EMV vs. Tokenization vs. Encryption: Explaining the Difference
The payments world is abuzz with terminology related to security. In this era of big breaches, we’ve all grown accustomed to tossing these terms around: EMV, tokenization, encryption.
We know that tokenization and encryption can be used together to help protect merchants from fraud. And EMV, well, the liability shift coming in October signals a change in the way we protect cardholders from fraud with signature-related efforts.
But what’s the actual difference between all of these solutions? How do they help protect against fraud? Let’s explore.
The biggest difference between these fraud solutions has to do with where the security is taking place.
With the Card – EMV
EMV is related to the card itself. Sometimes called “chip-and-PIN” or “chip-and-signature,” these cards have a microprocessor chip that stores the payment data, rather than keeping it on the magnetic stripe. These chips encrypt a unique digital signature for each purchase, and they require either a PIN entry or signature along with each purchase. These cards aren’t swiped; you have to “dip” them instead: insert the card into the terminal slot and wait.
However, some EMV cards can be processed using NFC (near-field communication), which means the card does not have to be “dipped”; it can instead be processed by a tap against a scanner.
In the Hardware – Encryption
Encryption is a security effort that happens in the read head of card processing hardware. This is directly related to card readers and terminals. Encryption occurs before authorization, while the data is “hanging out” after it has been captured. Encryption turns the card data into unreadable ciphertext, which can only be decrypted using a secret key.
During the Transaction Process – Tokenization
Tokenization happens prior to authorization, during the transaction process. Tokens replace card data with a surrogate value. This value is passed along during the transaction, while the real data is kept safe on a secure server. The tokens are worthless, so criminals who access them during transport won’t find any value in them. Tokenization can be integrated using something like Forte.js, which allows you to create a payment form that uses a one-time token for each transaction. Forte stores the sensitive data in our PCI-compliant tier 1 data centers, so the burden is lifted from you.
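The one-time token flow described above, sketched as an added example; this is not Forte.js or Forte's code. `TokenVault`, `checkout`, the `tok_` prefix and the five-minute lifetime are hypothetical names and values chosen for illustration, and the in-memory dictionary stands in for the secure server.

```python
import secrets
import time


class TokenVault:
    """Hypothetical stand-in for the secure server that holds the real card data."""

    def __init__(self, ttl_seconds=300):
        self._store = {}        # token -> (card number, expiry time)
        self._ttl = ttl_seconds

    def tokenize(self, card_number):
        """Swap a card number for a random surrogate with no mathematical link to it."""
        digits = "".join(ch for ch in card_number if ch.isdigit())
        if not 12 <= len(digits) <= 19:
            raise ValueError("not a plausible card number")
        # Unlike ciphertext, the token is not derived from the card data,
        # so there is no key that could turn it back into the number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = (digits, time.monotonic() + self._ttl)
        return token

    def redeem(self, token):
        """Resolve a token inside the vault boundary; each token works once."""
        entry = self._store.pop(token, None)   # pop() enforces single use
        if entry is None:
            raise KeyError("unknown or already used token")
        digits, expires_at = entry
        if time.monotonic() > expires_at:
            raise KeyError("expired token")
        return digits


def checkout(vault, card_number):
    """Return what travels with the transaction: the token plus a masked number."""
    token = vault.tokenize(card_number)
    last4 = "".join(ch for ch in card_number if ch.isdigit())[-4:]
    return {"token": token, "display": "**** " + last4}


if __name__ == "__main__":
    vault = TokenVault()
    order = checkout(vault, "4111 1111 1111 1111")   # constructed test number
    print(order)                                     # no card number in here
    print(vault.redeem(order["token"]))              # only the vault can resolve it
```

A second `redeem` call with the same token raises `KeyError`, which is what makes an intercepted token worthless once the transaction has gone through.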
As you can see, all three of these solutions operate in different ways. It makes sense to layer them in order to create the most beneficial fraud prevention solution for you. For more information on these tools, feel free to give us a call at 866.290.5400.
Photo credit: Aaron Escobar