Tokenization is the process of replacing sensitive payment card data, specifically the primary account number, with a non-sensitive substitute value called a token. The token can be stored, transmitted, and used to process payments in place of the actual card number, while the real card data is stored securely in a token vault maintained by the tokenization provider. A token has no exploitable value outside of the specific system it was issued for, making it useless to fraudsters if intercepted or stolen.
Tokenization is one of the primary mechanisms used to reduce PCI DSS compliance scope for merchants and to protect stored payment credentials from data breaches. Because merchants store and transmit tokens rather than real card numbers, a breach of their systems exposes token values rather than actual card data.
Two distinct tokenization ecosystems exist in payments. Merchant tokenization, provided by payment gateways, replaces the PAN with a merchant-specific token for recurring billing and stored credential use cases. Network tokenization, provided by card networks through programs such as Visa Token Service and Mastercard Digital Enablement Service, replaces the PAN with a network-issued token that improves authorization rates and provides lifecycle management benefits.
Diving Deeper into Tokenization
Tokenization addresses one of the most fundamental tensions in payment security — the need to store and reuse payment credentials for legitimate business purposes such as recurring billing and one-click checkout, while minimizing the risk of those credentials being stolen and used fraudulently. The solution is elegant: store a surrogate value that is useful for its intended purpose but worthless to anyone who steals it.
The concept is simple, but the implementation varies significantly depending on the type of tokenization, who issues the token, and how the token is used in the payment flow.
How Tokenization Works
The tokenization process begins when a cardholder submits payment credentials for the first time. The payment gateway or tokenization service receives the PAN and immediately stores it in a secure, isolated token vault. The vault generates a token — a random string of characters that often mimics the format of a PAN to minimize changes required to downstream systems — and returns it to the merchant’s system. From that point forward, the merchant’s system works with the token rather than the PAN.
When the merchant needs to process a subsequent transaction using the stored credential, they submit the token to the gateway. The gateway looks up the corresponding PAN in the vault, substitutes it into the authorization request, and processes the transaction normally. The merchant never handles the actual PAN after the initial tokenization.
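As an added illustration (not code from the page or from any gateway or network), a minimal token vault and gateway step in Python: the vault validates and stores the PAN, hands back a random token of the same length that keeps only the last four digits, and on a later transaction swaps the PAN back into the authorization request. The `domain` parameter, the rule that a token must fail the Luhn check, and the sample PAN are assumptions made here to model the domain binding described later for network tokens and mobile wallets.

```python
import secrets

# Constructed sample PAN: a well-known test number that passes Luhn, not a real card.
SAMPLE_PAN = "4111111111111111"

def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Vault side: the only component that ever holds the PAN (hypothetical design)."""

    def __init__(self):
        self._pan_by_token = {}   # (token, domain) -> PAN
        self._token_by_key = {}   # (PAN, domain) -> token, so re-tokenizing is idempotent

    def tokenize(self, pan: str, domain: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        key = (pan, domain)
        if key in self._token_by_key:
            return self._token_by_key[key]
        while True:
            # Random digits, same length as the PAN, last four preserved for display.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Assumed rule: reject tokens that pass Luhn so one is never mistaken for a live PAN.
            if (token, domain) not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[(token, domain)] = pan
        self._token_by_key[key] = token
        return token

    def detokenize(self, token: str, domain: str):
        """Return the PAN only for the domain the token was issued to, else None."""
        return self._pan_by_token.get((token, domain))

def gateway_authorize(vault: TokenVault, token: str, domain: str, amount_cents: int) -> dict:
    """Gateway side: swap the token for the PAN and build the authorization request.
    The merchant only ever submits the token; the PAN appears solely here and in the vault."""
    pan = vault.detokenize(token, domain)
    if pan is None:
        return {"approved": False, "reason": "unknown token for this domain"}
    return {"approved": True, "pan": pan, "amount_cents": amount_cents}
```

A token replayed under a different domain fails the vault lookup, which is the property that makes a stolen token worthless outside the system it was issued for.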
Merchant Tokenization vs. Network Tokenization
The two tokenization ecosystems serve different purposes and operate at different layers of the payment stack.
Merchant Tokenization
Merchant tokenization, sometimes called gateway tokenization, is provided by the payment gateway and is scoped to that gateway’s environment. The token issued is specific to the merchant-gateway relationship — it cannot be used to process payments through a different gateway or directly with a processor. If the merchant switches gateways, they must re-tokenize their stored credentials or migrate tokens between systems.
Merchant tokenization substantially reduces PCI DSS compliance scope by removing actual card data from the merchant’s systems. A merchant who has tokenized all of their stored credentials and uses point-to-point encryption at the terminal level may qualify for significantly simplified PCI compliance validation compared to a merchant who handles raw card data.
Network Tokenization
Network tokens are issued by the card networks themselves through programs such as Visa Token Service and Mastercard Digital Enablement Service. A network token is tied to a specific domain — a specific merchant, device, or channel — and is issued by the card network rather than the gateway. The actual card number is stored in the network’s token vault, not the gateway’s.
Network tokens have several advantages over merchant tokens that make them the preferred tokenization approach for high-volume merchants and sophisticated payment implementations.
Network Token Benefits
Network tokens are portable across gateways and processors because they are issued by the card network, not a specific gateway. A merchant can switch processors without re-tokenizing their stored credentials.
Network tokens receive automatic account updater functionality. When a cardholder’s card is reissued due to expiration or replacement, the card network automatically updates the token to point to the new card without any action required from the merchant or cardholder. This eliminates a significant source of involuntary churn in subscription businesses where stored credentials expire or are replaced.
Network tokens typically achieve higher authorization rates than transactions submitted with raw PANs because issuers can apply more precise risk scoring to tokenized transactions and because the token signals that the payment is being made from a trusted device or merchant domain. Some card networks report authorization rate improvements of one to three percentage points for tokenized transactions versus raw PAN transactions.
Tokenization and PCI DSS
Tokenization is one of the most effective tools merchants have for reducing their PCI DSS compliance burden. PCI DSS requirements apply to systems that store, process, or transmit cardholder data. By replacing actual card numbers with tokens in all systems other than the secure token vault, merchants can significantly reduce the number of systems that fall within PCI scope.
The token vault itself remains in scope and must be protected according to PCI DSS requirements, but the vault is typically maintained by the gateway or network provider rather than the merchant, meaning the merchant benefits from the compliance work done by a specialized provider rather than having to secure card data in their own environment.
Tokenization in Mobile Wallets
The tokenization process is central to how mobile wallet payments work. When a cardholder adds their card to Apple Pay or Google Pay, the card network issues a device-specific token that is stored in the phone’s secure element. When the cardholder makes a payment, the token — not the actual card number — is transmitted to the terminal. If the token is intercepted, it has no value outside of that specific device and payment context.