A guide to payment tokenization

Tokenization replaces sensitive payment data with a surrogate value. It makes payments safer for everyone.

Max Lamond
June 3, 2026

Key points

  • The two main types of payment tokenization are PCI tokenization (which masks the stored payment data in the merchant’s environment) and network tokenization (which uses surrogate data in place of the customer’s PAN through authorization).
  • Digital wallet tokenization is a type of network tokenization used specifically in the case of digital wallets, such as Google Pay, Apple Pay and Samsung Pay.
  • Use cases for payment tokenization include mobile payments, one-click payments, and recurring payments (such as subscriptions). 
  • In 2025, Checkout.com’s tokenized payments saw up to 10.3 ppt higher authorization rates compared with non-tokenized cards.

Payment tokenization enables safer, faster payments that are more likely to be authorized on the first attempt. It often boosts customer experience, too. You can use different types of payment tokens depending on your business needs, but the general purpose is to protect a customer’s payment details from theft or misuse while transaction requests travel from point to point.

Depending on which countries you’re taking payments in, you may need to use payment tokenization to comply with national and regional regulations. And any business taking payments needs to be aware of PCI DSS requirements, which include protecting sensitive payment details – payment tokenization being a common strategy for compliance.

There are important financial benefits that can come from tokenizing your payments with scheme-backed network tokens: in 2025, we measured a global 10.3 ppt improvement in approval rates on tokenized transactions versus non-tokenized ones. This means more revenue capture for your business – an additional 7.2% in gross sales revenue – thanks to higher authorization rates and savings on fraud-related chargebacks. 


What is a payment token?

When making a payment, such as buying something with a credit card, messages are sent back and forth to various parties. In theory, a cybercriminal could intercept one of these messages to access data such as a customer’s credit card details. To avoid potential theft of financially sensitive data, it’s increasingly common to tokenize a payment: replacing the cardholder’s primary account number (PAN), CVV and expiry date with a string of characters known as a “token.”

The token doesn’t have any meaning outside of the transaction, so it cannot be linked back to a customer’s bank account. It’s algorithmically generated by a token provider each time a request is made.

How does payment tokenization work?

The token is created (or “provisioned”) at the moment it’s needed, and acts as a surrogate for the PAN. That means the merchant does not store or send the customer’s sensitive payment details – instead, the token is inserted into the transaction request, helping to limit the PCI scope.

Here’s a quick overview of the payment tokenization process for a customer-initiated transaction (for example, someone buys a pair of trainers on a retailer’s website):

  1. A customer enters their card details into the payment gateway on the merchant’s website.
  2. The merchant’s payment gateway sends a request to a payment service provider (PSP), which tokenizes the customer’s credit or debit card numbers.
  3. The PSP returns the token reference to the merchant and stores the mapping of the token to the payment credential data in a secure vault of the merchant’s choosing.
  4. The merchant's payment gateway may provision a network token for the card and use it to request authorization of the payment from the card scheme (such as Visa or Mastercard) via the issuer.
  5. The issuer successfully authorizes the payment, notifies the merchant, and the payment is completed.
  6. The merchant can request the token for future merchant-initiated transactions or customer-initiated transactions from that customer – for example, on recurring payments, refunds, or one-click checkout.
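
Steps 2, 3 and 6 above, as an added Python sketch of a vault (PCI) token service; this is illustrative code, not Checkout.com's implementation. The TokenVault class, the merchant_id scoping, the "tok_" prefix and the reuse of one token per card and merchant are assumptions made for the example, and the card number is a constructed test value.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects typos before vaulting."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy PSP-side vault: the only place where a token maps back to a PAN."""

    def __init__(self) -> None:
        self._index_key = secrets.token_bytes(32)  # keys the PAN fingerprint
        self._by_token = {}        # token -> (merchant_id, pan)
        self._by_fingerprint = {}  # (merchant_id, fingerprint) -> token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash, so the lookup index never contains the PAN itself.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, merchant_id: str, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        key = (merchant_id, self._fingerprint(pan))
        if key in self._by_fingerprint:  # same card, same merchant: reuse token
            return self._by_fingerprint[key]
        token = "tok_" + secrets.token_urlsafe(24)  # random, not derived from PAN
        self._by_token[token] = (merchant_id, pan)  # a real vault encrypts at rest
        self._by_fingerprint[key] = token
        return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        # Runs only inside the vault boundary, just before authorization.
        owner, pan = self._by_token.get(token, (None, None))
        if owner is None or owner != merchant_id:
            raise PermissionError("token unknown or issued to another merchant")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4242424242424242"  # constructed test number, not a real card
    tok = vault.tokenize("merchant_a", test_pan)
    print(tok, "-> card ending", vault.detokenize("merchant_a", tok)[-4:])
```

The merchant only ever holds the value returned by tokenize(); a token copied out of one merchant's systems fails detokenize() when presented under another merchant's identity.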

For now, not every payment made online is tokenized. However, Mastercard and Visa have separately pledged to ensure every online payment via their networks is tokenized by 2030. The goal is to reduce reliance on exposed PANs and improve security, fraud prevention, and payment performance across the ecosystem.

Payment tokenization is particularly useful, for example, for businesses that rely on recurring payments (such as subscriptions) and for ecommerce sites looking to reduce friction at the checkout. We’ll explore that in more detail below. In the meantime, let’s take a closer look at the different types of payment tokenization.

Types of tokenization

Payments vs blockchain
It’s worth quickly defining the difference between payment tokenization, which means replacing sensitive payment data with a surrogate value, and crypto tokenization, which refers to converting ownership rights or another asset into a blockchain-based token. For the purposes of this article, we’ll only refer to the former.

There are various types of payment tokenization, named according to how and where the tokens are used. For instance, payment card tokenization is the generic term for the process of replacing the PAN on a cardholder’s card with a token. You may see the term “credit card tokenization” used to refer to replacing the PAN on a credit card, though payment card tokenization can take place with debit cards, too. 

There are two main forms of payment card tokenization. The first is vault tokenization – sometimes referred to as PCI tokenization or proprietary tokenization – where a payment provider replaces the PAN with a token and stores the original card data in a secure vault. Other names for a PCI token include gateway token, PSP token, acquirer token, merchant token, or vault token, depending on who creates and manages it.

The second is network tokenization, where a card network (such as American Express, Mastercard or Visa) provisions a token that represents the underlying payment account. This model is based on the EMV Payment Tokenisation Specification, so you may also see network tokens referred to as EMV payment tokens. These tokens are limited to a specific use (known as the “domain of use”) such as a certain merchant, device, wallet or payment scenario.

You can learn more about network tokens in our dedicated guide.

PCI tokenization: purpose, scope and management

PCI tokenization’s role is to protect the cardholder data stored by merchants, payment processors, and other entities in the payments ecosystem. PCI tokens are typically used in the merchant/gateway environment to reference stored card details, usually via a token vault, and can be used across the merchant’s internal systems. Therefore, such tokens are usually bound to the PSP, gateway, acquirer or token vault that issued them, and generally cannot be used interchangeably across PSPs.

Differences between PCI tokenization and network tokenization


Both PCI tokenization and network tokenization reduce the risks associated with storing sensitive payment information and can help merchants achieve their desired level of PCI compliance. The key distinctions between them are who issues the token, where the PAN-to-token mapping is managed, and how far through the payment flow the token is used. 

A PCI token is managed by the merchant, PSP or tokenization provider, and maps back to card data stored in a secure vault. The PCI token protects the PAN inside the merchant or payment provider’s environment, but the token may still be converted back into the original card details before being sent for authorization.

A network token is issued by a card network, and stands in place of the underlying payment account in a digital transaction. The network token may be tied to a specific merchant, device, wallet, or payment scenario, and can be used through the transaction flow, including authorization, without exposing the PAN. 

In practice, both types can complement one another: it’s common to configure PSP tokens to map to network tokens, which means provisioning the network token at the appropriate point in the payment flow.

Digital wallet tokenization

You will also see the term digital wallet tokenization, a form of network tokenization where the card network replaces the card’s Funding Primary Account Number (FPAN) with a Device Primary Account Number (DPAN): a device- or wallet-specific token that represents the underlying payment account for digital transactions. 

Put simply, when someone adds a card to their digital wallet, such as Apple Pay or Google Pay, the card’s FPAN is not used directly for wallet transactions. Instead, their card network replaces the card’s sensitive data (its PAN, CVV, and expiry date) by issuing a DPAN, a surrogate value for the payment account. These are stored within a secure element or trusted execution environment (TEE) on the cardholder’s device (such as a smartphone or smartwatch).

Then, whenever the customer pays with that device, the digital wallet only provides the token to the merchant – thus masking the original card details.

Agentic tokens

A newer use case of network tokens is emerging: agentic tokens, which let AI agents transact on a user’s behalf under a defined set of constraints. Schemes are still defining the language around this new technology, as it develops. 

Visa describes “agent-specific payment tokens” that will ensure agents make secure transactions on behalf of a human. AI agents will be onboarded onto the Visa Intelligent Commerce platform and enable users to add their Visa cards for use in specific purchases.

Mastercard describes agentic tokens as “secure cryptographic credentials that safeguard sensitive payment data, improve approval rates and enable programmable transaction-level controls” and ensure every transaction is both traceable and authenticated.

Follow our latest blog articles on agentic commerce to learn more. 

Benefits of tokenization for payments

Modern merchants use payment tokenization to provide better customer experiences such as one-click payments and faster checkout. Tokenized payments are also more likely to be authorized by issuers, so there are fewer false declines – where a customer’s payment fails due to a false fraud flag. That means you can end up with more profitable payments, as revenue capture often improves.

There are seven main benefits of payment tokenization:

  1. Improve security
    Tokenization helps protect sensitive payment data by limiting where full card details are exposed. In digital wallets, it also works alongside device-level security features such as biometric authentication, adding another layer of protection for the customer.

  2. Reduce the impact of data breaches
    If tokens are exposed in a breach, they are far less useful to attackers than raw card details. Because tokens are restricted to specific environments, merchants, devices, or use cases, they cannot usually be used elsewhere.

  3. Support higher authorization rates
    Network tokens can help issuers recognize legitimate transactions more reliably, especially for repeat customers and card-on-file payments. They can also be kept up to date when card details change, reducing failed payments caused by expired or replaced cards. In 2025, Checkout.com measured a 10.3 ppt increase in approval rates on tokenized versus non-tokenized transactions.

  4. Decrease false declines
    Tokenized transactions can provide issuers and payment providers with more consistent, reliable payment data. This can help them distinguish genuine customers from suspicious activity more accurately, resulting in fewer false declines.

  5. Limit PCI DSS scope
    Tokenization can reduce the amount of sensitive card data a merchant stores, processes, or transmits. This can simplify PCI DSS compliance, and mean merchants avoid the responsibility of handling the most sensitive types of financial data.

  6. Enable faster, more convenient checkout
    Tokenization supports payment experiences such as card-on-file payments, subscriptions with auto-updates on expired cards, and one-click payments. This helps customers pay quickly without needing to re-enter all the numbers each time.

  7. Reduce fraud-related chargebacks
    Network tokens can reduce financial losses from chargebacks on payments flagged as fraudulent. This is because they reduce the risk of payment fraud, thanks to masking the PAN and making PCI-sensitive data harder for fraudsters to steal. In 2025, Checkout.com measured a 49% reduction in fraud-related chargebacks thanks to network tokens.

What kind of businesses benefit most from using payment tokenization?

All merchants taking online payments can benefit from using tokens, owing to the potential for improvements in authorization rates, payment data security, and reduced fraud. In particular, merchants looking to limit their PCI compliance scope to SAQ-A should use payment tokenization to avoid handling raw payment data.

Ecommerce and retail

Ecommerce businesses can use payment tokenization to save their customers’ card details on file securely.

This means that when a returning customer comes to pay, the merchant can enable a faster, smoother experience at the checkout – reducing friction and driving down cart abandonment rates. For example, retail merchants can safely offer one-click checkout for returning customers by making use of tokenized payment credentials.

This can work even if the customer has never been to your website or app before: Remember Me from Checkout.com eliminates the need to re-enter information at different merchants because it works across our entire network of merchants. 

Subscriptions: digital goods, streaming, and services

For businesses operating on a subscription model, payment tokenization – using network tokens, specifically – ensures payment details are automatically refreshed, significantly reducing the chances of card declines due to card expiry, loss or theft. Network tokens help with lifecycle management, which is crucial to ensuring payment continuity for subscribers and repeat customers when their payment details update – for instance, when an out-of-date card is replaced with a new one. Tokenizing the payment credential removes the need for customers to manually update their payment information, and can help to reduce payment failures and customer churn.

Platform businesses and marketplaces

With multiple parties involved, payment flows become operationally complex, and security can be harder to guarantee. Platforms and marketplaces use payment tokenization to let multiple sellers and services charge the same buyer credential without exposing or storing the raw PAN. Payment tokenization provides a streamlined way to enhance security at scale, helping to boost the trust and confidence of every party using an ecommerce platform. Tokens can also help to link a customer’s payment credentials across a merchant’s app, website, and wallet, enabling a more consistent experience with the brand.

Merchants with customer loyalty programs

Payment tokenization can help businesses run card-linked loyalty programs without storing raw card details. A tokenized payment credential can be linked to a customer’s loyalty profile, so points or rewards can be applied automatically when they pay. For network tokens, markers such as a Payment Account Reference (PAR) can help connect different tokens for the same underlying payment account across channels, wallets, or updated cards. This gives businesses a safer way to recognize repeat customers and deliver a more consistent loyalty experience. This is particularly helpful for merchants competing to retain customers in competitive industries such as fashion, food, beauty and wellness.

How Checkout.com helps with payment tokenization

As a fully licensed provider, Checkout.com can provision PCI tokens for you, and request network tokens from card schemes like Mastercard or Visa on your behalf.

If you opt for our managed service, we take care of all the data, updates, storage, and optimization for you, so you can worry less about security and compliance and focus more on growing your business. Or you could choose to manage your own solution, which means you’ll have full flexibility and ownership of your tokens. You can also use our Forward API to transport payment credentials and tokens to another service provider, giving you maximum flexibility.

If you use our Intelligent Acceptance product, you can enjoy all the benefits of network tokens without any additional integration. Intelligent Acceptance adds machine learning and dynamic decisioning to use network tokens where they work best. It employs network tokens only if they’re supported by the issuer, and, for each transaction, utilizes AI and machine learning to decide whether to use network tokens or PAN credentials based on which offers the best performance and cost benefits.

Whether you use network tokens as a standalone solution or via Intelligent Acceptance, our data shows that, on average, you could see a 3% increase in acceptance with Visa and Mastercard. Speak to a member of our team to find out more about how to use Network Tokens to lower costs, reduce fraud and boost acceptance with Checkout.com.
