30 Jan 2020

This year's #dataprivacyday presents an opportunity to talk about how tokenisation works for data security and sharing, in particular across organisational boundaries.

#dataprivacyday2020 is a timely reminder that we all need to care about how data is used in our organisation. For the banks and businesses we speak to, privacy is just one part of a larger conversation about data integrity. That conversation extends beyond compliance with data regulations such as GDPR and the right to be forgotten to single sources of truth, security across multiple systems and the well-documented impact that data issues can have on customer experience and brand loyalty.

Because of the importance of this issue, we want to start a conversation about a topic close to our heart at Identitii.

What is tokenisation, and is it better than encryption alone?

On the face of it, tokenisation and encryption seem similar. Most people have some understanding that they are used in a security context and that they appear frequently in articles about blockchain. They both protect data at rest and in transit. So far, so the same. But there are important differences, in particular around how they handle security and risk concerns.

Tokenisation is the process of turning a meaningful piece of data, such as a customer account number, into a random string of characters called a token, which has no meaningful value if breached. Tokens serve as a reference to the original data but cannot be used to guess the original values. And because the process uses cryptography to take hashes of information and store them on the blockchain network, it makes the records verifiable and tamper-proof.

Encryption, on the other hand, is the process of using an algorithm to transform plain text information into a non-readable form called ciphertext. An algorithm and an encryption key are required to decrypt the information and return it to its original plain text format.

So, which is better for protecting data privacy and maintaining integrity?

It depends on what you’re using it for.

Identitii uses both. We use tokenisation in particular when it comes to exchanging information between parties, as it provides an additional layer of permissioning and allows us to ‘share’ data without having to actually send it anywhere. It’s a more secure way to keep and move data both within an organisation and, perhaps more importantly, when it needs to be securely shared with trusted third parties such as regulators or across payment rails. Tokenisation allows for permissioning of the underlying data and the exchange of a pointer to an additional store without transferring the actual information or, in the example of a payment, the payload. This has applications in a wide variety of industries where data security and application performance are paramount.

Data integrity win.
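
The following sketch illustrates the pattern described above: a random token exchanged as a pointer, permissioned access to the underlying value, and a published hash that makes the record verifiable. It is an added example, not Identitii's code; `TokenVault` and its methods are hypothetical names, an in-memory dict stands in for the blockchain ledger, and the per-record salt is an assumption of this example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Hypothetical vault: the real values never leave it, only tokens do."""

    def __init__(self):
        self._records = {}  # token -> (value, salt, parties allowed to read)
        self.ledger = {}    # token -> digest; stands in for the shared ledger

    @staticmethod
    def _digest(value: str, salt: bytes) -> str:
        # Salted so a low-entropy value (an account number) cannot be
        # brute-forced from the published digest alone.
        return hashlib.sha256(salt + value.encode()).hexdigest()

    def tokenise(self, value: str, allowed: set) -> str:
        token = secrets.token_urlsafe(16)  # random: no relation to value
        salt = secrets.token_bytes(16)
        self._records[token] = (value, salt, frozenset(allowed))
        self.ledger[token] = self._digest(value, salt)
        return token

    def detokenise(self, token: str, party: str) -> str:
        value, salt, allowed = self._records[token]
        if party not in allowed:
            raise PermissionError(f"{party} may not read this record")
        # Integrity check: the stored value must still match the ledger.
        if not hmac.compare_digest(self._digest(value, salt), self.ledger[token]):
            raise ValueError("stored value no longer matches ledger digest")
        return value


def demo():
    vault = TokenVault()
    account = "AU-0012-3456-7890"  # constructed sample value
    token = vault.tokenise(account, allowed={"regulator"})
    results = {"token_leaks_value": account in token}
    results["regulator"] = vault.detokenise(token, "regulator")
    try:
        vault.detokenise(token, "other-bank")
        results["other_bank"] = "allowed"
    except PermissionError:
        results["other_bank"] = "denied"
    return results
```

Unlike ciphertext, the token here cannot be reversed by anyone holding a key; recovering the value requires access to the vault and a permission check.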