With tokenization, the sensitive cardholder data obtained during a card transaction is replaced with a marker, or token, in the merchant's system. A token is typically a randomly generated alphanumeric code that takes the place of the original data. Unlike encrypted data, the token is not mathematically related to the original data, so retrieving the original data that the token replaced requires an index. The original data is kept in storage so that, when the merchant needs it to issue a refund or for another reason, it can be retrieved.
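The token-and-index mechanism described above, as an added example that is not code from the original page or from any payment vendor: a minimal in-memory vault that issues random tokens and holds the only mapping back to the card number. The class name `TokenVault`, the 16-character token length, the keyed-fingerprint lookup for repeat cards and the allowed-purpose list are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
ALLOWED_PURPOSES = {"refund", "return", "chargeback"}  # assumed policy


class TokenVault:
    """Hypothetical in-memory vault: the index that maps tokens back to card numbers."""

    def __init__(self):
        self._index = {}    # token -> card number; the only copy of the real data
        self._seen = {}     # keyed fingerprint of card number -> token already issued
        self._fp_key = secrets.token_bytes(32)

    def _fingerprint(self, pan):
        # Keyed hash so a repeat card can be found without indexing by the raw number.
        return hmac.new(self._fp_key, pan.encode(), hashlib.sha256).digest()

    def tokenize(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        fp = self._fingerprint(pan)
        if fp in self._seen:
            return self._seen[fp]
        while True:
            # Drawn from the OS CSPRNG: nothing about the token derives from the card number.
            token = "".join(secrets.choice(ALPHABET) for _ in range(16))
            if token not in self._index and not token.isdigit():
                break       # unique, and cannot be mistaken for a card number
        self._index[token] = pan
        self._seen[fp] = token
        return token

    def detokenize(self, token, purpose):
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"detokenization not permitted for {purpose!r}")
        return self._index[token]   # KeyError for a token this vault never issued


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"        # constructed test number, not a real card
    token = vault.tokenize(pan)
    print("merchant stores:", token)
    print("refund lookup  :", vault.detokenize(token, "refund"))
```

The merchant's records hold only the token; every real card number lives in `_index`, which is why the security of that one store decides how many records a thief can recover.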
Tokenization protects the stored information only after the transaction has been initially authorized or the original data has been replaced with the token. Tokenization alone does not protect against data theft during transmission. And while the store holding the index of tokens and original data can be secured, tokenization still gives thieves the ability to retrieve millions of records if any element of the security on that data store is weak. The best alternative is not to create a potential vulnerability at all.
As currently designed, E3 will apply the beneficial elements of post-processing tokenization. Once the encrypted data reaches the card brands, merchants can receive tokenized authorizations to use for easier refunds, returns and chargebacks. Because the token keys are retained by the card brands, it is unlikely that the data will wind up in the wrong hands.