5 Questions About Payment Tokenization

There are strict rules put in place by PCI DSS to ensure that any business (regardless of size or industry) that comes into contact with credit cards must abide by in order to help maintain a safe and healthy ecosystem. Part of remaining PCI-compliant dictates sensitive data must not be stored. This is where payment tokenization comes in.


1. What is it?

Tokenization’s main goal is to prevent customer payment information from falling into the hands of thieves. Tokenization minimizes the amount of sensitive data a business keeps on hand by replacing the data with a virtual token: a unique string of numbers. So rather than sensitive customer information, merchants store and pass around a token instead. With tokenization, transactions can be processed while keeping sensitive details safe from prying eyes.

2. How does it work?

Tokenization takes sensitive information and replaces it with a token. For example, credit card numbers are replaced with a token that is a randomly generated number and mirrors the format of a credit card number. What’s stored on your database on the back-end is the token but on the front-end is a masked credit card number containing only the last four digits of the card (**** **** **** 1234). Tokens help keep customers’ sensitive data safe during the purchase as well as for subsequent transactions.

3. What is it used for?

Mobile payments

Whether it’s an Apple Watch or a smartphone, any payment made with a digital wallet via NFC is made secure by tokenization.

  • Customers input and save their payment card information in the digital wallet.
  • Tokenization ensures that the information is saved so that once enabled, consumers can simply pay with a tap but no actual sensitive information is saved. For example, Apple doesn’t see any consumer data when Apple Pay is used.

eCommerce transactions

When customers create an account and save payment information on an online shopping site, tokenization enables the data to be saved as a token that can be used for future purchases. While the full card number is not shown, customers identify the card by the last four digits.

  • The customer enters and saves their payment information on the merchant site.
  • A customer profile and token are created and returned to the merchant.
  • For future purchases, the merchant sends the token to the gateway to process the transaction.

Recurring payments

Tokenization has paved the way for recurring billing models to emerge. If you have ever signed up for any subscription-based services like Netflix, gym memberships, or products like BarkBox, your automatic payments are facilitated by tokenization.

  • Customer card details are tokenized and stored, ready to be used for subsequent transactions.
  • Once customers are subscribed to a recurring billing plan, they are automatically billed for every billing cycle.

Payments within apps

Tokens are used for payments made within apps. Customers can save their payment information but the apps will never see it because all they have access to are tokens.

4. Why is it safer?

Tokens are meaningless on their own and are worthless to criminals if they somehow obtain them. The tokens are randomly generated, rather than generated mathematically, and there is no algorithm to regain the original card number unless you have the original key used to create the token. What this means is that even if thieves were to get ahold of the tokens, they would not be able to use the stolen tokens because they can’t access the sensitive credit card information.

5. What’s the difference between tokenization and encryption?

While tokenization replaces sensitive information with a virtual token, end to end encryption encrypts the sensitive information both when it enters and exits merchant systems.

Both security features contribute to the same goal of reducing the scope of PCI compliance and the amount of sensitive information stored on a merchant’s systems. Traditional terminals in brick and mortar stores use end to end encryption, while tokenization is utilized in online and digital transactions.

As EMV (chip cards) continue to combat in-store fraud, tokenization is crucial to keeping payment information safe in online and digital environments. While tokenization itself is not enough for merchants to be fully PCI-compliant, it is a large part of reducing the scope and protecting both your business and your customers’ data.