Why End-To-End Encryption and Tokenization Should Be Common Standards for Payment Security

August 21, 2018 | By: Drago Dzerve

Today, merchants — from the smallest mom and pop storefronts to the biggest names in big box retail — need to be prepared for breaches, especially when it comes to payments, in which personal customer data is at risk. According to the Ponemon Institute, nearly 60 percent of consumers go out of their way to avoid [recently] breached businesses. In an environment where it’s “not if, but when,” this presents a challenge for organizations that want to keep and maintain the trust of their customers.

A common misconception is that, with EMV credit cards, encryption is not needed. This is not true, since EMV cards transmit the card data in the clear, and that clear text data could be breached just like any other clear text card data. Therefore, the single biggest step merchants can take to eliminate the impact of a breach is to ensure that they are encrypting card data. This can be done with the most valuable and realistic forms of security, which are end-to-end encryption and tokenization.

End-to-end encryption uses a cryptographic algorithm and encryption keys to protect sensitive payment data. That way, sensitive payment data is encrypted as soon as it’s collected at the payment terminal, and it remains secure as it travels from the point of purchase to the processor. It is the best way for merchants to systematically eliminate card data from payment systems.

At Verifone, we recently co-authored a new, even more advanced encryption standard, known as AES DUKPT, which grows the number of unique security keys used to encrypt payment data from 1.5 million to more than 2.4 billion. Put simply, this technology enables a higher level of encryption security and facilitates faster encryption, making payments safer, transaction processing quicker and key replacement cycles longer. This is especially useful when applied to the modern retail environment, in which merchants demand the absolute highest security, ultra-fast transaction processing and minimal maintenance for payments ecosystems.

Tokenization allows for the replacement of card data with a valueless representative of the original card number, making the data useless should it fall into the wrong hands. At the same time, the valueless token is useful to merchants that wish to facilitate purchase returns in their stores. It empowers them to offer a frictionless omni-channel experience, which is important to most shoppers today.
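The tokenization flow described above, as an added sketch that is not Verifone's code or any standard's reference design: a vault issues a random token per card number, the merchant stores only the token, and a later return is matched against it. The `TokenVault` class, the function names, the `tok_..._last4` token format and the test card numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Processor-side vault (hypothetical): the only place a token maps to a PAN."""

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._token_by_index = {}  # HMAC(PAN) -> token, so a repeat card reuses its token
        self._pan_by_token = {}    # token -> PAN; a real vault encrypts this at rest

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        if index in self._token_by_index:
            return self._token_by_index[index]
        while True:
            # Random body: the token cannot be reversed without the vault.
            # Keeping the last four digits for receipts is an assumption here.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            if token not in self._pan_by_token:
                break
        self._token_by_index[index] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # KeyError for unknown tokens


def record_purchase(vault, orders, order_id, pan, amount_cents):
    """Merchant side: store the token and amount, never the PAN."""
    orders[order_id] = {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def return_matches_purchase(vault, orders, order_id, presented_pan):
    """Accept a return only if the presented card maps to the stored token."""
    order = orders.get(order_id)
    if order is None:
        return False
    return hmac.compare_digest(order["token"], vault.tokenize(presented_pan))
```

A copy of the merchant's `orders` table on its own yields tokens and amounts only; recovering a card number requires access to the vault.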

While end-to-end encryption and tokenization do not eliminate the risk of a breach, merchants who utilize them can feel confident that their customers’ sensitive card data is being protected. We now live in a world in which consumers are holding organizations more accountable as high-profile breaches shed light on data security issues. Thankfully, innovative payment technologies, like AES DUKPT, will better enable a more secure payment environment.


Drago Dzerve is GM and VP of the North America Financial Services Group at Verifone. In his more than 18 years in the payments industry, he has held leadership roles in software development, product management, business development and sales management. In these capacities, he has leveraged his broad ecosystem knowledge to address business challenges with the largest merchants, processors, brands and solution providers in the payments ecosystem. Drago holds a bachelor’s degree in Biology from Indiana University and an MBA from Rollins College in Winter Park, FL.