
As mentioned in my last blog post a few weeks ago, Visa issued their initial guidance on tokenization best practices. Having discussions around tokenization, as an industry, is essential to its future. I like how Rob McMillon articulates the difference between tokenization and encryption in his latest blog post.

Below, taken from Rob’s post, is a good glossary of terms that really differentiates encryption from tokenization and data substitution.

Token – A data substitute that is created using a random character generation process. The association between a token and the original value is maintained in an index database, and there is no direct mathematical relationship between the original value and the resulting token.

Tokenization – The act of creating a token.

Encryption – The application of a mathematical process to data to render the data unintelligible or unusable. Encryption is distinguished by being repeatable, reversible, or both. There is a direct mathematical relationship between the original and the derived value.

Data Substitution – The act of replacing data that has some form of inherent value with data that does not. The substitute data is used to support systems and processes in lieu of the sensitive data.
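To make the glossary's distinction concrete, here is an added sketch (not from Rob's post or from Visa's guidance): a token vault whose tokens come from a random generator and resolve only through an index database, next to a keyed transform whose output is a pure function of key and data. The names `TokenVault` and `xor_keystream`, the one-token-per-value behaviour, and the HMAC-SHA256 keystream used as a stand-in for a real cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3
import string

ALPHABET = string.ascii_uppercase + string.digits
SAMPLE_PAN = "4111111111111111"  # constructed test value, not a real account


class TokenVault:
    """Index database mapping random tokens to original values."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE vault (token TEXT PRIMARY KEY, value TEXT UNIQUE)")

    def tokenize(self, value, length=16):
        row = self.db.execute(
            "SELECT token FROM vault WHERE value = ?", (value,)).fetchone()
        if row:  # assumption: one token per value, so reuse the index entry
            return row[0]
        while True:
            # Random character generation: the value is never an input.
            token = "".join(secrets.choice(ALPHABET) for _ in range(length))
            try:
                self.db.execute("INSERT INTO vault VALUES (?, ?)", (token, value))
                return token
            except sqlite3.IntegrityError:  # token collision, draw again
                continue

    def detokenize(self, token):
        row = self.db.execute(
            "SELECT value FROM vault WHERE token = ?", (token,)).fetchone()
        return row[0] if row else None  # no index entry, no way back


def xor_keystream(key, data):
    """Stand-in for encryption (HMAC-SHA256 keystream XOR), illustration only.
    Output depends only on key and data; applying it twice reverses it."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))
```

A token taken to a different vault resolves to nothing, while anyone holding the key can reverse the keyed transform without any database, which is why protecting the index database is the central control in a tokenization design.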

Again, I encourage you to provide your insight on this topic to Visa. They are accepting recommendations through August 31, 2010. Send your comments by e-mail to inforisk@visa.com with “Best Practices for Tokenization” in the subject line.