TL;DR
Tokenization swaps a card number for a meaningless reference — the real card sits inside a vault run by a PCI Level 1 provider, and your systems only ever touch the token. It's not encryption (there's no math to reverse), and PCI DSS rewards it because tokens aren't cardholder data so the systems holding them fall out of audit scope. The biggest day-to-day impact for US merchants is being able to attest under SAQ A instead of SAQ D.
Last updated: 27 May 2026
Tokenization replaces a card number with a meaningless reference — a token — that has no mathematical relationship to the original. The real card sits inside a separate database called a vault. Your systems store the token. The vault stores the card. If someone breaks into your systems, all they get is a meaningless string.
That's the whole idea in one sentence. The rest is detail — useful detail if you're picking a payment provider, planning a PCI audit, or trying to work out why two vendors quoting tokenization don't quite mean the same thing.
What a token actually looks like#
A real card number is 16 digits, structured. The first six identify the issuer (Visa, Mastercard, Amex), the next nine identify the account, and the last digit is a Luhn check. The number itself carries information, and any system that touches it picks up PCI scope.
A token replaces that number with something like tok_4f7a92b1c3e8d9f0 — or, with format-preserving tokenization, with a 16-digit string that looks like a card number but isn't one. There's no math you can run on the token to recover the original. It's not encryption. It's not a hash. It's a reference. The mapping between the token and the card lives in one place: the vault, run by your payment provider or a dedicated tokenization service.
Tokenization vs encryption — they're not the same#
Encryption is reversible math. Cleartext in, key applied, ciphertext out. Anyone with the key can reverse it. The security depends entirely on keeping the key safe.
Tokenization isn't math. The token has no algorithmic relationship to the card. To go from token back to card, you have to query the vault. If you don't have access to the vault, the token is useless — there's no key to steal because there's no key in the equation.
This matters because the two solve different problems. Encryption protects data while it's moving or while authorized systems still need to read it. Tokenization removes the data from your environment when no system there needs the real value again. Most payment stacks use both — TLS encrypts the card on the way to the gateway, the gateway tokenizes it, and your CRM only ever sees the token. We cover the distinction in detail in tokenization vs encryption.
Building a stored-card flow? Book a 15-minute demo — we'll walk through how tokens flow from capture to recurring charge.
Why PCI DSS rewards tokenization#
PCI DSS scope is defined by the systems that store, process, or transmit cardholder data, plus any system connected to those. If your CRM stores a card number, your CRM is in scope. If your CRM stores a token, and the vault sits with a PCI Level 1 service provider, your CRM isn't in scope — because the token isn't cardholder data.
That's the practical commercial benefit. Scope reduction translates directly into a shorter Self-Assessment Questionnaire (SAQ), fewer systems in your annual assessment, less penetration testing, less internal control evidence. A merchant that tokenizes everything can typically attest under SAQ A instead of SAQ D, which is the difference between a half-day exercise and a multi-week engagement.
The PCI Security Standards Council publishes formal guidance on tokenization — including what makes a tokenization implementation acceptable for scope reduction. Two things matter: the token must have no exploitable mathematical relationship to the PAN, and the vault must be properly protected. Both conditions are met by any reputable payment service provider, but it's worth checking the documentation rather than taking the marketing claim at face value.
PCI DSS Requirement 3 and tokenization specifically
Requirement 3 of PCI DSS — "protect stored account data" — is where tokenization most directly lives. The requirement covers everything about how PAN data has to be rendered unreadable when it's stored: truncation, hashing, one-way encryption, or tokenization. PCI explicitly recognizes tokenization as a valid method, with a supplemental guidance document called "Information Supplement: PCI DSS Tokenization Guidelines" that goes into the architecture and assessment requirements in detail.
The version 4.0 release of PCI DSS (effective 2024) sharpened the tokenization language in a few useful ways. It clarified that tokens which can be reversed back to PAN — by anyone with access to the token, including the merchant — don't reduce scope, because the token effectively still represents cardholder data. Only tokens where the merchant has no path back to the underlying PAN deliver the scope-reduction benefit. That's the line between a token that's a security measure (no path back) and a token that's just a renamed PAN (path back exists).
The other v4.0 sharpening was around the vault itself. Requirement 3.5 now spells out that the system performing the detokenization — typically the payment gateway — has to be assessed as in-scope, and the merchant's connection to the detokenization service has to be assessed too. That's not a meaningful change in practice for most merchants because the gateway is already PCI Level 1 attested, but it formalizes what every QSA was already asking for.
Where US merchants run into tokenization day to day#
If you accept card payments online, you've used tokenization whether or not you've heard the word. Every "save card for next time" checkbox is backed by a token. Every subscription billing run charges a stored token, not a stored card. Every Apple Pay or Google Pay transaction uses a network token issued by the card scheme rather than the merchant's own provider token.
For US merchants, the providers most commonly issuing tokens behind the scenes include the major gateways and acquirers — direct integrations or through a payment service provider. Each provider issues its own tokens. A token from one gateway doesn't work at another, which is one reason switching processors can be painful: you either migrate the token vault or re-tokenize every card.
Network tokens are the partial fix. Visa Token Service and Mastercard Digital Enablement Service issue tokens at the scheme level — they're portable across compatible providers and they update automatically when a card is reissued (lifecycle management, in the jargon). Most modern stored-card flows now use a mix of provider tokens and network tokens, with the provider managing which is which.
Network tokenization vs PSP tokenization — the practical difference#
The two layers of tokenization that show up in modern US payment stacks solve overlapping but different problems, and most stacks end up using both.
PSP tokenization — a token issued by your payment service provider, sometimes called a gateway token or vault token — is the older pattern. The gateway captures the card on first use, stores it in their vault, and hands you back a token. Subsequent charges send the token to the gateway, the gateway looks up the card, and the transaction goes through. The token is specific to that gateway — it can't be sent to a different gateway, and the format is whatever the gateway chose (random string, format-preserving 16-digit, prefixed identifier, all common variants).
Network tokenization is newer. Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) issue tokens at the card-scheme level. The token is bound to the original card but is portable across any acquirer or processor that's certified to accept VTS or MDES tokens. The big advantages are lifecycle management (the network token automatically updates when the card is reissued — no failed renewals when a card expires or gets replaced after a breach) and improved authorization rates (issuers see network tokens as a positive signal and approve them at higher rates than raw PANs).
The trade-off is that network tokens require participation from your acquirer and the card schemes — not every legacy stack supports them yet. Most modern US payment providers have shipped network token support over the last three years, and the migration is usually transparent to the merchant. The provider opts you in, starts sending new card captures through VTS/MDES enrollment, and over time your stored card portfolio shifts from PSP tokens to network tokens.
The American Express token service (XTS) and the Discover Token Service play similar roles for their networks. For most US merchants accepting four-party cards, the network-token layer is now table stakes — pricing rebates on network-token transactions are common, and authorization-rate improvements of 2-5 percentage points are well documented.
What tokenization doesn't protect against#
Tokenization isn't a security silver bullet. It removes card data from your systems — that's its job. It doesn't stop someone phishing your customers, hijacking authenticated sessions, or running a card-not-present fraud scheme using stolen card data from somewhere else. Card-on-file fraud — where an attacker uses a stored token to make purchases without owning the card — is its own threat vector. 3D Secure, behavioral analytics, and proper authentication are what address that side.
And tokenization at the gateway doesn't protect the call leg if you're taking phone payments. The card has to enter the gateway to be tokenized — which means it has to travel from the customer's mouth, through the agent's headset, across the recording platform, and through your call infrastructure. Every system in that path is in PCI scope unless you remove the card data from the audio before it gets there. That's where DTMF masking comes in — and the same principle applies whether you're taking card payments over the phone with a live agent or running an IVR payment flow.
Vault security — the part nobody markets#
The tokenization-as-marketing pitch usually stops at "your card data is replaced with a token." The part that doesn't make it into the sales deck is what happens to the card data inside the vault. The vault is where the real cards live. It's the highest-value target in the entire payment stack — break in there and you have every card from every merchant the provider serves.
Reputable vaults are protected by layers: hardware security modules (HSMs) for key management, strict access control with logging, network segmentation that puts the vault on its own infrastructure with no internet-facing surface, and continuous monitoring. PCI DSS Level 1 attestation is the formal evidence that a provider has the controls in place. Anything less than Level 1 should make you ask hard questions.
You don't generally get to inspect a provider's vault directly. What you can do is ask for their current AOC, check the date (within the last 12 months), and confirm the AOC covers the specific service you're buying — not just "the company" in general. A Level 1 AOC on a corporate website that doesn't name the tokenization service in the scope statement is worth less than it looks.
What's inside a properly architected vault
A vault that's been built right looks roughly the same across all the major providers. At the storage layer, card numbers are encrypted at rest with keys held in an HSM — typically a FIPS 140-2 Level 3 certified module, which is hardware that physically destroys keys if tampered with. The HSM never releases the key in cleartext; cryptographic operations happen inside the HSM and only the result comes back out.
At the access layer, every detokenization call is logged with the calling system, the user identity, the token requested, and the response. Logs go to an immutable store and are reviewed by automated anomaly detection — a sudden spike in detokenization calls from a single CRM integration is a red flag worth investigating. Access is gated by certificate-based mutual TLS, not just an API key, so a leaked API key isn't enough to detokenize on its own.
At the network layer, the vault sits behind multiple firewalls with no direct internet-facing surface. The only way into the vault is via the tokenization service's API gateway, which is itself heavily protected. Most vaults run in private cloud or dedicated infrastructure rather than public-cloud multi-tenant environments, partly for performance and partly to limit blast radius if the public-cloud provider has an incident.
And there's a recovery story. The vault has off-site backups, but those backups are themselves encrypted with separate keys and stored under separate access control. Recovery from a backup requires multi-party authorization — not one admin with one password, but two or three people from different roles confirming the operation. The point is to make catastrophic data loss something that takes coordinated effort to cause, not something a single rogue admin or a single compromised account can do alone.
How Paytia and tokenization fit together#
Paytia's job on a phone call is to keep the card out of your contact center. The customer types their card number on their phone keypad. The tones get intercepted before they reach the agent or the recording. The digits go directly to the gateway over TLS. The gateway tokenizes the card and returns the token to your CRM. The agent never hears the number, the recording never captures it, and your storage system never sees it.
What you store is the token. When you charge that customer again — for a subscription renewal, a deferred shipment, a recurring service fee — the token travels back to the gateway, the vault looks up the card, and the transaction goes through. The card itself stays inside the gateway environment for its entire life with you.
Tokenization is the building block. The masking architecture is what stops the card from being captured before it ever reaches the gateway. The two layers together let merchants attest under SAQ A — the shortest of the SAQ forms, normally reserved for fully outsourced e-commerce — even though they're taking payments over the phone with live agents. That's the same architectural pattern the broader piece on PCI compliance for telephone payments walks through.
Format-preserving vs random tokens#
Two main styles of token show up across US providers. Random tokens look like opaque strings — tok_4f7a92b1c3e8d9f0 or similar — and they're easy to spot in logs and databases as obviously not card numbers. Format-preserving tokens look like 16-digit strings that pass Luhn validation but aren't real cards. They're useful when an existing system expects a 16-digit card-number-shaped value and rejecting non-numeric formats would break the integration.
Both styles satisfy PCI DSS scope-reduction requirements if implemented properly. The choice between them is usually driven by what your downstream systems expect. Modern CRMs and billing platforms accept either. Older line-of-business systems that hardcoded "PAN is 16 digits" assumptions sometimes need format-preserving tokens just to fit through the schema.
One thing format-preserving tokens make easier is the audit conversation: a row in your database with a 16-digit number that looks like a card is exactly the kind of thing a QSA wants to inspect. Document the format clearly, mark token columns as tokens in your schema, and don't assume the auditor will take your word for it without evidence.
Tokenization standards — who governs what
Tokenization is governed by overlapping standards rather than one master spec. The PCI Security Standards Council publishes the high-level requirements that determine whether a tokenization implementation qualifies for scope reduction — that's the "Information Supplement: PCI DSS Tokenization Guidelines" mentioned above. EMVCo publishes the network-token spec (the EMV Payment Tokenisation Specification — Technical Framework), which is what Visa Token Service and Mastercard Digital Enablement Service implement. NIST publishes the underlying cryptographic standards that vaults rely on for key management (FIPS 140-2 / 140-3 for HSMs, SP 800-57 for key management lifecycle).
The practical implication is that no single certificate proves a tokenization implementation is sound across every layer. You want PCI Level 1 attestation for the provider, you want EMVCo certification for network-token participation, and you want HSM-backed key management with FIPS 140-2 Level 3 modules. Any provider missing one of those is taking shortcuts somewhere.
Industry use cases — where tokenization matters most#
Tokenization sits behind almost every recurring or stored-payment use case in modern US commerce. A few where the scope-reduction benefit is most material:
Subscription SaaS. Recurring monthly or annual billing against a stored card. Without tokenization, every SaaS company would be storing PANs and would be under SAQ D at minimum — a multi-month annual assessment. With tokenization through the gateway (typically Stripe, Braintree, or Adyen for the major SaaS stacks), the SaaS company stores tokens, the gateway holds the card, and the SaaS company attests under SAQ A.
Marketplaces and platforms. Companies like Uber, DoorDash, Airbnb store millions of cards on file for fast checkout. The token-vault model is the only architecture that makes this workable — storing PANs at that scale would create a vault that's a target for nation-state attackers. Most platforms now use a combination of PSP tokens (for their primary processor) and network tokens (for portability if they switch processors or add a backup).
Healthcare patient billing. Stored payment methods for ongoing treatment plans, recurring lab fees, or copay arrangements. Combine tokenization with the broader HIPAA payment-processing rules — see our HIPAA-compliant credit card processing piece — and the resulting architecture keeps both PCI and HIPAA boundaries clean.
B2B contract billing. Annual contract renewals charged automatically against a stored corporate card. The token lives in the AR system; the card lives in the gateway vault; the renewal goes through without anyone re-entering details. When the card expires, the network-token layer auto-updates and the renewal still works.
Insurance recurring premiums. Monthly premium auto-debits against stored cards or stored bank details. The same tokenization principle applies to ACH details as well as cards — see our ACH payments for B2B piece for how bank-account tokenization works.
Common mistakes — the ones we see most often#
Storing the last four digits alongside the token in a way that recreates scope. PCI DSS allows you to store the last four digits of the PAN in clear text — that's why you see them on receipts. But if you store the last four next to the BIN (first six digits) and the cardholder name, you've effectively recreated enough information to identify the cardholder, and a QSA may push back on the scope reduction. Store the last four for display purposes only; don't store the BIN alongside it unless you have a specific need.
Assuming tokens are non-sensitive and logging them everywhere. A token isn't a PAN, but it's still a credential — it can be used to charge a card. If a token leaks (from logs, from an exposed S3 bucket, from a compromised CRM integration), the attacker can submit charges against it through your normal payment flow. Tokens should be treated as credentials, not as inert reference data. Don't log them in application logs, don't pass them in URL query parameters, and rotate them when a CRM is decommissioned.
Failing to handle vault-provider switches. When you change payment providers, the new provider can't read the old provider's tokens — they're completely separate. If you have 50,000 stored cards in the old vault, you either negotiate a vault-to-vault migration (the old provider exports the encrypted card data to the new provider under a secure handoff agreement) or you let the old tokens lapse and re-tokenize customers as they come back. Most US merchants underestimate the cost of this; a poorly planned switch can lose 20-40% of stored-card subscribers to friction.
Using "tokenization" loosely to describe one-way hashing. Some legacy systems store a one-way hash of the PAN and call it a token. It isn't, in the PCI sense. A hash is one-way irreversible — you can't get back to the card to charge it again. That's fine for some use cases (fraud screening, duplicate detection) but doesn't enable stored-card flows. If your provider is using "tokenization" to describe a hash, ask what the use case is and whether you can actually charge against the supposed token. Often the answer is no.
Not asking about token portability before signing. If you sign with a provider whose tokens aren't network-token-compatible, you've locked yourself in — leaving means rebuilding your entire stored-card portfolio. Ask up front: does the provider participate in VTS and MDES? What happens to your tokens if you terminate the contract? Get the answer in writing, not as a sales-call assurance.
The token lifecycle — from capture to retirement#
Most discussion of tokenization stops at the capture step. The full lifecycle is longer and worth knowing about because the operational issues mostly show up later, not at first use.
Capture. The card enters the gateway, gets validated against the issuer, and a token is generated. The token is returned to the merchant and stored against the customer record. At this point, the card is in the vault, the token is in the CRM, and the two are linked inside the gateway's mapping table.
Active use. The merchant submits charges against the token. The gateway looks up the card, sends the authorization request to the issuer through the network, and returns the result. The token doesn't change. It can be charged any number of times until something else triggers a change.
Card reissue. The customer's bank reissues the card — new number, new expiry, sometimes new CVV — because the old one expired, was reported lost, or got caught in a breach replacement run. If the merchant is using PSP tokens only, the old token still points to the old card, which is now invalid. The next charge fails with a "card not found" or "invalid account" decline. The customer has to be contacted to provide the new card details.
If the merchant is using network tokens (VTS, MDES), the network updates the token mapping automatically when the issuer notifies the network of the reissue. The next charge succeeds against the new card without any merchant or customer action. This is the single biggest operational reason to use network tokens — the alternative is a wave of failed renewals every time a card scheme runs a breach replacement.
Voluntary card change. The customer decides to use a different card for the subscription. The merchant captures the new card, gets a new token, and updates the customer record. The old token can be left in place (unused) or explicitly deleted from the vault. Most providers charge a small storage fee per token per month, so explicit deletion saves a small amount over time.
Account closure. The customer cancels the subscription or closes their account. Best practice is to send an explicit delete request to the gateway for the stored token, which removes the card from the vault. Leaving deleted-customer tokens in the vault indefinitely accumulates technical debt and increases your data-retention exposure under privacy laws (GDPR, CCPA, the broader state privacy patchwork).
Provider switch. The merchant moves to a different payment provider. The old tokens become useless because they're specific to the old provider. The path forward is either a vault-to-vault migration (negotiated between old and new provider, typically with the merchant's acquirer or processor signing off on the data-handling agreement) or a gradual re-tokenization as customers re-engage. Plan this in advance — a poorly handled switch can lose substantial recurring revenue to friction.
Tokenization beyond cards — bank accounts, identity, anything sensitive#
The architectural pattern — replace sensitive data with a meaningless reference, keep the real data in a controlled vault — works for any kind of high-sensitivity identifier. Most US merchants encounter it first with cards, but the same approach now shows up across several other domains.
Bank account tokenization. ACH details (routing and account numbers) get tokenized at modern ACH processors the same way cards do at card gateways. The merchant stores the token, the processor holds the real account number in a vault, and recurring debits charge against the token. There's no PCI-equivalent regulatory regime forcing this, but the practical security benefit is the same — your CRM doesn't end up as the target for an attacker who wants bulk bank details. Our piece on ACH payments for B2B covers this in more detail.
Identity tokenization. Some KYC and identity providers issue tokens against verified identity records — the merchant stores a token, the identity provider holds the underlying SSN, date of birth, or government-ID number. The merchant can check "is this customer verified" by passing the token without ever holding the underlying identifier. Useful in regulated verticals (financial services, telecoms, regulated marketplaces) where holding raw SSNs would create a target.
Healthcare record tokenization. Some HIPAA-adjacent platforms tokenize patient identifiers to allow analytics and reporting without exposing the underlying PHI. The token is meaningless outside the vault, so a leaked analytics dataset doesn't expose patient identities directly.
The pattern is the same in every case: separate the high-sensitivity data from the systems that don't need it, and give those systems a meaningless reference instead.
What to ask a provider about tokenization#
Three questions usually surface the real answer. First, is the vault inside a PCI DSS Level 1 environment, and can the provider produce a current AOC (Attestation of Compliance)? If they can't, the scope-reduction argument doesn't hold. Second, are the tokens portable — network tokens — or proprietary to that provider? Proprietary tokens lock you in. Third, what happens to existing tokens if a card is reissued after a breach or expiry? Network tokens update automatically; provider tokens often don't, which means a wave of failed renewals every time a card scheme reissues numbers.
None of these are dealbreakers on their own. They're the questions that separate a provider with a real tokenization practice from one that ticks the box and moves on. Ask them on the first sales call, get the answers in writing before signing the contract, and verify against the provider's published AOC rather than relying on whatever the sales rep tells you over the phone.
Frequently asked questions#
If my CRM only stores tokens, is it really out of PCI scope?
Yes — provided the tokens have no exploitable mathematical relationship to the underlying PAN and the vault is properly secured by your provider. That's the architectural condition PCI DSS Requirement 3 spells out. In practice, a QSA will still ask to see how the tokens are stored, how detokenization calls are made, and where the connection from your CRM to the gateway sits. The connection itself may pick up some scope (it's part of how PAN data flows back into your environment for charges), but the CRM database holding only tokens stays out of scope.
Can I tokenize cards I've already stored without re-collecting from customers?
Sometimes. If your existing card store is at a Level 1 PCI environment and your new provider can ingest the encrypted card data via a secure vault-to-vault migration, yes — you can convert in bulk without customer involvement. If your existing store is in your own systems, you'll typically need to encrypt and securely transfer the cards to your new provider, which they'll then tokenize. Some providers offer a "silent re-tokenization" service that handles this. Get a written agreement about how the migrated data will be handled and destroyed at the old provider.
Are network tokens always better than provider tokens?
For most modern stored-card use cases, yes — better authorization rates, automatic lifecycle updates, and portability across providers. The exception is high-velocity one-off transactions where network token enrollment adds latency at first use; some providers handle this by tokenizing at the PSP level immediately and back-filling the network token asynchronously. For 99% of US merchants, the right answer is to use network tokens wherever the provider supports them.
What does "format-preserving" actually mean in practice?
The token has the same shape as a card number — 16 digits, passes Luhn validation, looks like a PAN in a database — but isn't a real card. The format-preservation is purely about fitting through legacy systems that expect PAN-shaped data. It doesn't change the security profile compared to a random-string token; both are equally meaningless without the vault. Format-preserving tokens trip up some QSAs initially because they look like PANs in logs and reports; clear schema documentation usually settles that.
What happens to my tokens if the payment provider goes out of business?
This is the right question and most merchants don't ask it. The PCI Council requires Level 1 providers to have business-continuity arrangements, but "business continuity" doesn't always extend to graceful wind-down. In a wind-down scenario you typically have 30-90 days to migrate your tokens to another provider before the vault is decommissioned. Plan for it in advance — keep your customer card-on-file records reconciled, have a backup provider relationship in place, and read the wind-down clauses in your contract before signing.
Are stored tokens covered by data breach disclosure laws?
State-by-state, the answer varies. Most state breach laws define "personal information" in a way that includes PANs but excludes meaningless tokens — so a breach exposing only tokens typically doesn't trigger disclosure. But if the breach exposes tokens plus enough other context to identify the cardholder (last four, name, address), the analysis is closer to a PAN exposure. Talk to your privacy counsel about your specific state mix; this isn't a one-size answer.
Do tokenization fees show up separately on my processing statement?
It depends on the provider. Some bundle tokenization into the per-transaction fee. Some charge a separate per-token storage fee (typically fractions of a cent per stored token per month). Network token transactions sometimes carry small rebates because issuers approve them more readily. Read the fee schedule rather than assuming — total cost of ownership can vary by 10-20% depending on how the provider structures it.
Related reading#
- PCI Compliance for Telephone Payments
- What Is an IVR Payment?
- ACH Payments for B2B
- HIPAA-Compliant Credit Card Processing
- Take Card Payments Over the Phone
Building a stored-card flow? Book a 15-minute demo — we'll walk through how tokens flow from capture to recurring charge.
