White Paper: Tokenization vs. EncryptionBy Adrian Lane
We are relaunching one of our more popular white papers, Tokenization vs. Encryption: Options for Compliance. The paper was originally written to close some gaps in our existing tokenization research coverage and address common user questions. Specifically, how does tokenization differ from encryption, and how can I decide which to use? We believe tokenization is particularly important, for several reasons. First, in an evolving regulatory landscape, we need a critical examination of tokenization’s suitability for compliance. There are many possible applications of tokenization, and it’s simpler and easier to use than many other security tools. Second, we wanted to dispel the myth that tokenization is a replacement technology for encryption, when in fact it’s a complimentary solution that – in some cases – makes regulatory compliance easier. Finally, not all of the claimed use cases for tokenization are practical at this time.
These questions keep popping up, so we feel a relaunch is in order. This paper discusses the use of tokenization for payment data, personal information, and health records. The paper was written to address questions regarding the business applicability of tokenization, and therefore far less technical than most of our research papers. The content has been updated slightly to reflect some of the changes in the PCI Council’s stance on PCI and address some questions which arise when considering tokenization for PHI and PII. I hope you enjoy reading it as much as I enjoyed writing it.