A guide to payment tokenization

Learn what payment tokenization is and how it works

Link to the author's page
Eerik Durejko
March 28, 2024
Link to the author's page
A guide to payment tokenization

Despite being one of the biggest rising forces in payments, tokenization is still an unknown entity to many people outside of the industry.

Whether you know about it or not, though, chances are you enjoy tokenization’s myriad benefits every day – either as a merchant, a customer, or both.

Tokenization is what makes many online and digital wallet purchases possible. It enables safer, faster one-click payments, reduces fraud, and boosts authorization rates – while sending abandoned cart rates in the opposite direction.

But what is payment tokenization, exactly – and how does it work? What are tokenization’s different types, use cases, and benefits? What does its future hold – and how can Checkout.com help you adopt this game-changing way to secure the payments you accept?

Let’s find out. 

What is tokenization in payments?

Payment tokenization is the process of replacing sensitive data in a transaction (such as the cardholder’s primary account number, or PAN) with non-sensitive data, called ‘tokens’.

These tokens don’t have any value or significance outside of the transaction. Instead, they’re simply random values: ‘references’ that relate back to the tokenized payment data and allow it to traverse the networks it needs to complete the transaction – without the risk of data theft.

How does payment tokenization work?

When an online transaction takes place (be it through a credit or debit card or a digital wallet), an algorithm generates a ‘token’ to replace the customer’s PAN.

This token, created for a fee and essentially a unique string of numbers is issued in real-time, and acts as a secure identifier of, or surrogate for, the PAN. This means the actual PAN doesn’t have to be transmitted – which makes the whole process more secure and safeguards the cardholder’s details should a data breach occur.

Due to the inherently random generation of tokens and their uniqueness to each customer’s card at a merchant, the challenge for nefarious actors to successfully predict or take advantage of these tokens is significantly heightened. This robust security measure remains effective even under circumstances where a transaction may be compromised, ensuring that access to the tokens does not inherently lead to their exploitation.

If anyone intercepts a payment transaction where merchant only mentions the token reference then the interceptor cannot derive the original card details from the token reference.

Here’s a quick overview of the payment tokenization process:

  • A customer initiates a transaction through a merchant’s online checkout page: entering their card details into the payment gateway on the seller’s website.
  • The merchant’s payment gateway sends a request to a payment service provider, which tokenizes the customer’s credit or debit card information.
  • The PCI compliant payment service provider returns the token reference to the merchant and stores the mapping of the token to the payment credential data.
  • The merchant's payment gateway may provision network token for the card and use the network token - instead of the original card data - to request authorization of the payment from the card scheme (such as Visa or Mastercard) and the customer's bank
  • After the issuing bank successfully authorizes the payment, they notify the merchant, and the payment is completed.
  • The merchant can then store the token for future transactions from that customer – be it for recurring payments, refunds, or to enable one-click payments – without falling foul of PCI DSS (Payment Card Industry Data Security Standard) compliance requirements.

Not every payment made online is tokenized by default. Payment tokenization is an added security measure, and whether you – as a merchant – apply it to your transactions will depend on your industry, your payment setup, your needs, and your customers’ preferences.

Payment tokenization is, for example, particularly useful for businesses that rely on recurring payments (such as subscriptions) and ecommerce sites looking to reduce friction at the checkout. We’ll explore that in more detail below, though – in the meantime, let’s take a closer look at the different types of payment tokenization.

What is credit card tokenization?

Credit card tokenization is simply the process of replacing the PAN from a credit card with an unrelated number sequence, otherwise known as a token. In other words, it’s just a specific type of payment tokenization. Debit cards and digital wallets can also be tokenized. 

Different types of tokenization

There are three different types of tokenization: network, PCI, and digital wallet. 

The key distinctions between network and PCI tokenization are which parties are responsible for issuing and storing the token and can read the original card details. A network token is issued by a card scheme, is linked to a specific device, and replaces card details at every stage of the transaction. A PCI token is managed by the merchant or payment gateway and only replaces the card at a specific endpoint, meaning that the card details are revealed to the network and issuer.    

Digital wallet tokenization is a form of tokenization used exclusively for digital wallets like Apple and Google Pay.  

Each type has a specific use case in the payment ecosystem. Below we go into more detail about the different types of tokenization. 

Network tokenization

The main role of network tokenization is to secure cardholder data during payment transactions by replacing the customer’s PAN with a token, improve acceptance rates and enables less friction via realtime token lifecycle updates which always keep network tokens up to date and are inherent to network tokens.

Initiated and managed by card schemes (including American Express, Discover, Mastercard, and Visa) or payment service providers (such as Checkout.com), network tokenization is the kind of tokenization we’ve been discussing so far in this article.

Card-on-file network tokens, while designed to be merchant-specific, offer a level of interoperability across various acquiring rails, provided they are utilized by the same merchant. This ensures that these tokens can facilitate transactions seamlessly across different payment gateways worldwide, as long as the transactions remain within the merchant's ecosystem. Additionally, it's important to note that these tokens are typically confined to the ecommerce channel. This restriction not only streamlines their use but also adds an extra layer of security by preventing their potential fraudulent use across other channels.

PCI tokenization

PCI tokenization’s role is to protect the cardholder data stored by merchants, payment processors, and other entities in the payments ecosystem.

Remember how tokens can be saved to enable quicker, more seamless recurring payments? Well, PCI tokenization is responsible for reducing the risk associated with storing this sensitive payment information and helping merchants achieve PCI compliance

Whereas the card schemes run network tokenization, PCI tokenization is managed by the entities actually storing the cardholder data. PCI tokens can be employed across a range of platforms and systems in an organization as a replacement for actual credit and debit card data.

What’s more (and, again, unlike network tokenization), PCI tokens are generally stored in the secure token vaults of the company that initiates the process – not on the cardholder’s device.

Digital wallet tokenization

Digital wallet tokenization is a type of network tokenization used specifically in the case of digital wallets, such as Google Pay and Apple Pay.

When a cardholder adds a credit or debit card to their digital wallet, the card’s sensitive data (its PAN, CVV, and expiry date) are replaced as a token which serves as the card’s reference. These are stored within a secure element or trusted execution environment (TEE) on the cardholder’s device (such as a smartphone or smartwatch).

Then, whenever the customer pays with that device, the digital wallet only provides the token to the merchant – thus masking the original card details.

What kind of businesses benefit most from using payment tokenization?

Payment tokenization adds an extra layer of security to an online transaction that all merchants and customers (as we’ll see below) can benefit from.

But there are some industries and use cases that payment tokenization is particularly helpful for – so let’s unpack them in more detail.


Ecommerce businesses can leverage payment tokenization to save their customers’ card details on file securely.

This means that when a returning customer comes to pay, the merchant can enable a faster, smoother experience at the checkout – reducing friction and driving down cart abandonment rates. Better still, tokenization can help ecommerce businesses demonstrate their commitment to safeguarding customer data – which can enhance consumer trust and confidence in the online shopping experience.

Subscriptions businesses

For businesses operating on a subscription model, such as Birchbox and Spotify, the continuous request for customers to input their card details for each payment cycle—monthly or annually—is not just a matter of time efficiency; it's predominantly about minimizing inconvenience for their customers. Maintaining security and compliance with PCI regulations is crucial for these businesses. They must ensure that card information is not only saved and secured but also stored in a manner that respects these standards. 

Tokenization plays a pivotal role in this process by replacing sensitive card details with algorithmically generated data strings. However, the adoption of network tokens offers an even greater advantage by providing real-time lifecycle updates. This means the tokens that represent card details are automatically refreshed, significantly reducing the chances of payment declines due to card expiry and diminishing the need for customers to manually update their payment information following a card replacement.

Of course, subscription businesses also need to be able to charge these card details, too – or otherwise risk interruptions to the customer’s service and the resultant lost revenue and customer churn. So tokenization also helps with the card-on-file payment process: generating network tokens to process recurring payments seamlessly while working alongside a credit card account updater service (if the card is not replaced with a network token) to ensure the saved information constitutes the latest, most accurate credit or debit card details. Note that network tokens are being kept up to date via inherent lifecycle updates.

Platform businesses and marketplaces

Unlike a conventional ecommerce transaction between a business and a customer, which usually occurs directly on the business’ website, platforms and marketplaces provide an environment for numerous third-party sellers and customers to transact. With multiple parties involved, and a potentially much higher transaction volume, security and trust are harder to guarantee. Tokenization provides a simple and streamlined way to enhance security at scale, helping to boost the trust and confidence of every party that uses the platform.  

Use cases of payment tokenization

Mobile payments and digital wallets

If you’ve ever received – or made – a payment through your smartphone, you’ve experienced tokenization’s speed- and convenience-related benefits firsthand.

Whether a customer is paying through a digital wallet such as Apple Pay or in-app (or both), tokenization enables these mobile payments to take place faster and more securely. Tokenized transactions don’t, after all, require the same extensive validation and authorization as cardholder data does – so they enable smoother and more seamless mobile payment processing. 

One-click payments

By allowing tokens associated with the customer’s payment method to be securely stored on their device, tokenization enables one-click payments. There’s no need for them to enter their name, their address or even have the physical card on them.

Some of the industries already using one-click payments to great effect include retail ecommerce, as well as the ride-sharing sector. Online marketplaces (Amazon being the most notable example) are also pioneering this tokenization-enabled form of quicker, more convenient payments.

MOTO payments

MOTO (Mail Order/Telephone Order) payments occur, as the name suggests, either over the phone or through mail orders. 

In traditional settings, collecting customers’ credit or debit card details for transactions, especially those conducted over the phone (MOTO), requires manual entry, either verbally or through other direct methods. This initial step often necessitates the cardholder to share sensitive payment information. However, once this credential is securely stored and tokenized after the first transaction, customers indirectly benefit from the tokenization process for subsequent transactions. 

They might not be explicitly aware that their card data has been tokenized, but this system significantly reduces the exposure of sensitive information and lowers the risk of data breaches and PCI non-compliance. Moreover, with the tokenization of these credentials, stored information is automatically updated, ensuring smoother and more secure transactions in the future without repeated manual data entry.

Benefits of tokenization for payments

Payment tokenization has an impressive wealth of benefits for businesses and consumers – so let’s explore them in detail.

Improves security

By tokenizing sensitive card information in digital wallets, customers can pay with saved card details – without having actually to carry their cards on them everywhere they go.

What’s more, the security features in-built into digital wallets dovetail nicely with those tokenization provides. Modern smartphones support different ways of biometric verification – whether that’s facial, fingerprint, or iris recognition technology – which allow users to confirm it’s really them making the transaction.

By authenticating the payment via two factors – possession (something they own) and inherence (a unique physical identifier) – these transactions also satisfy SCA (Strong Customer Authentication) requirements. This adds an even more comprehensive layer of security to the transaction and – as we’ll see below – can even save you money on fees going forward too.

Learn more: Tokenization vs Encryption

Prevents fraud and data breaches

Tokens serve as placeholders for sensitive cardholder information, but their value is contextually bound; outside their designated system, they hold no meaning. This limitation does not imply a universal decryption tool exists—quite the opposite. Tokens are created through an algorithm in real-time, rendering them ineffective for unauthorized use. However, their utility is preserved for recurring transactions involving the same customer at the same merchant, ensuring a seamless and secure exchange.

To mitigate fraud in Card-Not-Present (CNP) transactions, network tokens are being adopted for their enhanced security features. The risk associated with potential data breaches is significantly diminished, as the stolen data becomes essentially valueless.

This means that even if a hacker does manage to breach a system, they’d only gain access to tokens (which, remember, are simply strings of numbers with limited usability), rather than any card details they could actually use.

To learn more about how payment tokenization helps combat fraud, explore our in-depth guide to the topic.

Boosts authorization rates

SCA – which we touched briefly on before – is important, but its requirements can also be stringent. And the more layers of security you add to a transaction – the challenges and step-up authentications you pile on – the more friction you add to the checkout process.

Tokenization, however, is a security process that actually declutters the checkout; decreasing friction and improving rates of transaction success while enabling you to recognize legitimate repeat business from across the different channels you sell through.

Its not just a security measure; it significantly streamlines the checkout process, reducing friction and thereby increasing the success rates of transactions. A key aspect of this improved efficiency is the automated lifecycle updates. These updates ensure that tokenized payment information remains current, which is critical for maintaining high acceptance rates. Additionally, tokenization facilitates the recognition of legitimate repeat customers across the various channels through which you conduct your business, further enhancing the customer experience and operational efficiency.

Visa’s own data supports the link between tokenization and increased authorization rates; it suggests that merchants using network tokens see an authorization rate uplift of around 2%.

Supports PCI DSS compliance

Tokenization helps you achieve PCI DSS compliance by simplifying the process, minimizing the risks, and reducing the scope of cardholder data storage and transmission. Network tokens, for instance, hide the card’s details at every transaction stage. The merchant has only to handle the token.

It’ll mean you spend less time, resources, and energy on jumping through the hoops of PCI compliance and enable both you – and your customer – to transact: safely in the knowledge that their sensitive data is secure.

Learn more: Opportunities presented by PCI DSS 4.0

Reduces false declines

False declines – when a legitimate transaction is mistakenly flagged as fraudulent – are part and parcel of payment processing. That said, they’re also frustrating because they result in lost revenue, irritated customers, and – potentially – bad reviews, too.

Payment tokenization, however, can help. Providing banks and payment processors with more reliable transaction data, can assist these entities in distinguishing between genuine transactions and suspicious ones. Usually, fraud levels are reduced because network tokens are merchant specific, so a well performing merchant and their credentials are kept intact from a merchant that is struggling with fraud

What’s more, with fewer false declines – and a more accurate understanding of fraudulent transactions vis a vis legitimate ones – your own fraud monitoring systems will improve. You can feed all this data into machine learning algorithms that evolve and develop with the information, leading to even more effective fraud detection going forward.

Secures customer payments

If there’s one thing customers love as much as secure payments, it’s seamless ones. So, while payment tokenization’s security benefits are attractive to consumers, so too are the convenience and speed that one-click, MOTO, and card-on-file payments all offer them.

Remember, tokens make payments both safe and convenient – and that’s half the battle.

Enables one-click payments

One-click payments offer customers a fast and frictionless way to complete a purchase. The easier the customer’s payment journey is, the more likely they are to convert, boosting both customer loyalty and your revenue. 

 (Link then to article when published)

Learn more: Problems solved by payment tokenization

How Checkout.com helps with payment tokenization

As a network token provider, Checkout.com can request tokens from your card schemes like Mastercard or Visa on your behalf.

If you opt for our managed service, we take care of all the data, updates, storage, and optimization for you, so you can worry less about security and compliance and focus more on growing your business. Or you could choose to manage your own solution, which means you’ll have full flexibility and ownership of your tokens. 

If you use our Intelligence Acceptance product, you can enjoy all the benefits of network tokens without any additional integration. Intelligent Acceptance adds machine learning and dynamic decisioning to use network tokens where they work the best. It employs network tokens only if they’re supported by the issuer, and, for each transaction, utilizes AI and machine learning to decide whether to use network tokens or PAN credentials based on which offers the best performance and cost benefits. 

Whether you use network tokens as a standalone solution or via Intelligent Acceptance, our data shows that, on average, you’ll see a 3% increase in acceptance with Visa and Mastercard. Speak to a member of our team to find out more about how to use network tokens to lower costs, reduce fraud and boost acceptance with Checkout.com.

Stay up-to-date

Get Checkout.com news in your inbox.

Back to top button
March 28, 2024 18:27
March 28, 2024 18:27