Tokenization vs. encryption in online payment security

The Airwallex Editorial Team

Online transactions have become an important part of today’s shopping experience, with over one-third of revenue now stemming from eCommerce [1] for many businesses. As online payment processing continues to grow, so do the risks of unauthorised access to sensitive payment data and card fraud, making the protection of customer data a priority.
To lower these risks, merchants should ensure their payments are processed using security measures such as tokenization and encryption. While both measures help keep sensitive information safe, they work in different ways.
What is tokenization?
Payment tokenization is a process that replaces personal payment information (like credit card numbers) with a unique identifier called a token. This can be used during transactions without revealing the actual data.
A token is a random hexadecimal string (a sequence of characters using the numbers 0–9 and letters A–F), made up of alphanumeric characters (letters and numbers) that carry no meaning. A token is therefore useless to anyone who might intercept it. The token is used in place of the actual sensitive data, which is stored safely in a secure vault.
Tokenization is commonly used to protect a customer’s information when they save payment details with a merchant for recurring payments or for one-click checkout.
Many merchants prefer to use payment processors for tokenization instead of handling it themselves. This choice helps you avoid the responsibility of managing and securing sensitive payment information, lowering your risk and compliance burden. Card schemes like Visa and Mastercard have also introduced network tokenization (NT), which creates tokens specific to each merchant a customer shops with.
If you decide to tokenize data using your own resources, you must ensure your system is secure and meets all the necessary regulations and standards, like the Payment Card Industry Data Security Standard (PCI DSS).
How tokenization works
When a customer saves their payment information on a merchant’s platform, the payment processor or a tokenization service provider generates a token.
Tokenization works by storing the original data in a highly secure token vault while the token is used in its place for future transactions. This way, even if a token is intercepted, the card information remains safe.
When a transaction is processed, the token is sent to the payment processor, who maps it back to the original credit card information for verification.
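The vault mapping described above, as an added example in Node.js (not Airwallex's code or any processor's API). The `TokenVault` class, the merchant IDs, the 32-character token length and the test card number are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Hypothetical in-memory vault; a real vault is a separate, hardened service.
class TokenVault {
  constructor() {
    this.entries = new Map(); // token -> { pan, merchantId }
  }

  // Issue a fresh random token for this card at this merchant.
  tokenize(pan, merchantId) {
    const digits = pan.replace(/[\s-]/g, "");
    if (!/^\d{12,19}$/.test(digits)) throw new Error("not a card number");
    // 16 random bytes as 32 hex characters; nothing is derived from the PAN.
    const token = crypto.randomBytes(16).toString("hex");
    this.entries.set(token, { pan: digits, merchantId });
    return token;
  }

  // Only the vault can map a token back, and only for the issuing merchant.
  detokenize(token, merchantId) {
    const entry = this.entries.get(token);
    if (!entry || entry.merchantId !== merchantId) {
      throw new Error("unknown token");
    }
    return entry.pan;
  }
}

function demoTokenization() {
  const vault = new TokenVault();
  const pan = "4111 1111 1111 1111"; // constructed test card number
  const first = vault.tokenize(pan, "merchant-a");
  const second = vault.tokenize(pan, "merchant-a");
  let otherMerchant = "accepted";
  try {
    vault.detokenize(first, "merchant-b");
  } catch {
    otherMerchant = "rejected";
  }
  return {
    tokenIsHex: /^[0-9a-f]{32}$/.test(first),
    tokensDiffer: first !== second,
    recovered: vault.detokenize(first, "merchant-a"),
    otherMerchant,
  };
}

console.log(demoTokenization());
```

Two tokens for the same card differ because each is drawn at random, so the only way back to the card number is a lookup in the vault.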
3 benefits of tokenization for online payments
Tokenization offers several benefits for online payments. It reduces the risk of data breaches, creates a smoother checkout process, and simplifies compliance.
Reduces the risk of data breaches: By replacing sensitive card data with unique tokens, tokenization reduces the risk of data breaches. Even if a token is intercepted, it can't be used to make unauthorised transactions.
Creates a smoother checkout process: Allowing customers to securely store their payment information makes the checkout process faster and easier.
Simplifies compliance: Tokenization makes it easier to meet PCI DSS compliance and other international data protection regulations by removing the need to store or send sensitive data.
What is encryption?
Encryption is a security method that converts plaintext data like a credit card number into unreadable data, also known as ciphertext. The ciphertext can only be deciphered with a specific key. This process ensures that only authorised individuals can access the original data.
While you can set up data encryption on your own if you have the right skills in-house, it can be complicated and require a lot of resources. A reliable payment processor or payment service provider (PSP) often takes care of many of these security aspects for you. They use strong encryption methods and secure communication protocols, like Hypertext Transfer Protocol Secure (HTTPS) or Secure Sockets Layer/Transport Layer Security (SSL/TLS), to protect card data as it travels.
How encryption works
Encryption works by using a special mathematical algorithm that turns the original, readable data into a string of jumbled, unreadable characters. The encryption process depends on a key, which is like a secret password that determines how the information is transformed. In payment processing, the encrypted data must be decrypted with the correct decryption key after it’s transmitted, otherwise the payment can't be completed.
The encryption process can vary slightly depending on whether it’s encrypting data in transit, at rest, or end-to-end.

Encryption in transit: This process works by securing data as it moves between the customer’s device and your platform. When a customer enters their payment details into your platform, the data is immediately encrypted using algorithms like AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman). This encrypted data is then transmitted over secure channels, like HTTPS (which uses SSL/TLS to establish a secure connection). To decrypt this data and process the payment, your server uses the corresponding decryption key.
Encryption at rest: Once the customer’s payment information reaches your platform, it's often stored in a secure database. To prevent unauthorised access, the data is encrypted before it’s stored. Common encryption methods for data at rest include AES and other symmetric encryption algorithms, which use the same key for both encryption and decryption. Key Management Services (KMS) often manage the encryption key for data at rest.
End-to-end encryption: This process ensures the payment data is encrypted from the moment it's entered by the customer until it reaches your payment processor. End-to-end encryption uses a combination of public and private keys – the public key is used to encrypt the data and the private key, which is only accessible from the recipient’s device, is used to decrypt it.
3 benefits of encryption for online payments
Encryption offers several benefits for online payments. It supports secure data transmission, detects data tampering, and improves compliance.
Supports secure data transmission: Encryption helps protect data from unauthorised access when it’s sent over the internet, giving customers confidence their information is safe. This not only protects their data but also builds trust, encouraging more customers to complete their online transactions.
Detects data tampering: Encryption often includes features that can spot if someone tries to change the data. If a bad actor tries to access and modify encrypted data, the system will catch it and send an alert for review.
Improves compliance: Any merchant that accepts, stores, or processes card information is required to use data encryption for PCI DSS compliance. Encryption also helps improve data security for other regulations like the European Union’s General Data Protection Regulation (GDPR).
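Key-dependent reversibility and tamper detection, as described in the sections above, shown in an added Node.js example that is not Airwallex's code. The page names AES but no mode; AES-256-GCM (an authenticated mode) is chosen here as an assumption, and the key and card number are constructed test values.

```javascript
const crypto = require("node:crypto");

// Encrypt a card number with AES-256-GCM. In production the key comes from a KMS.
function encryptPan(pan, key) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(pan, "utf8"), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt and verify; throws if the key is wrong or the data was altered.
function decryptPan({ iv, ct, tag }, key) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Returns the plaintext, or null when authentication fails.
function tryDecrypt(record, key) {
  try {
    return decryptPan(record, key);
  } catch {
    return null;
  }
}

function demoEncryption() {
  const key = crypto.randomBytes(32); // constructed 256-bit key
  const record = encryptPan("4111111111111111", key); // constructed test number
  // Flip one bit of a copy of the ciphertext to simulate tampering.
  const tampered = { ...record, ct: Buffer.from(record.ct) };
  tampered.ct[0] ^= 0x01;
  return {
    rightKey: tryDecrypt(record, key),
    wrongKey: tryDecrypt(record, crypto.randomBytes(32)),
    tampered: tryDecrypt(tampered, key),
    ciphertextLength: record.ct.length,
  };
}

console.log(demoEncryption());
```

Unlike a token, the ciphertext is computed from the card number, so anyone holding the key can recover it; that is why key management carries the risk.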
Differences between tokenization vs. encryption
Tokenization and encryption are both important methods for securing sensitive data during payment processing, but they have distinct differences.
| | Tokenization | Encryption |
|---|---|---|
| Data format | The format of a token is a combination of 16 letters, numbers, and characters. These represent a 16-digit card number, e.g. 12!x45%08Rp134N% replaces 0000-0000-0000-0000. | Encrypted data is often hexadecimal, meaning a combination of 16 numbers and letters (0-9 and A-F) represents the original card details, e.g. 0000-0000-0000-0000 turns into 1Ab02pE20b6E78zM. |
| Storage | Tokens are stored in a secure token vault. | After data has been encrypted, it can be stored in various locations, such as a database, hard disk, or the cloud. |
| Security | Tokenization is highly secure. Even if a token is intercepted, it’s useless without access to the token vault. Since there's no algorithmic relationship between the token and the original data, it can't be decoded or "cracked". | If properly implemented, modern encryption (e.g., AES-256) is considered virtually unbreakable with current computing power. Key management is critical. If the encryption keys are stolen or mishandled, the encrypted data can be decrypted. Encryption is designed to be undone, and this can be a potential risk. |
| PCI DSS compliance | Tokenization makes compliance easier since it reduces the number of places sensitive data is stored and handled. | Encryption is required for PCI DSS compliance. |
| Reversibility | Tokens can’t be reversed to show the original data. Original data can be retrieved by mapping the token back to the original data in the token vault. | Encryption is reversible as long as the correct decryption key is used. |
How tokenization and encryption work together to improve payment security
When it comes to online payments, using both tokenization and encryption can help create a strong defence against security risks.
Payment processors are required to have robust encryption features built into their systems to comply with PCI DSS regulations. While PCI DSS doesn't explicitly require tokenization, it's widely adopted by PSPs, like Airwallex, as a best practice to further improve payment security.
Airwallex’s approach to securing online payments
Most businesses wait until after a data breach happens to prioritise payment security. This reactive approach can lead to significant financial losses, reputational damage, and even legal consequences. All of this can be avoided when the right security measures are in place. That's why partnering with a PSP who takes a best-in-class approach to payment security is important.
At Airwallex, security is the foundation of what we do, which is why we’re trusted by 150,000+ businesses to process over US$100 billion in global transactions each year.
We take a multi-layered approach to the security and compliance of online payments, which includes 24/7 security control monitoring, encryption, and tokenization.
By making security a top priority, we not only ensure the integrity and safety of your online payments, but also help you build trust with your customers as you grow your business.
Sources:
1. McKinsey & Company Global B2B Pulse Survey, 2024

The Airwallex Editorial Team
Airwallex’s Editorial Team is a global collective of business finance and fintech writers based in Australia, Asia, North America, and Europe. With deep expertise spanning finance, technology, payments, startups, and SMEs, the team collaborates closely with experts, including the Airwallex Product team and industry leaders to produce this content.