Snippet: There’s no denying that the evolution of computing power and technology, and the increasing digitization of almost everything, have made our lives much easier. On the flip side, however, these advances have increased the risk of private data interception and fraud.

There’s no denying that the evolution of computing power and technology, and the increasing digitization of almost everything, have made our lives much easier. On the flip side, however, these advances have increased the risk of private data interception and fraud. Hackers gaining access to confidential customer information is one of the most serious risks financial institutions (FIs) and other enterprises face. Enter encryption and tokenization: the batman and superman equivalent of cybercrime-fighting superheroes (or Castor and Pollux for you Classics majors out there).

Encryption and tokenization are two types of cryptography technologies we use to keep data safe. They are, however, quite distinct. Here’s how Techopedia tells the two apart:

  • Encryption: The process of using an algorithm to transform information to make it unreadable for unauthorized users.
  • Tokenization: The act of breaking up a sequence of strings into pieces such as words, keywords, phrases, symbols and other elements called tokens.

Each technology has its own strengths and can, depending on the circumstances, be used alone or to complement the other.

Encryption explained

The key difference between tokenization and encryption is that encryption is mathematically based. Think of it as a code, like those used during wartime, to send military messages. The process uses a cryptographic algorithm to scramble data so that it is unreadable to anyone without the correct decryption “key”.

“Encryption works. Properly implemented, strong crypto systems are one of the few things you can rely on.” – Edward Snowden

There are two main ways to encrypt data: symmetric key encryption and asymmetric key encryption. Symmetric key encryption uses one key to both encrypt and decrypt data, in the same way that you use one key to both lock and unlock the door to your house. The problem with this approach is that if a key is stolen, then all the information it was used to secure can be stolen and used.

This little problem led to the development of asymmetric encryption, where two keys are used: one to encrypt the information (the public key) and another to decrypt it (the private key). The public key can be freely distributed because it is only ever used to lock the data; not to unlock it. For example, a merchant will use an FI’s public key to encrypt payment data before sending it a transaction to be verified. When it receives the encrypted card data, the FI uses its private key to decrypt it. Entersekt uses asymmetric encryption to secure its out-of-band communication channel.

A problem with encryption is that it can change the appearance and size of the original data. This negatively impacts applications, communications protocols, and databases that rely on a set format or character limit. While there now are encryption schemes that preserve format (format-preserving encryption), they can still involve sacrificing some application functionality for stronger encryption.

Tokenization explained

Unlike encryption, tokenization is a non-mathematical way of protecting data. Simply put, tokenization is the process of substituting an important and sensitive piece of data with a non-sensitive equivalent – usually a randomly generated alphanumeric code. This replacement is the “token”.

One of the main advantages of tokenization is that tokens cannot be decrypted! This is because there is no mathematical relationship, or key, that links the original data and the token. Instead, tokenization uses a large database that link a token to its – often encrypted – related sensitive information. The only way to get the original information is to have access to the database, which is stored in a secured cloud token vault. Outside this vault, there is no way to connect the token to the original data. So, if a hacker does manage to infiltrate an organization’s systems, there is no useful information there to steal.

The first tokens issued were single-use tokens. As the name implies, these tokens can be used for only one transaction. However, there has been a shift towards multi-use tokens. There is no limit to the amount of time you can store these tokens, which means that they can be kept and used for multiple future transactions, through different payment channels.

Another great advantage of tokenization is that a token has a similar format to the original data – in size and type – meaning it does not have to be modified to be used with standard applications, communications channels, and databases. It “looks” and “acts” like the data it replaces. And because tokens can be created in any form, they can be used for almost any data type.

So how does it work?

In very basic terms, here’s how tokenization works when using a payment app:

  • You enter your credit card details – the sensitive data – into the app.
  • Immediately, the app sends the data to the tokenization server; it is not stored on the app or device.
  • The server generates the token, which is stored – usually in an encrypted form – with the original data in the token vault.
  • The server then sends the token to the app.
  • The app stores the token and uses it – not the original data – for all your transactions within that app.

The crux of the safety of tokenization is that the real data is never stored in an application, merchant system or bank; it is only ever stored within the secure vault. Access to the vault is highly restricted, which dramatically limits the risk of unauthorized access.

This may all seem too good to be true, and as with most things, it is. The main problem with tokenization is its technical scalability, which may be the reason for its slow uptake. However, advances in tech means we are beginning to see it used for much larger and more complex sets of data, such as medical and patient data.

Both encryption and tokenization are used today to protect data stored in cloud services or applications. Choosing which to use – encryption, tokenization, or a combination of both – will depend on the type of data to be secured and the regulatory requirements that need to be met.

Subscribe to our blog.

Alpa Somaiya


From science to health research to fintech, Alpa is a self-confessed jack-of-a-few trades. When not despairing about the use of the Oxford comma, she enthusiastically collates, translates and disseminates information for your reading pleasure, and with the hope that we all learn a little something along the way.

Entersekt Logo

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.