This guide provides a technical and practical look at how tokenisation works within modern payment systems. We cover the differences between tokens and primary account numbers, the role of network providers, and the impact on security and compliance.
Digital payment volumes continue to climb as consumers move away from physical cash and towards mobile-first solutions. This growth brings intense security pressure for businesses that must handle sensitive card data while facing sophisticated fraud attempts. Protecting this information has become a fundamental requirement for staying operational. Payment tokenisation provides a robust answer by swapping vulnerable card details for secure alternatives, allowing for safer transactions without extra risk.
What is payment tokenisation?
Payment tokenisation replaces sensitive card data with a non-sensitive token that cannot be used outside a defined context.
At its core, this process removes the primary account number (PAN) from the transaction environment. Instead of storing a sixteen-digit card number, the merchant stores a randomly generated string of characters known as a token. This token acts as a placeholder. If a database is ever accessed by an unauthorised party, the stolen tokens are useless to them. They have no value on their own and cannot be used to make purchases elsewhere.
Think of it like a cloakroom ticket. When you leave your coat at a theatre, the attendant gives you a small slip of paper with a number on it. That ticket is not your coat, and it has no value to anyone else. However, within that specific theatre, that ticket is the only thing that can retrieve your garment. In payments, the token is that ticket, and the card details are the coat safely locked away in a secure vault.
How does payment tokenisation work?
The process moves card data through a secure vault where it is swapped for a token that the merchant then uses for future transactions.
The flow begins when a customer enters their card details at the point of sale. Instead of these details staying on the merchant’s server, they are sent directly to a payment service provider (PSP) or a dedicated token vault. The vault stores the original data and generates a unique token in its place. This token is sent back to the merchant for their records. For any recurring billing or one-click purchases, the merchant only ever sends the token to the PSP, who then matches it back to the real card for processing.
| Transaction stage | Non-tokenised flow | Tokenised flow |
|---|---|---|
| Data entry | Cardholder enters PAN | Cardholder enters PAN |
| Data storage | Merchant stores encrypted PAN | Merchant stores non-sensitive token |
| Recurring billing | Merchant sends PAN to processor | Merchant sends token to processor |
| Data breach risk | High: PAN is exposed | Low: Token is useless to hackers |
| PCI compliance | Broad scope, high cost | Narrow scope, lower cost |
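As an added illustration of the vault flow described above (example code written for this guide, not code from Wallester or any PSP), the following Python sketch models a token vault. The `TokenVault`, `checkout` and `recurring_charge` names, the merchant-scoped mapping and the choice to keep the last four digits while rejecting Luhn-valid candidates (so a token can never be mistaken for a live card number) are design assumptions of this example; the sample PAN is a well-known test number.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample input: a well-known Visa test number, not a live account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Luhn check-digit test that real PANs must pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical token vault: the only place the (merchant, token) -> PAN mapping exists.

    The token is random, so nothing about the PAN can be recovered from it; reversing
    it is a database lookup inside the vault, not a key-based transformation.
    """
    _store: dict = field(default_factory=dict)

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Swap a PAN for a merchant-scoped, format-preserving token."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        while True:
            # Keep the last four digits for receipts; randomise everything else with a CSPRNG.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject candidates that pass Luhn so a token can never look like, or equal, a real PAN,
            # and reject anything already issued to this merchant.
            if luhn_valid(token) or (merchant_id, token) in self._store:
                continue
            self._store[(merchant_id, token)] = pan
            return token

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Reverse a token. Works only inside the vault and only for the merchant that created it."""
        try:
            return self._store[(merchant_id, token)]
        except KeyError:
            raise LookupError("unknown token for this merchant") from None


def checkout(vault: TokenVault, merchant_id: str, pan: str) -> str:
    """Card entry: the PAN goes straight to the vault and only the token comes back to the merchant."""
    return vault.tokenize(merchant_id, pan)


def recurring_charge(vault: TokenVault, merchant_id: str, token: str, amount_pence: int) -> dict:
    """Recurring billing: the merchant submits the token; the PSP resolves it to the PAN inside the vault."""
    pan = vault.detokenize(merchant_id, token)
    return {"masked_pan": "*" * (len(pan) - 4) + pan[-4:], "amount_pence": amount_pence}


if __name__ == "__main__":
    vault = TokenVault()
    tok = checkout(vault, "merchant-A", SAMPLE_PAN)
    print("merchant stores:", tok)
    print("PSP charges:", recurring_charge(vault, "merchant-A", tok, 999))
    try:
        recurring_charge(vault, "merchant-B", tok, 999)
    except LookupError as exc:
        print("another merchant cannot use it:", exc)
```

Two points the code makes concrete: tokenising the same card twice yields two unrelated tokens, so a leaked token store cannot even be used to link customers across merchants, and a token presented in the wrong merchant context is simply unknown to the vault.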
Why is tokenisation used in payments?
It is used to protect sensitive data from breaches, simplify regulatory compliance, and improve the overall security of the payments sector.
Fraud remains a significant problem for the UK economy. According to the UK Finance Half Year Fraud Report 2025, card-not-present fraud cases rose 22% in the first half of 2025 alone, with card fraud losses reaching £299 million in just six months, which highlights the need for better data protection at the point of storage.
Paul Munson, UK CCO and MLRO at Wallester, notes that an investigative mindset is essential for staying ahead of these figures. He points out that fraud accounts for roughly 40% of all reported crime in the UK. By hardening the payment infrastructure through tokenisation, businesses make the harvesting of card data unprofitable. This forces criminals away from automated database exploits and into more difficult, manual social engineering methods.
Lowering the administrative burden of PCI DSS compliance is another major driver. When a business does not store or process raw card data, the number of security controls they must satisfy drops. This makes the audit process faster and cheaper. Furthermore, it creates a better experience for the customer. Since their real card details are not sitting in multiple merchant databases, the risk of their card being skimmed or stolen digitally is greatly lowered.
Q&A: Can tokenisation prevent fraud completely?
No. While it makes card data theft much more difficult, it does not stop all types of fraud. Criminals might still use social engineering or account takeover methods to make purchases. It protects the data at rest but cannot account for the actions of a compromised user.
Further Reading: Tokenisation: How Virtual Cards Protect Payment Data
Is tokenisation the same as encryption?
No, encryption hides data using a mathematical key that can be reversed, while tokenisation replaces data with a placeholder that has no mathematical link to the original.
Encryption uses an algorithm to scramble information into ciphertext. Anyone with the correct key can turn that ciphertext back into the original data. This is useful for sending data across the internet safely. Tokenisation, however, does not use a key to unlock the original number. The relationship between the token and the PAN is stored in a secure database (the vault). There is no way to work out the card number just by looking at the token.
| Feature | Encryption | Tokenisation |
|---|---|---|
| Underlying logic | Mathematical algorithm | Database mapping |
| Reversibility | Reversible with a key | Only reversible via the vault |
| Data format | Often changes format | Can keep the same format |
| Security focus | Data in transit | Data at rest |
| PCI impact | Data is still in scope | Removes data from scope |
Where is payment tokenisation used today?
It is the foundation for mobile wallets like Apple Pay and Google Pay, as well as e-commerce subscriptions and card-on-file services.
When you add a card to Apple Pay or Google Pay, the wallet provider does not store your actual card number on your phone. Instead, they request a token (often called a Device Account Number) from the bank. When you pay at a shop, your phone sends this token. Even if someone intercepts the signal, they cannot find your real card details.
E-commerce sites also use this for subscription billing. When you sign up for a streaming service, they keep a token on file. This allows them to charge you every month without ever holding your sensitive details. This also applies to one-click checkouts on major retail platforms. The convenience of not entering your card every time is made possible by secure token storage.
What is network tokenisation and how is it different?
Network tokenisation is provided directly by card networks like Visa and Mastercard, offering a more permanent and smarter alternative to standard PSP tokens.
Standard tokens are usually specific to one payment processor. If you move your business to a different processor, those tokens often become useless. Network tokens, issued by Visa or Mastercard, stay valid across the entire payment ecosystem. They also have lifecycle management features. If a customer’s card expires or is lost, the network can automatically update the token with the new card details.
This means the merchant does not have to ask the customer to update their card information manually. It leads to fewer declined transactions and a smoother experience. Issuing banks grant higher approval rates for these tokens, as data coming directly from the source carries a much higher trust level than standard entries.
Q&A: Do network tokens expire?
Usually, they stay active as long as the underlying card account is open. If the physical card is replaced due to expiry, the token is updated in the background, making it far more persistent than a standard merchant-level token.
What are the limitations of payment tokenisation?
The main drawbacks include a heavy dependency on the token vault provider and the potential complexity of integrating the system with existing hardware.
If a merchant relies on a specific PSP for their tokens, they might find themselves locked into that provider. Moving thousands of stored tokens to a new service is a difficult technical task. There is also the matter of cost. While tokenisation saves money on compliance and fraud, providers often charge a small fee per token or per transaction for the service.
There are also some interoperability issues. A token generated for an online transaction might not work if the customer tries to use it for an in-person return at a physical shop. These technical hurdles require careful planning during the implementation phase to make sure the customer journey remains fluid.
How do businesses implement tokenisation?
Implementation is usually handled through a payment service provider’s API or by using hardware-level integration for physical stores.
Most modern businesses do not build their own token vaults because the security requirements are too high. Instead, they use a partner that is already PCI-certified. The process involves a few key steps:
- Selecting a provider that supports both merchant and network tokens.
- Integrating the provider’s API into the checkout flow to capture data.
- Replacing any existing card-on-file data with secure tokens.
- Setting up a system to handle token updates from the card networks.
- Updating internal databases to store tokens instead of PANs.
- Testing the flow to guarantee that tokens are correctly mapped to customer IDs.
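The migration, token-update and verification steps in the list above, worked through as an added Python example (written for this guide, not Wallester's or any provider's code). `psp_tokenize` is a hypothetical stand-in for the provider's API call, the `CardOnFileStore` class and the shape of the network update event are assumptions of this example, and the legacy rows are constructed from well-known test card numbers.

```python
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed legacy card-on-file table keyed by customer id (well-known test PANs, not real accounts).
LEGACY_CARDS_ON_FILE: Dict[str, dict] = {
    "cust-001": {"pan": "4111111111111111", "expiry": "12/26"},
    "cust-002": {"pan": "5555555555554444", "expiry": "03/27"},
}


def psp_tokenize(pan: str, expiry: str) -> dict:
    """Hypothetical stand-in for the provider's tokenisation call.

    Returns an opaque reference that is visibly not a card number, plus the
    display data the merchant legitimately needs. A real integration calls
    the PSP's API here and never sees the token-to-PAN mapping.
    """
    return {"token": "tok_" + secrets.token_hex(12), "expiry": expiry, "last4": pan[-4:]}


@dataclass
class CardOnFileStore:
    """Merchant-side store after migration: customer id -> token and display data, never a PAN."""
    records: Dict[str, dict]

    @classmethod
    def migrate(cls, legacy: Dict[str, dict], tokenize: Callable[[str, str], dict]) -> "CardOnFileStore":
        """Replace every stored PAN with a token, then verify nothing PAN-shaped survived."""
        store = cls({cid: tokenize(row["pan"], row["expiry"]) for cid, row in legacy.items()})
        store.assert_no_pans()
        return store

    def assert_no_pans(self) -> None:
        """Post-migration check: a 13-19 digit run anywhere in the stored values means the migration failed."""
        for cid, rec in self.records.items():
            for value in rec.values():
                if re.fullmatch(r"\d{13,19}", str(value)):
                    raise RuntimeError(f"raw PAN still stored for {cid}")

    def token_for(self, customer_id: str) -> str:
        return self.records[customer_id]["token"]

    def apply_network_update(self, event: dict) -> bool:
        """Handle a card-lifecycle event from the network (card replaced or expiry changed).

        Event shape is an assumption of this example:
        {"old_token": ..., "new_token": ..., "new_expiry": ..., "new_last4": ...}.
        Unknown tokens are ignored rather than silently creating a new record.
        """
        for rec in self.records.values():
            if rec["token"] == event["old_token"]:
                rec.update(token=event["new_token"], expiry=event["new_expiry"], last4=event["new_last4"])
                return True
        return False


def charge_payload(store: CardOnFileStore, customer_id: str, amount_pence: int) -> dict:
    """What the merchant sends to the processor for recurring billing: the token, never the PAN."""
    return {"customer_id": customer_id, "token": store.token_for(customer_id), "amount_pence": amount_pence}


if __name__ == "__main__":
    store = CardOnFileStore.migrate(LEGACY_CARDS_ON_FILE, psp_tokenize)
    print(charge_payload(store, "cust-001", 1299))
    store.apply_network_update({"old_token": store.token_for("cust-001"), "new_token": "tok_replacement",
                                "new_expiry": "12/29", "new_last4": "9876"})
    print(store.records["cust-001"])
```

The `assert_no_pans` check is the part worth keeping in a real cut-over: it fails the migration loudly if the tokenisation call ever hands back the card number itself, which is exactly the mistake that would leave the merchant's database back in PCI scope.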
How Wallester supports tokenised payments
Wallester provides the technical infrastructure required for businesses to issue and manage cards that are fully compatible with modern tokenisation standards. The platform is built for companies that need virtual cards for internal spending, media buying, or customer-facing fintech products. By using an API-first approach, they allow for the quick creation of cards that work with major mobile wallets.
The system is designed to handle the complexities of token issuance and lifecycle management without the merchant needing to manage a secure vault themselves. This makes it easier for SaaS providers and fintech founders to launch card programmes that are secure by design. Teams working with high transaction volumes often look for ways to handle card data without storing it directly. Solutions like Wallester provide that layer.