The Green Sheet, Inc

The Green Sheet Online Edition

August 10, 2009  •  Issue 09:08:01



The real story on tokenization

Your cover story, "Diverse perspectives on end-to-end encryption," dated May 25, 2009, states on page 63: "One option, known as tokenization, is simply the use of a single, common encryption key by different parties up and down networks. It is considered by many to be a relatively uncomplicated way to avoid decrypting data when it's transferred, since each handler is privy to the original encryption formula."

This is an incorrect statement as it is describing encryption, not tokenization. As the person that coined the phrase tokenization as it is applied to payments, I urge you and your readers to read my 2008 white paper "Tokenization in Depth" - at

This white paper clearly defines that a token is not encrypted data; instead a token is simply a reference key to other data, in this case sensitive cardholder data.

Tokens, by definition, are not decryptable. The author of the article is describing a problem with one form of end-to-end encryption.

I guess the best way to distinguish the difference between an encryption solution and a tokenization solution is by example: One merchant has a plain text file on his server containing thousands of tokens. Another merchant has a plain text file on his server containing thousands of fully encrypted card numbers (for this example, the encryption doesn't really matter; it could be any strong cipher or hidden TDES [Triple Data Encryption Standard]), and further assume the encryption keys are secured in a Tamper Resistant Security Module (TRSM) that has not been compromised.

Both merchants get hacked and the files are stolen. Again, assume the TRSM has not been compromised; only the text files were stolen. The first is not considered a breach because true tokens do not contain cardholder data in any form, whereas the second is considered a breach because even though the card data is encrypted, it does contain cardholder data, and it has the potential of being decrypted.

There are big differences between tokenization and end-to-end encryption. Both have their strengths and weaknesses. I obviously have a bias for tokenization solutions; others have a bias for end-to-end encryption models. To me, the strongest solution would be a hybrid solution using an encrypted card reader feeding a tokenization solution. This would give you the strengths of both.

Steve Sommers
Shift4 Corp.
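
The two-merchant scenario in the letter above, as an added Python example that is not part of the letter or of the white paper it cites. `TokenVault`, `encrypt_pan`, `decrypt_pan` and the HMAC-based stand-in cipher are assumptions made for illustration, and the card numbers are constructed test values.

```python
import hashlib, hmac, secrets

class TokenVault:
    """Processor-side table; the merchant only ever stores the tokens."""
    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)          # random: not computed from the PAN
        while token in self._pan_by_token:    # regenerate on the rare collision
            token = secrets.token_hex(8)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]      # a lookup, not a decryption

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the example needs only the
    # standard library; a real system would use a vetted cipher inside the TRSM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt_pan(key: bytes, pan: str) -> str:
    nonce = secrets.token_bytes(12)
    body = bytes(a ^ b for a, b in zip(pan.encode(), _keystream(key, nonce, len(pan))))
    return (nonce + body).hex()

def decrypt_pan(key: bytes, record: str) -> str:
    raw = bytes.fromhex(record)
    nonce, body = raw[:12], raw[12:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    return plain.decode("latin-1")            # wrong key yields garbage, not an error

# Constructed test card numbers, not real accounts.
PANS = ["4111111111111111", "5555555555554444", "378282246310005"]

def build_merchant_files():
    vault, key = TokenVault(), secrets.token_bytes(32)
    token_file = [vault.tokenize(p) for p in PANS]       # first merchant's file
    cipher_file = [encrypt_pan(key, p) for p in PANS]    # second merchant's file
    return vault, key, token_file, cipher_file

if __name__ == "__main__":
    vault, key, token_file, cipher_file = build_merchant_files()
    print("token file :", token_file)
    print("cipher file:", cipher_file)
    print("key + cipher file ->", [decrypt_pan(key, c) for c in cipher_file])
    print("vault lookup      ->", [vault.detokenize(t) for t in token_file])
```

Every record in the cipher file is a function of a card number and the key, so the file's safety rests entirely on the key staying inside the TRSM; the token file has no key at all, and the card numbers exist only in the vault's table.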


Thank you for taking the time to send us this explanation. We strive for accuracy in all that we publish, but sometimes we don't get it quite right. We will use your white paper as a resource when writing about this topic in the future.


When will my news appear?

If I submit a press release to you containing relevant industry news, when will it be posted? And will you let me know once it's done?

Mary Hebert
Ometz Payments Ltd.


We typically post press releases pertaining to the payments industry on the same day we receive them, but we do not notify parties who send us releases when they are posted. When your release is ready, send it to, and check News From The Wire on the left-hand side of our home page later in the day to see if it's been posted. If you do not see your news there, it's just fine to send us a follow-up e-mail.


Farewell to a payment champion

The payments industry lost a groundbreaker on July 17, 2009, when Paul William Noblett Jr. passed away. Noblett thrived on challenges and was instrumental in the growth of National Bancard Corp. (NaBanco), which is now First Data Corp.

A decorated veteran of the U.S. Army, he began his career in the industry by leading an intricate payroll automation project for the Army Finance Corp.

Noblett joined NaBanco in 1979, leading the company as operations manager through significant growth and acquisitions of several bank merchant portfolios. From 1983 to 1989, he worked for MasterCard International (now MasterCard Worldwide) where he oversaw, among other things, the deployment of Banknet, MasterCard's first global processing network. He then returned to NaBanco, which soon became one of the nation's largest acquirers.

In 1992, Noblett formed his own consulting firm, Noblett & Associates Consulting LLC. Mike McCormack, an Associate in the firm, said, "One of the things he specialized in was helping small and emerging ISOs and various technology companies in the acquiring space move up to the next level. ... Paul's legacy is one of bringing a very optimistic, proactive, enthusiastic perspective to things."

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
