The holidays are here, and that means two things: a boost in mobile sales and (ideally) a boost in cybersecurity. Earlier we talked about beefing up your security controls to protect those customers who shop from their smartphones; today we’re going to look at new mobile payment techniques and how they offer multiple layers of security through tokenization.
This has been especially visible in new mobile payment offerings such as Google Wallet, PayPal and Apple Pay, which turn smartphones into payment tools. By adopting tokenization, often paired with encryption and biometric authentication, these companies are finding ways to reduce their compliance scope, limit the damage of a breach and protect card data far more effectively than storing card numbers ever could.
Take a look at Apple Pay, which pairs the Secure Enclave on the device with hardware security modules (HSMs) on the back end to protect and manage the keys used for authentication and cryptographic processing. The Secure Enclave is a co-processor with its own encrypted memory for secrets and key storage; keys held there are never handed to the main operating system, which offers far more protection than a password or a key file on disk. Tokenization then adds a layer that, in one important respect, is safer than encryption alone. Why? Simply put, encryption is only as strong as the secrecy of its keys: modern ciphers are not cracked by brute force in practice, but keys are stolen, leaked and mismanaged all the time. Once that happens, the encryption protecting the real data is no longer effective.
Tokenization, on the other hand, keeps you protected even in the face of a breach, because the only things hackers steal are meaningless numbers. The real data is replaced with a randomly generated surrogate value that has no mathematical relationship to it, so there is nothing to decrypt. Only the lookup table (the token vault) can connect a token back to the original data, and the vault lives in a separately protected platform outside your environment. That makes the vault and its detokenization interface the crown jewels of the scheme: it is only as strong as the access controls around them.
If implemented properly, tokenization keeps the regulated data out of your environment, and systems that only ever handle tokens can fall out of scope for PCI DSS. (The components that perform tokenization and detokenization remain squarely in scope.) Because tokens can be generated to resemble the original data in type and length, often preserving the last four digits for receipts and customer service, they travel smoothly through applications, databases and systems built to hold card numbers. A well-designed token is also constructed so that it can never pass as a real card number itself.
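To make the mechanics concrete, here is a small Python model of the lookup-table approach described above, written for this article rather than taken from any vendor's product: a `TokenVault` class (a hypothetical name) that issues format-preserving tokens and holds the only mapping back to the card number, and a merchant-side check that a leaked order table contains nothing resembling a card number. The in-memory dictionaries stand in for the separately hosted vault, the sample card numbers are the well-known public test numbers rather than real cards, and the rule that a token must fail the Luhn check is a common design choice, assumed here, so that a token can never be mistaken for or used as a real card number.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that every real card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: the only component that ever sees a real PAN.

    In a real deployment this would be a separately secured service (or the
    payment network's token service); the dictionaries here stand in for its
    protected storage so the example runs offline.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for a primary account number."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a plausible card number")
        # Repeat customers get the same token, so the merchant can still
        # recognise a card for recurring billing and fraud analytics.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]        # keep the last four for receipts
            # A token must not be mistakable for, or usable as, a real card
            # number: reject candidates that pass Luhn (which also rules out
            # token == pan) and any candidate already issued to another PAN.
            if luhn_valid(token) or token in self._token_to_pan:
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only callers trusted with the vault may do this."""
        if token not in self._token_to_pan:
            raise KeyError("unknown token")
        return self._token_to_pan[token]


def merchant_dump_leaks_pans(records: dict[str, str]) -> bool:
    """Simulate an attacker reading the merchant's order table.

    Returns True if any stored value could be a real card number, i.e. if
    something other than a token has leaked into the merchant environment.
    """
    return any(luhn_valid(value) for value in records.values())


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: publicly known test card numbers, not real cards.
    orders = {
        "order-1001": vault.tokenize("4111111111111111"),
        "order-1002": vault.tokenize("5500000000000004"),
        "order-1003": vault.tokenize("4111111111111111"),  # same card again
    }
    for order_id, token in orders.items():
        print(order_id, token, "ends in", token[-4:])
    print("merchant dump exposes card numbers:", merchant_dump_leaks_pans(orders))
    print("vault lookup of order-1001:", vault.detokenize(orders["order-1001"]))
```

Run it directly to watch the vault issue tokens. The point to notice is that every value the merchant's table holds ends in the right four digits for receipts yet fails the Luhn check, so a dump of that table contains no card numbers, and only a caller with access to the vault can reverse a token.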
Let me be clear: encryption can still offer significant benefits. From meeting compliance standards to protecting data, encryption is an indispensable component of any security program. But when you look at the differences between encryption and tokenization in an attack, it’s hard to miss the obvious advantages of using tokens. Here’s what I mean.
Let’s say that hackers capture your encrypted data. If they also get hold of the encryption key, whether by lifting it from the same compromised environment or by exploiting weak key management, they’ve got full access to the sensitive data. But if those hackers break into a tokenized system, they make off with random surrogate values that, unlike ciphertext, are not a reversible function of the original data and can’t be decrypted. As long as the token vault itself was not reached, the breach damage is dramatically reduced. Why? Because no real card data was stolen, the PCI fines and remediation costs that follow a card-data breach largely fall away, and your brand is spared the loss of customer trust. One caveat: a token is still a credential inside the system that issued it. If an attacker can call your detokenization or payment interface with stolen tokens, those tokens are not harmless, so that interface needs the same authentication and monitoring you would give the keys in an encryption scheme.
While tokenization has been around for a while, organizations are just beginning to fuse it with encryption and biometrics in innovative mobile solutions. As we close out a year of seemingly nonstop breaches, it’s apparent that more and more businesses are getting serious about security – and more customers are favoring the businesses that do so. Given its effectiveness when it comes to preventing data theft and loss, tokenization is definitely a powerful tool in the war against cybercrime.