Tokenization and PCI (Payment Card Industry)

Published: 31 August 2020

Reading time: 4 minutes

The concept of a token has been used in the digital world for almost 50 years. The reason is to separate and protect real data from breaches. Recently, the concept of tokenization has been used as a security mechanism for protecting sensitive data. Tokenization is an excellent data security strategy that, because it reduces the risk of data exposure while allowing enterprises to keep existing processes in place.

Across industries, enterprises are accumulating and transmitting more sensitive information than ever before, increasing the potential for attack by cybercriminals seeking to monetize private data. The availability of secondary markets for this data makes personally identifiable information, payment card numbers and medical records particularly vulnerable. Tokenization is ideal for protecting sensitive data in banking applications and is used for credit card processing, bank accounts, loan applications, and financial statements.

In response, organizations have turned to tokenization to reduce the risk of data exposure. Tokenization substitutes a real value with a random token that maintains the same format and type as the original data. This allows existing applications and databases to recognize and process the token in the same way as the original information. For example, as a customer service representative adds to a customer’s record, specific fields can be immediately tokenized so they are safeguarded against unauthorized access. Depending on the architecture, the real values are encrypted and stored in a separate vault or, using a vaultless approach, the token is generated via an algorithm, thus obviating the need to store the actual information.

When a customer uses credit card, it goes through five steps until the payment process is completed.

  • A credit card is swiped in a POS machine or entered into an ecommerce site.
  • The POS machine (or ecommerce site) passes the PAN to the credit card tokenization system.
  • The tokenization system generates a string of random characters to replace the PAN or retrieves the associated token (if it has already been created) and records the correlation in the data vault.
  • The tokenization system returns the token to the POS terminal (or ecommerce site) and is used to represent the customer’s credit card in the system.
  • If the business is using a payment processor’s tokenization solution, the token is sent to the payment processor, who, using the same tokenization technology, can de-tokenize and view the original credit card number and process payment. If the organization is using a third-party tokenization solution, the token is sent to the third-party, who then de-tokenizes it and sends it along to the payment processor for credit card processing.

The best part of a correctly implemented tokenization system is that merchants never see customer credit card information. They only see tokens, which are essentially useless strings of information. However, not many companies use tokenization. It is possible that many believe it is the same as encryption.

How Does Tokenization differ from Encryption? Encryption and tokenization are effective ways to protect data. Ideally, both should be used in security solutions designed to protect data. However, while both methods are capable of protecting data, the way that they do it differs in the processes of how each accomplishes that work.

The most important difference between encryption and tokenization is that the latter can take a non-mathematical approach to replacing sensitive data with a non-sensitive substitute that does not alter the original type or length of the data being protected. Meanwhile, encryption works by making changes in the type and length of data that renders that information as unreadable in databases and other intermediate systems.

Compared to encryption, tokenization generally consumes much less computational resources during processing. This is because some data is kept completely or partially visible for processing and analytic purposes. Meanwhile, the sensitive information that is being protected remains hidden. This allows data that is tokenized to be quickly processed while the strain on system resources is reduced. Tokenization can be advantageous when used on systems that rely on speed and high performance.

Tokenization solution reduces merchant exposure to card data compromise and its effect on a merchant’s reputation. It also provides a secure, cost-effective way to keep sensitive card details away from a merchant’s system.

Please contact our team of experts for more info about tokenization –


Kontaktirajte naš tim stručnjaka za više informacija o tokenizaciji –

To make this website run properly and to improve your experience, we use cookies. For more detailed information, please check our Cookie Policy.

  • Necessary cookies enable core functionality. The website cannot function properly without these cookies, and can only be disabled by changing your browser preferences.