Encryption vs Tokenization – Key Differences, Advantages, & Use Cases Explained

Sekhar Sarukkai (Profile)
Friday, March 18th 2016

Unless you’re a cryptographer, you wouldn’t be blamed for conflating tokenization with encryption. Tokenization and encryption are both used to secure data when it’s being transmitted through the Internet or stored at rest in a hard drive or in the cloud.

For organizations, tokenization and encryption helps them to not only meet their data security policies, but they also help in ensuring that they’re compliant with industry regulations governing sensitive and private data security.

There are a lot of uses for encryption on the web. Regulations such as PCI DSS (which governs the payment card industry), HIPAA-HITECH (which regulates the healthcare industry), EU Data Protection Regulation, or FISMA (which regulates federal agencies) either require or encourage organizations to tokenize or encrypt customer data so they’re protected in case of a data breach.

While tokenization and encryption both effectively obfuscate sensitive data, they are not the same thing, and they are not substitutable. Each has its own strengths and weaknesses, and organizations should opt for one or the other based on their strengths and weakness to secure data under different circumstances.

In the case of the electronic payment industry, both method is typically recommended and used to secure data end-to-end.

Encryption Explained

Go check your Facebook account. Notice the ‘s’ in “https” that is at the start of the URL? That ‘s’ stands for secure, meaning that a method called SSL has been applied to it that encrypts all your data being uploaded to Facebook in transit.

Key features of encryption:

  • Mathematically transforms plain text into cipher text using an encryption
  • Scales to large data volumes with just the use of a small encryption key to decrypt data
  • Used for structured fields (like those found in a CRM) and unstructured data (such as a word doc found in dropbox)
  • Data is encrypted before it leaves the device
  • Requires the recipient to have the encryption key in order to decrypt the data upon receipt

There is two primary ways data is encrypted: symmetric key and asymmetric key encryption. In symmetric key encryption, one key is used to both encrypt and decrypt the information. Symmetric key encryption is akin to having a door with one key that both locks and unlocks it and only one person possesses that key. One of the weaknesses of this approach is that if the key is stolen, it can be used to unlock, or decrypt, all of the data it was used to secure.

For this reason, asymmetric key encryption was developed to allow multiple parties to exchange encrypted data without managing the same encryption key.

In asymmetric key encryption (also called public-key encryption), two different keys are used for the encryption and decryption processes. In this method, there is a private key and there is a public key. The public key can only be used to lock (or encrypt) data. Therefore it can be freely distributed. Businesses often use public keys to encrypt credit card payment data before sending the transaction information to a payment processing company.  In this instance, the payment processing company would need to have the private key to decrypt the data in order to process the payment.