Tokenization vs Encryption
The proliferation of large retail outlets now painting the Jamaican landscape, together with the massive use of e-commerce, places increasing responsibility on our financial industry, and indeed on all consumers, to keep abreast of international trends in keeping our data safe from fraudsters. We cannot expect to escape the international trend of increasingly frequent and damaging cyber-attacks on private-sector and government networks, attacks which have increased dramatically in the past decade and are expected to continue to grow.
On February 15, the Economist magazine featured the Nilson Report that revealed that total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15 per cent from the prior year.
Although fraud examiners and forensic accountants have long proselytised the importance (and cost-effectiveness) of prevention in data security methodologies, significant data breaches since late 2013 at large US retailers have further highlighted the threats. Giant corporations such as Albertson's, Target, Michaels, Neiman Marcus, Sally Beauty, P.F. Chang's and SuperValu have been forced to take data security even more seriously than before. The Minneapolis-based retailer Target, for example, reportedly incurred net expenses of $110 million from its well-publicised data breach, while in a recent SEC filing, Home Depot stated that a recent data breach that exposed 56 million credit cards and 53 million email addresses cost the company $43 million in the third quarter of 2014 alone.
The debate between encryption and tokenization has intensified, and we should acquaint ourselves with the pros and cons, using our North American neighbours' experiences as a useful guide. The concept of encryption is fairly well known and in general involves the conversion of data into a form (called cipher text) that cannot be easily understood by unauthorised persons. Modern encryption algorithms play a vital role in the security assurance of IT systems and communications, as they can provide not only confidentiality but also other key elements of security: authentication (verifying the origin of a message); integrity (proof that the contents of a message have not been changed since it was sent); and non-repudiation (the sender of a message cannot deny having sent it).
The term "encryption" applies to the use of cryptographic algorithms to render data unreadable unless the user possesses the appropriate cryptographic 'keys' to decrypt the data. The cryptographic keys must be treated with the same care as the data, as a compromise of the keys will result in a compromise of the encrypted data. Companies must ensure that the encryption method selected is of sufficient strength. Increasing computer power and new cryptologic research will require additional encryption strength over time.
Tokenization is also a form of cryptography. In practice, it approaches security from a completely different angle and secures specific sensitive data by replacing it with a non-sensitive and nondescript value. Typically, the actual sensitive data is stored locally in a protected location or at a third-party service provider, and "tokens" are used to prevent unauthorised access to personal information such as credit card numbers, Social Security numbers, financial transactions, medical records, criminal records, driver and vehicle information, and even voter records.
With this process, a token is "generated" in a variety of different ways, either to match the format of the original data it is hiding or as an entirely arbitrary set of values that is then mapped back to the sensitive information. Business people are particularly impressed with this cost-effective way to secure data without a lot of overhead, since only the sensitive part of the entire data package is "tokenized".
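To make the contrast with encryption concrete, here is an added example (not code from the article) of a minimal, hypothetical token vault in Python. It assumes an in-memory table standing in for the protected store, and a format-preserving design in which the token keeps the card number's length and last four digits but is otherwise random; the vault also refuses any candidate token that would itself pass the Luhn check, so a token can never be mistaken for a real card number. The card numbers used are well-known constructed test values, not real accounts.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only place the real PAN exists.

    A token is a random surrogate with no mathematical link to the PAN, so
    there is no key whose compromise would 'decrypt' it. Anyone who copies the
    token table without access to this vault learns nothing about the PAN.
    """

    def __init__(self) -> None:
        # In production both maps would live in an access-controlled,
        # encrypted store; plain dicts stand in for it here.
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        # Deterministic per PAN: a repeat customer yields the same token, so
        # downstream systems can still match transactions without the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # format-preserving: same length, last four kept
            # Reject candidates that are Luhn-valid (could pass as a real card
            # number) or already issued (would collide with another PAN).
            if not luhn_valid(token) and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Map a token back to its PAN; only code with vault access can do this."""
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"  # constructed, well-known test card number
    token = vault.tokenize(test_pan)
    print(f"PAN {test_pan} -> token {token}")
    print("vault recovers PAN:", vault.detokenize(token) == test_pan)
```

The point of the design is visible in what each side holds: a point-of-sale or analytics system that stores only tokens can be breached without exposing a single card number, whereas with encryption the same breach is only as safe as the key that accompanied the data.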
The journal Computerworld identified a group representing 22 of the world's largest banks that are pushing for broad adoption of tokenization. If we choose to emulate these enlightened corporations, however, let us ensure that here in Jamaica we are cognisant of, and comply with, an appropriate regulatory standard such as The Payment Card Industry Data Security Standard (PCI DSS), which is a proprietary information security standard for organisations that handle branded credit cards from the major card brands, including Visa, MasterCard, American Express, Discover, and JCB.
In deciding which is best for us here in Jamaica, identifying what data needs to be secured, how the data will be used, and the business processes being implemented may together determine what is best for us. It may also not be necessary for us to choose one technology over the other, but instead to adopt a hybrid approach based on our indigenous needs and challenges. What we cannot do, however, is pay tokenism to our data security threats.