, and now principal at Blue Heron Group. "I would probably choose tokenization for smaller organizations, but larger ones will likely benefit more in the long run from looking to implement robust encryption practices and technologies," Shackleford says. Tokenization may not encompass all the data that needs to be protected by larger organizations, he adds.

Anton Chuvakin¸ author of the books "Security Warrior" and "PCI Compliance," says he would choose tokenization over end to end encryption any day. "I just don't believe that anybody can roll out end to end encryption and have it be usable and secure at the same time," Chuvakin says.

Chuvakin is concerned about recent breaches that indicate "in-application" sniffer malware might have been in use. Such malware will grab the data from memory after decryption, he says, completely defeating an end to end encryption solution such as Heartland's E3. "Admittedly, getting such malware on the processing server is very hard, but such a scenario still worries me," Chuvakin says.

Both end to end encryption and tokenization are about scope reduction, and will "most likely fall under the purview of the Payment Card Industry Security Standards Council Scoping Special Interest Group," says David Taylor, founder of PCI KnowledgeBase and a member of the group he referenced. "Both end to end encryption and tokenization are based on the whole idea that not actually having credit card data available on 'as many' or 'any' systems will move those systems out of scope," Taylor says. However, he notes, there are concerns on several fronts, which the Visa best practices thus far do not address.

Among the concerns that experts weigh:

Tokenization Pros:

The data is not stored or sent in its "real" form at all (possibly on the first initial transaction but not afterward).

Easier to establish and maintain than encryption

Tokenization Cons:

May not address all data in use by larger organizations;

May not work with applications and processing technologies;

End to end encryption Pros:

Data is secured all the way from each endpoint to the processing destination;

May integrate better with existing technology.

End to end encryption Cons:

May introduce more overhead in processing;

Key management and other encryption processes may be hard to manage.

1 | 2

View On 1 Page

Next Related Article:

Visa Announces New Data Encryption Practices

Topics of Interest

Incident Response

Achieving Rapid AIX Data Recovery for Credit Union Core Processing Applications
The Skinny on the Kneber Botnet

Office Comptroller of Currency

OCC Bulletin 2008-16: A Blueprint for Compliance
Application Security Survey Results: Executive Summary

National Credit Union Admin.

Identity Theft Red Flags Rule Survey: Executive Summary
NCUA Board Member Gigi Hyland on Careers in Credit Union Leadership

FACTA

Identity Theft Red Flags Rule Compliance Survival Guide
ID Theft Red Flags Examinations: What to Expect?

Physical Security

Redspin Security Report: Top 10 Network Security Threats of 2008 - Q2 Update
Physical Asset Management & IT Security

NIST

Iris Recognition: NIST Computer Scientist Patrick Grother
Guidelines for Secure Use of Social Media by Federal Departments and Agencies

Latest Tweets & Mentions

Recent Content
Most Popular

1Heartland, Discover Settle at $5 Million
2How to Protect Consumers from ID Theft
3The Mobile Mandate
4Church Latest Victim of ACH Fraud
5Video: Why Cyber Challenge is Needed
6FDIC: 829 Troubled Banks
7ID Theft: Courts Cracking Down
810 Tips to Thwart Skimming
9Skimming: Old Crime, New Tools
10Key Elements of Risk Management

1Failed Banks and Credit Unions, 2010
22010 Data Breach Timeline
3Pay-At-The-Pump Skimming on the Rise
4Account Takeover: The New Wrinkle
5Tapping the Power of Social Media
6ATM Skimming: How Effective is Jitter?
741 Banking Breaches So far in 2010
8New Fraud Spree Investigated
9Social Media Policy - The 6 Essentials
10FDIC: Top 5 Fraud Threats

BankInfoSecurity.com Research

Podcast:Mortgage Fraud: Compliance to be a Challenge
Webinar:Testing Security Controls: Learn from the Experts
Handbook:2010 Webinar Catalog
White Paper:Understanding Man-in-the-Browser Attacks and Addressing the Problem
Regulation:FHFA: Issues Subpoenas for PLS Documents

Recent Blog Entries

Be Mindful of Insider Fraud Against Seniors

California's Financial Abuse Reporting Act, SB 1018, which r…

Read The Agency Insider by Linda McGlasson

Vendor Solutions

Third Brigade, Inc.

Solutions For:

Data Privacy, Database Security, End-Point Security
RSA, The Security Division of EMC

Solutions For:

Anti-Phishing, Authentication, Network Security

Marketplace

Information Security Media Group - Family of Websites

Banking

BankInfoSecurity.com
Careers
Blogs

Credit Unions

CUInfoSecurity.com
Careers
Blogs

Government

GovInfoSecurity.com
Careers
Blogs

Healthcare

HealthcareInfoSecurity.com
Careers
Blogs

About Us
Contact Us
Site Map
Terms of Service
Advertise
RSS

BankInfoSecurity NewsGet the RSS Feed
Agency ReleasesGet the RSS Feed
Latest ArticlesGet the RSS Feed
WebinarsGet the RSS Feed
BankInfoSecurity.com BlogGet the RSS Feed

Home
Training
Resources
Content Library
- Agency Releases
- Articles
- Handbooks
- Podcasts
- Surveys
- Webinars | Calendar
- White Papers
Careers
Blog

Advanced Search

Browse Topics

Agencies

Federal Deposit Insurance Corp
Federal Reserve Board
Federal Trade Commission
FFIEC
FHFA
FinCEN
Government Accountability Office
National Credit Union Admin.
NIST
Office Comptroller of Currency
Office of Thrift Supervision

Anti-Money Laundering

Banking Today

Confidence In Banking

Business Continuity & Disaster Recovery

Pandemic Preparation

Compliance

Bank Secrecy Act
Basel II
CA Bill 1386
E-SIGN Act
FACTA
Gramm-Leach-Bliley Act
Guidance
Identity Theft Red Flags Rule
NCUA Part 748
Patriot Act
PCI DSS
Sarbanes-Oxley Act

Emerging Technology

Application Security
Authentication
Cloud Computing
Data Loss
Encryption
GRC
ID Access & Management
Messaging
Mobile Banking
Network/Perimeter
Remote Capture
SIM/SEM
Social Media
Storage
Web Security

Fraud

ACH
ATM
Check
Debit, Credit, Prepaid Cards
First Party
Insider
Mortgage
Payments
Wire

Governance & Standards

BITS
Cobit
COSO
FFIEC Handbook
ISO
ITGI
ITIL
PCAOB

Identity Theft

Pharming
Phishing
Skimming

Leadership & Management