Tokenization
Tokenisation replaces sensitive card data with a unique token — a random value that is worthless to fraudsters but can be used for authorised subsequent transactions.
Tokenisation is a security process in which sensitive card data (card number, expiry date) is replaced by a token — a random sequence of characters with no intrinsic value. The token can be used by the PSP or merchant for subsequent transactions without the real card data having to be transmitted again.
In e-commerce, tokenisation enables saved payment methods (one-click payment), recurring payments (subscriptions) and pre-authorised payments — all without storing the real card data. This reduces PCI DSS compliance efforts and minimises the risk in the event of data loss.
Tokenisation is also used in mobile wallets: Apple Pay and Google Pay replace the real card number with a device-specific token. Even if the token is intercepted, it is worthless on another device.
Tokenisation Examples
An online shop tokenises a customer's credit card during the first purchase. For subsequent purchases, the customer pays with a single click — without re-entering card details.
A SaaS provider uses tokenisation for monthly subscription payments. The token is charged every month without the provider storing the card data.
Apple Pay creates a device-specific token of the stored credit card. The real card number is never transmitted to the merchant.
Tokenisation FAQ
What is tokenisation in payment processing?
Tokenisation replaces sensitive card data with a random token that is worthless to fraudsters. The token can be used for subsequent transactions without having to transmit the real card data again.
Is tokenisation secure?
Yes. Even in the event of a data leak, tokens are worthless because they only function within the context of the authorised PSP system. The actual card data remains securely stored in the PSP's token vault.
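The vault behaviour described in this answer and in the definition above can be modelled in a few lines. This is an added example, not code from any PSP: the class `TokenVault`, the merchant IDs, the `tok_` prefix and the response fields are all assumptions made for illustration, and the card number is a constructed test value.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a well-known test card number


class TokenVault:
    """Toy PSP-side vault: the only place a token maps back to card data."""

    def __init__(self):
        self._records = {}  # token -> (merchant_id, pan, expiry)

    def tokenise(self, merchant_id, pan, expiry):
        # The token is random, not derived from the PAN, so it cannot be
        # reversed or recomputed from a leaked card number.
        token = "tok_" + secrets.token_urlsafe(24)
        self._records[token] = (merchant_id, pan, expiry)
        return token

    def charge(self, merchant_id, token, amount_cents):
        record = self._records.get(token)
        # Unknown tokens and tokens issued to another merchant fail the same way.
        if record is None or record[0] != merchant_id:
            return {"status": "declined", "reason": "invalid_token"}
        pan = record[1]
        # A real PSP would submit the PAN and expiry to the card network here.
        return {"status": "approved", "amount": amount_cents, "card": "****" + pan[-4:]}


def demo():
    vault = TokenVault()
    # First purchase: card data goes to the PSP, the shop keeps only the token.
    shop_db = {"customer-1": vault.tokenise("shop-a", TEST_PAN, "12/30")}
    token = shop_db["customer-1"]
    return {
        "one_click": vault.charge("shop-a", token, 1999),
        "stolen_token_elsewhere": vault.charge("shop-b", token, 1999),
        "pan_in_shop_db": any(TEST_PAN in v for v in shop_db.values()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The shop's database holds only the token, and the same token presented under a different merchant ID is declined exactly like an unknown one.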
Do you need tokenisation for recurring payments?
Yes, tokenisation is the standard for subscriptions and recurring payments. The token is used for each debit without the customer having to enter their card details again.
What does tokenisation have to do with PCI DSS?
Tokenisation significantly reduces PCI DSS compliance effort: if you store only tokens and no actual card data, many of the strict PCI DSS requirements no longer apply.

