In a media protection system and method, an original media item is encrypted before it is distributed. At the point of sale (POS) or point of distribution, the consumer presents his personal smart token to the clerk who inserts it into a POS reader along with a companion digital identifier (CDI.TM.). The POS reader extracts a digital key from the CDI.TM. and merges it with the player list in the consumer's smart token. The POS reader then destroys the CDI.TM. and returns the smart token to the consumer. The digital key for the media item is now stored on the consumer's personal smart token, merged with the player identifiers for the players possessed by the user. When the user returns home, he inserts the media item into his player along with his smart token, and the digital key is extracted and used to decrypt the encryption key for the material that is stored on the media item itself. Then, the player decrypts the media item as it is played. The consumer may remove the smart token, and the encryption key is stored in the player. If the consumer wants to play the media item in a player other than the one on his list at the time he bought the media item, he inserts his smart token in the new player and its public key is transferred to his smart token. He then inserts the smart token into one of his currently authorized players and activates a "new player" function, which generates a new set of records on the smart token encrypted with the public key of the new player and accessible only to the new player.