Tokenization

Tokenization replaces sensitive card data with a unique token: a random value that is worthless to fraudsters but can still be used for authorized subsequent transactions.

Tokenization

Tokenization is a security process in which sensitive card data (card number, expiry date) is replaced by a token, a random sequence of characters with no intrinsic value. The PSP or merchant can use the token for subsequent transactions without the real card data having to be transmitted again.

In e-commerce, tokenization enables stored payment methods (one-click payment), recurring payments (subscriptions) and pre-authorized payments, all without storing the real card data. This reduces the PCI DSS compliance effort and limits the damage in the event of a data breach.

Tokenization is also used in mobile wallets: Apple Pay and Google Pay replace the real card number with a device-specific token. Even if that token is intercepted, it is worthless on any other device.

Tokenization examples

An online shop tokenizes a customer's credit card during the first purchase. For subsequent purchases the customer pays with a single click, without re-entering the card details.

A SaaS provider uses tokenization for monthly subscription payments. The token is charged every month without the card details being stored.

Apple Pay creates a device-specific token for the stored credit card. The real card number is never transmitted to the merchant.

Tokenization FAQ

What is tokenization in payment transactions?

Tokenization replaces sensitive card data with a random token that is useless to fraudsters. The token can be used for subsequent transactions without the real card data having to be transmitted again.

Is tokenization secure?

Yes. Even in the event of a data breach, stolen tokens are worthless because they only function within the context of the authorized PSP system. The actual card data remains securely stored in the PSP's token vault.
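The following Python sketch is an added illustration of the mechanism described above and in this answer; it is not code from the original page or from any real PSP. It models a minimal PSP-side token vault: the token is random and unrelated to the card number, the card number never leaves the vault, and a token issued to one merchant is refused when presented by another. The class and function names and the test card number are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(pan: str) -> bool:
    """Basic sanity check on a card number before it is accepted for storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class VaultEntry:
    pan: str          # real card number, kept only inside the vault
    expiry: str
    merchant_id: str  # the token is only valid for this merchant


class TokenVault:
    """Constructed model of a PSP token vault (hypothetical, not a real API)."""

    def __init__(self) -> None:
        self._entries: dict[str, VaultEntry] = {}

    def tokenize(self, pan: str, expiry: str, merchant_id: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # The token is freshly random, so it reveals nothing about the PAN
        # and two tokens for the same card cannot be linked to each other.
        token = "tok_" + secrets.token_hex(16)
        self._entries[token] = VaultEntry(pan, expiry, merchant_id)
        return token

    def charge(self, token: str, merchant_id: str, amount_cents: int):
        """Return a charge receipt, or None if the token is unknown or used
        outside the merchant context it was issued for."""
        entry = self._entries.get(token)
        if entry is None or entry.merchant_id != merchant_id:
            return None
        # Only here, inside the PSP, is the real card number ever touched;
        # the merchant only ever sees the token and the masked last four digits.
        return {"amount_cents": amount_cents, "last4": entry.pan[-4:]}
```

A merchant database in this model holds nothing but `tok_...` values, so a dump of it yields no card numbers and the tokens cannot be replayed through a different merchant account.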

Do I need tokenization for recurring payments?

Yes, tokenization is the standard for subscriptions and recurring payments. The token is used for each debit without the customer having to re-enter their card details.

What does tokenization have to do with PCI DSS?

Tokenization significantly reduces the PCI DSS compliance effort: if you store only tokens and no actual card data, many of the strict PCI DSS requirements do not apply to your systems.