If your business accepts credit cards, you may want to keep card details on file so that returning customers don't have to re-enter them. Choosing the right way to protect that data is a daunting task given the technical jargon and the number of options available. The PCI DSS guidelines help somewhat in navigating the process, but understanding what they ask for and why is essential to making the right decision. One point to keep in mind from the start: any system that stores, processes or transmits a full card number (the PAN) is in scope for PCI DSS, so the methods below are as much about shrinking that scope as about protecting the numbers themselves.
WHAT IS TOKENIZATION?
Tokenization is the substitution of confidential data with a randomly generated stand-in value, or token, that has no meaning or value outside the system that issued it. The real number is kept in a separate token vault, and the token must not be derivable from it: a token is a lookup key, not an encrypted or hashed copy of the card number. It is typically used for static data such as card numbers or social security numbers, and it suits systems that only need to reference a card rather than process it: your database stores the token, and only the vault can exchange it for the real number. The vault itself still holds the real numbers, however, so it remains in PCI DSS scope and must protect its contents, normally with encryption. That is why tokenization alone is rarely the whole answer; in practice it is paired with encryption and, for most businesses, outsourced to the payment processor or gateway so that your own systems never hold the vault.
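To make the difference between a token and an encrypted value concrete, here is a small token vault written for this article; it is not code from any vendor or from the original post. It assumes an in-memory dictionary stands in for the vault's database, which in a real deployment would be a separate, encrypted, PCI-scoped store. Tokens keep the last four digits for display but are generated so that they never pass the Luhn check, so a leaked token cannot be confused with a real card number, and the same card always maps to the same token so repeat purchases can be linked without the number.

```python
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if a digit string passes the Luhn check that real card numbers satisfy."""
    total = 0
    for position, ch in enumerate(reversed(number)):
        digit = int(ch)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory token vault, constructed for this example.

    A real vault is a separate, PCI-scoped system whose PAN store is encrypted
    at rest; the plain dictionaries here exist only so the tokenization logic
    itself is visible. Everything outside the vault stores tokens only.
    """

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Exchange a card number for a token that has no mathematical relation to it."""
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Deterministic per card: the same PAN always yields the same token, so a
        # merchant can recognize a returning card without ever seeing the number.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits for the body; the last four are preserved so receipts and
            # customer-service screens can show "card ending in 1111" (PCI DSS permits
            # displaying the last four digits).
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn or collide with an issued token: a token
            # that looks like a valid card number invites confusion and lets a leaked
            # token be mistaken for (or equal to) a real PAN.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can reverse a token; an unknown token yields nothing."""
        return self._token_to_pan.get(token)


def merchant_record(vault: TokenVault, pan: str) -> Dict[str, str]:
    """What the merchant's own database keeps after tokenization: no PAN anywhere."""
    token = vault.tokenize(pan)
    return {"token": token, "display": "**** **** **** " + token[-4:]}


if __name__ == "__main__":
    vault = TokenVault()
    print(merchant_record(vault, "4111111111111111"))  # constructed test number
```

Note what the merchant ends up holding: a token and a masked display string. Nothing in that record can be turned back into a card number without a call to the vault, which is exactly the property that takes the merchant's database out of PCI DSS scope and moves the problem to protecting the vault.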
WHAT IS ENCRYPTION?
Encryption is the transformation of readable data into ciphertext that can only be turned back into the original by someone holding the matching key, so that authorized parties can read it and an intruder who obtains only the ciphertext cannot. It suits businesses with larger databases and data that has to move between parties, because the protection travels with the data: wherever the ciphertext goes, it is decipherable only to the keyholders. The flip side is that the security of encrypted data is exactly the security of its keys, and PCI DSS still treats encrypted card numbers as cardholder data for any party that holds, or could obtain, the decryption key.
To protect card data in transit and stay on the right side of PCI DSS, numbers must be encrypted from the moment they are captured. Two architectures are commonly used for this: end-to-end encryption and point-to-point encryption. They differ less in the cryptography than in who holds the keys.
END-TO-END VS. POINT-TO-POINT
End-to-end encryption, or E2EE, encrypts card data at the point where it is captured (the card reader or payment form) and keeps it encrypted until it reaches the endpoint that decrypts it. Only the two endpoints hold the keys able to decipher the information, similar to how two friends may make up a secret language that only they understand and keep a "language dictionary" for. In a payment setting the decrypting endpoint is often your own business's system rather than the customer, and that is what separates E2EE from P2PE below.
Since only two parties hold the keys, and they presumably trust each other, there is less chance of anyone else decrypting the information. However, if either key (the language dictionary) is stolen, the thief can use it to decrypt everything it protects. If the key is stolen on the business's side, you are the one held responsible, and because your systems can decrypt card numbers they remain in PCI DSS scope, with all the key-management requirements that entails.
Point-to-point encryption, or P2PE, is a subset of E2EE with one defining difference: the merchant never holds the keys. When a card is used with a P2PE solution, the number is encrypted inside the card reader at the first point of interaction, before it reaches any of your systems. The ciphertext is then sent on to the solution provider's secure decryption environment (typically hardware security modules in the provider's data center), decrypted back to the original number there, and forwarded to the applicable bank for authorization.
Instead of allowing the business to hold an encryption key, the third-party P2PE provider holds the keys. Responsibility for protecting card data therefore sits with the provider from the moment the card is read, and a thief who compromises your network or point-of-sale software obtains only ciphertext they cannot decrypt. The customer is essentially handing your business a sealed envelope to pass on to a trained professional you trust, and the business can focus on its product rather than guarding and managing secret codes. Choosing a solution validated under the PCI Security Standards Council's P2PE standard also lets you answer a much shorter compliance questionnaire (SAQ P2PE). It is not quite hands-off, though: you still have to follow the provider's P2PE Instruction Manual, keep an inventory of your terminals, and inspect them regularly for tampering or substitution, because a swapped reader defeats everything upstream of it.
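Here is the P2PE flow described above as a runnable sketch written for this article; it is not code from any P2PE provider or from the original post, and it also serves as the worked contrast with the E2EE arrangement two paragraphs earlier. It assumes a simplified key hierarchy: the provider holds a base derivation key (BDK), each terminal is injected with a device key derived from it, and each transaction uses a fresh key derived from the device key and a counter. Real validated solutions use DUKPT (ANSI X9.24) and hardware security modules for this; the HMAC-based derivation and the HMAC-keystream cipher below are stand-ins chosen so the example runs with only the Python standard library, not a cipher to deploy. What it demonstrates is structural: the merchant's systems relay the message and never hold anything that can decrypt it, the provider re-derives the key from the device id and counter, and a tampered or replayed message is rejected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenated parts; used for key derivation and as the MAC."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from HMAC; a stand-in for AES in a real solution."""
    out = b""
    block = 0
    while len(out) < length:
        out += _prf(key, nonce, block.to_bytes(4, "big"))
        block += 1
    return out[:length]


def _seal(tx_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC with separate keys split off the per-transaction key."""
    enc_key, mac_key = _prf(tx_key, b"enc"), _prf(tx_key, b"mac")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce, ciphertext, _prf(mac_key, nonce, ciphertext)


def _open(tx_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or altered ciphertext fails here."""
    enc_key, mac_key = _prf(tx_key, b"enc"), _prf(tx_key, b"mac")
    if not hmac.compare_digest(tag, _prf(mac_key, nonce, ciphertext)):
        raise ValueError("authentication failed: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


@dataclass
class Terminal:
    """Card reader. Holds only its own injected device key, never the provider's BDK,
    so a compromised reader cannot expose other terminals' traffic."""
    device_id: str
    device_key: bytes
    counter: int = 0

    def read_card(self, pan: str) -> Dict[str, str]:
        """Encrypt the PAN at the point of interaction; this is all the merchant ever sees."""
        self.counter += 1
        tx_key = _prf(self.device_key, self.counter.to_bytes(4, "big"))
        nonce, ciphertext, tag = _seal(tx_key, pan.encode())
        return {"device_id": self.device_id, "counter": str(self.counter),
                "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


class Provider:
    """The P2PE solution provider's decryption environment: the only holder of the BDK."""

    def __init__(self) -> None:
        self.bdk = secrets.token_bytes(32)
        self.last_counter: Dict[str, int] = {}

    def inject_key(self, device_id: str) -> Terminal:
        """Key injection at deployment: the terminal receives a key derived from the BDK."""
        return Terminal(device_id, _prf(self.bdk, device_id.encode()))

    def decrypt(self, msg: Dict[str, str]) -> str:
        """Re-derive the transaction key from device id and counter, then open the message."""
        device_id, counter = msg["device_id"], int(msg["counter"])
        if counter <= self.last_counter.get(device_id, 0):
            raise ValueError("replayed or out-of-order transaction counter")
        tx_key = _prf(_prf(self.bdk, device_id.encode()), counter.to_bytes(4, "big"))
        pan = _open(tx_key, bytes.fromhex(msg["nonce"]),
                    bytes.fromhex(msg["ciphertext"]), bytes.fromhex(msg["tag"]))
        self.last_counter[device_id] = counter  # only advance after a verified message
        return pan.decode()


def merchant_relay(msg: Dict[str, str]) -> Dict[str, str]:
    """The merchant's point-of-sale system: it may attach its own reference and forward
    the message, but it holds no key, so nothing here can recover the card number."""
    return {**msg, "merchant_ref": "POS-" + secrets.token_hex(4)}


if __name__ == "__main__":
    provider = Provider()
    terminal = provider.inject_key("TERM-0001")
    message = merchant_relay(terminal.read_card("4111111111111111"))  # constructed test number
    print("merchant sees:", message)
    print("provider recovers:", provider.decrypt(message))
```

To turn this into the E2EE arrangement from the earlier section, nothing about the cryptography changes: the `Provider` object would simply run inside the merchant's own environment, holding the BDK, and that environment would be the one in PCI DSS scope. The replay counter and the authentication tag are also why a P2PE message is useless to an attacker who captures it on the merchant's network: it cannot be read, altered, or submitted twice.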
The rub is that once you've chosen a provider, switching isn't easy: most providers support only their own P2PE solution, and your terminals are keyed for that provider, so changing equipment to support a different one can become expensive. Weigh your options carefully and choose the solution that fits your business best.