What Is Tokenisation in Payments? Definition and How It Works
Definition
Tokenisation in payments is the process of replacing a payment card number with a unique, non-sensitive token that can be used to reference the original card data without exposing it, reducing PCI scope and enabling secure recurring transactions.
How it works
Tokenisation works by substituting a card's primary account number (PAN) with a surrogate value, the token, that has no exploitable relationship to the underlying card data: it is not derived from the PAN and cannot be reversed into it. The token is generated by the tokenisation system and stored in a token vault alongside the encrypted original PAN. When a subsequent transaction needs to be processed, the merchant presents the token; the vault looks it up, decrypts the PAN and passes it to the acquirer, so the PAN never transits the merchant's own systems.
There are two main categories of payment token. Gateway tokens are generated and managed by a payment provider or processor; they are specific to that provider and cannot be used elsewhere. Network tokens are issued directly by card networks (Visa Token Service, Mastercard Digital Enablement Service) and are scheme-level credentials that follow the card rather than the provider relationship.
Tokenisation serves two distinct purposes in payment infrastructure. First, it removes card data from the merchant's environment: if the merchant never stores or processes the raw PAN, their PCI DSS scope is dramatically reduced. Second, it enables stored credentials: the merchant retains a token they can charge against in future without asking the cardholder to re-enter their details, which is the foundation of subscription billing and one-click checkout.
A token intercepted on its own is useless to an attacker who has no access to the vault: it cannot be converted back into a PAN. This is the security property that makes tokenisation effective for reducing breach impact. The caveat is that a token is still a credential within the system that issued it: an attacker who obtains both a stored token and the merchant's API credentials can attempt charges with it, so tokens, and the credentials that exercise them, still need access control and monitoring.
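The mechanism above, as an added illustration in Python. This is example code written for this page, not PXP's implementation and not code from the original text: the vault, merchant and acquirer response are toy models, the sample PAN is the standard Visa test number rather than a real card, and the encrypt-then-MAC construction built from HMAC-SHA256 in counter mode is a standard-library stand-in for the AEAD cipher and HSM-backed keys a production vault would use. What it shows is the separation of duties: the token is a random lookup key with no relationship to the PAN, only the vault holds the decryption key, and the merchant's stored-credential table never contains a PAN.

```python
import hashlib
import hmac
import secrets

# Constructed sample input: the standard Visa test PAN, not a real card.
SAMPLE_PAN = "4111111111111111"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 run in counter mode to produce a keystream.

    Stand-in for a real AEAD such as AES-GCM so the example needs only the
    standard library; a production vault would use an HSM-backed cipher.
    """
    stream = b""
    block = 0
    while len(stream) < length:
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return stream[:length]


def encrypt_pan(key: bytes, pan: str) -> bytes:
    """Encrypt-then-MAC. Record layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    plaintext = pan.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_pan(key: bytes, record: bytes) -> str:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ciphertext, tag = record[:16], record[16:-32], record[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


class TokenVault:
    """Maps random tokens to encrypted PANs. Only this component holds the key."""

    def __init__(self, vault_key: bytes):
        self._key = vault_key
        self._records: dict[str, bytes] = {}

    def tokenise(self, pan: str) -> str:
        if not pan.isdigit() or not 13 <= len(pan) <= 19:
            raise ValueError("not a PAN")
        # The token comes from a CSPRNG, so nothing about the PAN can be
        # recovered from it; it is only a lookup key into this vault.
        token = "tok_" + secrets.token_hex(12)
        while token in self._records:
            token = "tok_" + secrets.token_hex(12)
        self._records[token] = encrypt_pan(self._key, pan)
        return token

    def detokenise(self, token: str) -> str:
        try:
            return decrypt_pan(self._key, self._records[token])
        except KeyError:
            raise KeyError("unknown token") from None

    def authorise(self, token: str, amount_minor: int) -> dict:
        """Toy acquirer call: detokenise inside the vault boundary and return
        only what the merchant needs. The PAN itself never leaves this method."""
        pan = self.detokenise(token)
        return {"approved": amount_minor > 0, "pan_last4": pan[-4:], "amount": amount_minor}


class Merchant:
    """Holds only tokens. Never sees, stores or logs a PAN after capture."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self._stored_credentials: dict[str, str] = {}  # customer_id -> token

    def capture_card(self, customer_id: str, pan: str) -> str:
        # In practice the PAN goes from the hosted checkout page straight to
        # the tokenisation service; the merchant backend receives the token only.
        token = self._vault.tokenise(pan)
        self._stored_credentials[customer_id] = token
        return token

    def charge(self, customer_id: str, amount_minor: int) -> dict:
        # Recurring charge: present the stored token, never a PAN.
        return self._vault.authorise(self._stored_credentials[customer_id], amount_minor)

    def stored_credentials(self) -> dict:
        """What a breach of the merchant database would expose: tokens only."""
        return dict(self._stored_credentials)
```

A compromised merchant database yields the values returned by `stored_credentials()`, which cannot be turned back into card numbers without the vault key; the tamper check in `decrypt_pan` also means a modified vault record is rejected rather than decrypted into garbage and forwarded to the acquirer.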
Why it matters
PCI scope reduction is the primary compliance benefit: merchants that tokenise at the point of capture and never store raw PANs can remove large portions of their infrastructure from PCI scope, reducing audit complexity and the blast radius of a data breach.
Token portability determines switching cost: gateway tokens are provider-specific. If a merchant switches payment provider and cannot migrate their token vault, they lose stored card relationships with all existing customers, forcing cardholders to re-enter their details. This is a significant lock-in mechanism.
Network tokens outperform gateway tokens on approval rates: because network tokens are issued by the card network and updated automatically when cards are reissued or replaced, they have higher approval rates on stored-credential transactions than gateway tokens backed by potentially stale PAN data.
Tokenisation is foundational for subscription and marketplace models: any merchant charging stored cards on a recurring basis (subscriptions, marketplaces, platforms) requires a reliable token vault. The quality of that vault directly affects recurring authorisation rates.
With PXP
PXP operates a Token Vault supporting both gateway tokens and network tokens across acquirer connections. PXP's tokenisation eliminates PAN storage from the merchant environment and provides automatic credential updates to maintain stored card relationships. Merchants migrating to PXP can request token migration support.
Frequently asked questions
What's the difference between a gateway token and a network token?
A gateway token is generated by a payment provider and is only usable within that provider's system. A network token is issued by the card network (Visa or Mastercard) and is a scheme-level credential tied to the card, not the provider. Network tokens update automatically when cards are reissued and typically achieve higher approval rates on stored-credential transactions.
Does tokenisation eliminate all PCI requirements?
No. Tokenisation reduces PCI scope by removing raw card data from the merchant's environment, but it does not eliminate PCI obligations entirely. Merchants still need to assess the systems that remain in scope and complete the applicable SAQ, or undergo a QSA assessment, for any components involved in payment processing, even though the card data itself is held only in the token vault.
How does tokenisation affect approval rates on recurring transactions?
Gateway tokens backed by stale card data produce declines when the underlying card has been reissued or replaced. Network tokens solve this because the card network updates them automatically when a new card is issued to the cardholder. Merchants using network tokens on recurring transactions typically see materially lower decline rates from expired or replaced cards.
Can tokens be migrated when switching payment providers?
It depends on the token type and the provider. Gateway tokens are provider-specific and are not portable by default; switching providers without a migration agreement means losing stored card relationships. Network tokens are more portable since they are scheme credentials, but practical migration still requires coordination between the old and new provider and the card networks.