Skip to main content

Posted June 23, 2016



If you’ve ever been handed a casino chip, you’re already familiar with the concept of tokenization. That small disc of valueless plastic represents something of real value: your $50 winnings. Outside of the casino and into the world of plastic card, contactless, and web-based payments, tokenization is a security solution being adopted by industry stakeholders. But rest assured, they’re not taking their tokens to the poker table. When it comes to protecting customers’ sensitive financial information, they’re not interested in placing any bets.

The word “tokenization” has been passed around in countless industry articles and it represents—no pun intended—the future of payments security. Let’s take a high-level view of tokenization by covering the basics:

What is tokenization?

The term was coined by token service provider Shift4 to describe the concept of using a non-decryptable piece of data to represent, by reference, sensitive or secret data—that data being credit card payments information. Put simply, the process of tokenization removes a person’s actual credit card data from a company’s internal networks and replaces it with an organically random, alphanumeric, globally unique ID called a token that passes seamlessly through the payments system.

What types of payments are protected by tokenization?

Tokens can be used for transactions involving:

  • Plastic payment cards—debit and credit cards, loyalty cards, gift cards
  • Mobile NFC payments—e.g. Apple Pay and cloud-based payments
  • E-commerce and m-commerce payments—card-on-file data

What makes tokenization a hot topic today?

With the global use of NFC payments, the growing adoption of mobile payments, and the ubiquity of e-commerce, consumers demand security. Merchants need to ensure their customers’ data and internal processes are safeguarded, especially as fraud rates climb and news of data breaches fill the headlines.

How does tokenization address a merchant’s payments security concerns?

Tokenization removes the risk inherent in storing, processing, or transmitting confidential customer credit card data via internal computers and networks—while retaining that information’s value. Because tokens are not mathematically derived, predictable, sequential, or have a 1-to-1 relationship with the actual card number, they’re virtually meaningless to anyone (i.e. criminals) outside of the tokenization system seeking access to the underlying data. What’s more, tokens are domain-specific, so if an EMVCo token is designated for a contactless NFC card payment transaction it cannot be used in place of card-on-file data that’s stored on acquirers’ systems—or vice versa.

What about industry compliance?

Tokenization actually simplifies the merchant’s compliance with industry standards and government regulations (e.g. PCI DSS requirements). Since their systems don’t store or process “real” data, they no longer need to provide the same level of security protection.

How does tokenization differ from encryption?

In short, there’s no way for someone to reverse engineer a token. Encryption uses a mathematical process, or algorithm, to make cardholder data unusable. It results in a direct relationship between the original data and the encrypted data, making it decryptable.

Does using a token change a merchant’s payment process?

No. A customer’s real card data is stored with their token service provider at a highly secure, centralized location called a token vault. Merchants use only the token during customer payments transactions, which may include sales, refunds, voids, and credits. And since tokens are formatted to look like the card’s (typically 16-digit) primary account number, they pass all standard checks used for routing and validation.

Tokens travel through the payment’s infrastructure: for example, from the e-commerce “shopping cart” to the merchant’s system to the payment network to the token service provider’s token vault. The token service provider holds the “key” and is therefore the only entity involved in authorizing a transaction. This process is called de-tokenization, and it occurs in a secure environment, allowing for processing and reconciliation using the tokenized card’s actual number.


Credit Card Tokenization 101 — And Why it’s Better than Encryption from 3 Delta Systems

PCI DSS Tokenization Guidelines from PCI Security Standards Council



Corporate Payments Insights