Prime Factors Releases Free Educational White Paper on Tokenization

August 17, 2011

Tools

Independent research provides IT with critical guidance on use of encryption vs. tokenization

EUGENE, Ore.--(BUSINESS WIRE)-- Prime Factors announces the availability of a free educational white paper on the hot topic of tokenization for data protection. Prime Factors sponsored this research paper—independently written by data security analyst firm Securosis—to help IT departments know when to use tokenization and when to use encryption. Titled “Tokenization vs. Encryption: Options for Compliance,” it is available to download on the Prime Factors website.

The white paper was commissioned in conjunction with the recent launch of a tokenization module for EncryptRIGHT®, Prime Factors’ data encryption and key management software.

“Our customers have many questions about tokenization, and we feel this paper will help them understand how tokenization can solve compliance problems,” said Patrick Riley, president of Prime Factors.

White paper author and tokenization expert Adrian Lane does not endorse specifics products, but is an advocate of the technology, saying “Personally Identifiable Information (PII) remains a huge potential market for off-the-shelf tokenization products.”

Lane’s research evaluates which technology is best suited for three types of data – PII, payments and Personal Health Information (PHI). It says that tokenization is well-suited to protect payment data, hasn’t crossed the chasm for PII, and just doesn’t work for PHI.

“Tokenization is an important security tool, with cost and security advantages over encryption in select use cases,” concludes Lane. “Today tokenization is used almost exclusively for payment card security.”

Lane is seeing early adoption of tokenization for personal and health care information replacement, but both use cases have hurdles to overcome. Securosis research indicates that the adoption trend will continue as the same tangible benefits are possible.

Highlights from the white paper:

There’s a common misconception that tokenization and format preserving tokens are the same thing.
If credit card data is replaced with tokens, almost half the security checks no longer apply, taking them out of scope for a PCI audit.
Tokenization of payment data is a proven model with thousands of users.
Most companies don’t have strong motivation to protect personal information (PII) such as your social security number. If it’s lost or stolen, you need to clean up the mess.
Encryption is well-suited for protecting PII. Tokenization doesn’t work as well.
Tokenization doesn’t work for PHI because it’s a many-to-many problem: many pieces of data bundled in different ways for different audiences. “The problem is knowing which data to tokenize for any given audience, and maintaining tokens for each use case,” Lane writes, and concludes that encryption works better for PHI.

About Prime Factors

Prime Factors has developed data security software since 1981. Offerings include the Bank Card Security System (BCSS), Psypher Security Suite and EncryptRIGHT, which provides a better way to achieve PCI compliance with encryption or tokenization. For more information go to http://www.primefactors.com/products/EncryptRight/index.html.