
Tokenization

What Is Card Tokenization?

Tokenization is the process of replacing the real payment card number (PAN) with a unique, random, and irreversible identifier called a token. This token travels through the payment network instead of the sensitive data, ensuring that the merchant never stores or transmits the original number. If an attacker intercepts the token, they obtain a value that is useless outside its issuance context.

In the European payments ecosystem, tokenization is not just a technical improvement: it is a direct lever for security, regulatory compliance, and ecommerce conversion.


How Tokenization Works

The flow of a tokenized transaction unfolds in four phases:

  • Provisioning: the cardholder registers their card in a digital wallet or merchant account. The system requests a token from the Token Service Provider (TSP), which may be the card network itself or a certified processor.
  • Token generation: the TSP stores the PAN in a secure encrypted vault and returns a token linked to a specific usage domain (that merchant, that wallet, or that device). The token cannot be reversed to obtain the original PAN.
  • Authorization: the merchant sends the token to the network, which internally replaces it with the real PAN and forwards it to the issuer. For network tokens (Visa Token Service or Mastercard MDES), each transaction includes a dynamic cryptogram that validates the authenticity of the operation.
  • Response: the issuer approves or declines the transaction. The network re‑tokenizes the PAN before returning the response to the merchant, who never sees the real data.

The key difference between network tokens and traditional vault tokenization lies in the signals received by the issuer. Network tokens provide cryptograms and domain controls that increase trust and improve authorization rates.
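The domain binding and per-transaction cryptogram described above can be sketched as follows. This is an added example, not code from a card network or from this page's author: `ToyTSP`, `make_cryptogram`, the HMAC-SHA256 construction, the replay counter, and the sample PAN and domains are all assumptions made for illustration, and real network-token cryptograms follow the schemes' own specifications.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, domain, counter):
    # Assumed stand-in construction: HMAC-SHA256 over token, domain, counter.
    msg = f"{token}|{domain}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ToyTSP:
    """Hypothetical Token Service Provider holding the PAN vault."""
    def __init__(self):
        self._vault = {}  # token -> record; stands in for the encrypted vault

    def provision(self, pan, domain):
        # Random digits with no mathematical link to the PAN: vault lookup only.
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)  # per-token key held by the token requestor
        self._vault[token] = {"pan": pan, "domain": domain, "key": key, "last": 0}
        return token, key

    def detokenize(self, token, domain, counter, cryptogram):
        rec = self._vault.get(token)
        if rec is None:
            return None, "unknown token"
        if rec["domain"] != domain:
            return None, "domain mismatch"
        if counter <= rec["last"]:
            return None, "replayed counter"
        expected = make_cryptogram(rec["key"], token, domain, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None, "bad cryptogram"
        rec["last"] = counter  # each cryptogram is accepted once
        return rec["pan"], "ok"


def demo():
    tsp, pan, dom = ToyTSP(), "4111111111111111", "merchant-a.example"  # constructed values
    token, key = tsp.provision(pan, dom)
    good = make_cryptogram(key, token, dom, 1)
    other = make_cryptogram(key, token, "merchant-b.example", 2)
    return [
        tsp.detokenize(token, dom, 1, good),                    # first use
        tsp.detokenize(token, dom, 1, good),                    # captured and resent
        tsp.detokenize(token, "merchant-b.example", 2, other),  # outside its domain
        tsp.detokenize(token, dom, 2, "0" * 64),                # forged cryptogram
    ]
```

Only the first call in `demo()` resolves to the PAN; the other three are refused with a specific reason, which is the kind of signal a plain vault token, with no cryptogram or domain check, does not provide.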

[Figure: Card payment tokenization flow]

Regulatory Impact and Security Requirements for Tokenization

Tokenization operates within a specific European regulatory framework.

PCI DSS v4.0 states in its Requirement 3.5.1 that stored PAN must be rendered unreadable through strong encryption, truncation, hashing, or tokenization. By implementing tokens, merchants reduce the scope of their Cardholder Data Environment (CDE), simplify audits, and lower certification costs.

According to PCI DSS v4.0, tokenization reduces CDE scope but does not eliminate compliance obligations. Merchants remain responsible for access controls, vendor management, and PCI scope documentation at least every 12 months.

The PSD2 Directive, transposed in Spain through Royal Decree-Law 19/2018, requires Strong Customer Authentication (SCA) for electronic payments. Tokenization complements SCA: issuers receiving tokenized transactions with cryptograms can apply low‑risk exemptions with greater confidence, reducing checkout friction without compromising security.

In 2021, EMVCo published the EMV 3DS Payment Token Message Extension, enabling token data to be included in 3‑D Secure authentication requests. Issuers make more accurate risk decisions, reduce unnecessary authentication challenges, and improve the buyer experience.

Operational Advantages and Disadvantages of Tokens

| Aspect | Network Token (VTS/MDES) | Traditional Tokenization (Vault) |
|---|---|---|
| Security | Dynamic cryptogram per transaction, validated by the network | Protects PAN in storage, without additional cryptographic signals |
| Approval rates | Measurable improvement due to issuer trust signals | No differential impact on authorization |
| Lifecycle | Automatic updates if the card expires or is reissued | Requires PAN recapture or manual remapping |
| PCI DSS scope | Reduces PAN exposure and narrows the CDE | Also reduces exposure, but depends on the vault perimeter |
| Portability | Tokens remain active regardless of the processor | Tokens belong to the provider, making migration difficult |

For ecommerce businesses with recurring payments or stored cards, network tokens offer a clear operational advantage: silent updates after card reissuance prevent declines in subscriptions and recurring charges, a problem that directly impacts revenue.
