
Tokenisation and Encryption

Digital transformation, driven by “high tech” including AI and blockchains, has provided a multitude of opportunities for organisations to innovate by creating a leap in buyer value and delivering increased efficiencies across a wide cross-section of buyers. Individuals and businesses have benefited tremendously from this transformation, but have also become susceptible to security threats and cyber criminality. According to a study conducted by the Verizon Business RISK Team, more than 280 million payment card records were breached in 2008. The global financial market collapse created economic headwinds of unprecedented proportions, and some of the largest data breaches in history occurred in the same year. In fact, the study confirmed that if reasonable security controls had been in place at the time of the incident, the breaches could have been avoided in their entirety.

Compliance with security standards is a resource-intensive challenge for all businesses, irrespective of size. Despite the enormous efforts and vast expenditure of businesses to secure their data, hundreds of millions of records have been breached and continue to be. For instance, the Verizon Business RISK Team highlighted that retail, financial services, and food and beverage accounted for three-quarters of the 2008 breaches. The majority of the records were compromised from servers and applications. In 66 percent of the cases, the breach involved data that the organisation did not know existed on its servers.

Data breaches have continued to plague numerous industries since 2008. In 2018, an unprecedented number of breaches occurred, varying in severity. Hacking groups injected malicious code into poorly secured web pages of British Airways, which exposed the data of 380,000 customers, and in India, an ID database managed by the Indian Government was compromised, exposing the identity details and private information of 1.1 billion individuals.

Two technologies utilised in the protection of data are encryption and tokenisation. The two are often mentioned together, and the terms are used interchangeably. While both are data obfuscation technologies, there are clear distinctions between them. Both can be utilised to secure data under varying circumstances, and in some instances, such as end-to-end payment facilitation, encryption and tokenisation are used together.

Encryption is the process of using an algorithm to transform plain text information into a non-readable form called ciphertext. An algorithm and an encryption key are required to decrypt the information and return it to its original plain text format. In symmetric key encryption, the same key is used to both encrypt and decrypt the information. In asymmetric key encryption, two different keys are used for encryption and decryption. An individual's private key can therefore decrypt messages sent to that individual, but cannot decrypt what is sent to another party, as that is encrypted with another key pair. Today, secure sockets layer (SSL) encryption is commonly used to protect information as it is transmitted on the Internet. Using the built-in encryption capabilities of operating systems or third-party encryption tools, millions of people encrypt data on their computers to protect against the accidental loss of sensitive data in the event their computer is stolen. Data encryption can be an expensive and resource-intensive proposition.

Tokenisation, on the other hand, is the process of converting a piece of data into a random string of characters known as a token. Tokenisation protects sensitive data by substituting non-sensitive data for it. The token serves merely as a reference to the original data, and cannot be used to determine the original values. A credit card number, for example, is replaced within the merchant’s storage environment by a token value generated in such a way that it cannot be linked back to the original data element. The token value can, therefore, be used in numerous applications, some of which are considered in this paper, as a substitute for real data (see Figure 1). The advantage of tokens is that they have no mathematical relationship to the real data that they represent. The real data values cannot be obtained through reversal, and hence, in a breach, the stolen information has no value.

Figure 1. Blockchain and tokenisation value framework.
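The tokenisation described above, as an added example that is not from the original article: a hypothetical in-memory `TokenVault` (the class, its method names and the sample card number are all constructed for illustration) replaces a card number with random digits and can recover it only by a lookup inside the vault. Issuing the token as a digit string of the same length as the card number is an assumption made here.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """In-memory stand-in for a tokenisation service (hypothetical design)."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the duplicate-lookup index only
        self._by_token = {}  # token -> original value; never leaves the vault
        self._by_index = {}  # HMAC(value) -> token, so a repeated value reuses its token

    def _index(self, pan):
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenise(self, pan):
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("expected a 13-19 digit card number")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]
        while True:
            # Random digits of the same length: nothing here is computed from the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenise(self, token):
        # Recovery is a table lookup inside the vault; no key or algorithm inverts a token.
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]


def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number, not real data
    merchant_db = {"order-1001": vault.tokenise(pan)}  # all the merchant stores
    return vault, pan, merchant_db


if __name__ == "__main__":
    vault, pan, merchant_db = demo()
    print("merchant record:", merchant_db)
    print("vault lookup matches:", vault.detokenise(merchant_db["order-1001"]) == pan)
```

A copy of `merchant_db` taken without the vault contains only the random token, which is the contrast with ciphertext: ciphertext can be reversed by anyone who obtains the key, while a token can only be looked up.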

Tokens are increasingly being used to secure varying types of sensitive information, in particular personally identifiable information such as healthcare information, email addresses, and account numbers. From a security perspective, tokenisation significantly reduces risk, because sensitive data cannot be breached if it is not there in the first place. However, there are a number of other use cases where tokens create value, such as the tokenisation of traditional financial assets where a lack of liquidity creates barriers to entry; tokenising these assets, for instance using blockchain to convert rights into a digital token backed by the asset itself, can solve this problem. We are likely to see an increase in the number of tokenised real assets including, but not limited to, real estate, where investors are able to own portions of a property, and collectibles such as art. The future will result in an environment of greater personalisation and customisation. In both instances, the token represents distributed ownership of the underlying asset’s value, but not the asset itself, democratising the process of ownership.

A new “tokenised” economy offers tremendous potential for creating a more efficient and inclusive environment in which tangible and intangible assets can be traded with greater liquidity, accessibility and transparency, and through faster and more cost-effective transactions. Furthermore, tokenisation in essence allows you to compartmentalise personal data and manage them across different users simply and effectively. The data can therefore only be accessed by an entity that has the correct token. The information is secure and completely portable, since the personal data are controlled by the individual and shared with permission, a stark contrast to how data are utilised currently.
