What is tokenisation in payments?

Matthew Blenkarn, Content Marketing Manager
11 Nov 2022

Tokenisation plays a crucial role in card and mobile wallet payments. By replacing a customer’s card number with a randomly generated alpha-numerical code, it protects customers from fraud and data breaches. As a result, it’s become an effective way to make payments more secure and reduce the Payment Card Industry Data Security Standard (PCI DSS) burden for merchants.

But what is tokenisation? What benefits does it offer, and what are the alternatives? In this blog post, we’ll walk through the basics of tokenisation and show how it relates to card and mobile wallet payments.


What is tokenisation?

Tokenisation is a way to safeguard sensitive information. In payments, this involves the use of an algorithm to create a “token,” a random string of numbers that stands in for the customer’s account number.

As a result, tokenisation allows businesses to initiate payments in a secure way. For example, when processing transactions such as recurring payments, merchants need to store customer details securely to use again in the future. While this information is encrypted, hackers can still reverse that process, leaving customers vulnerable to fraud.

Tokenised payments offer an added layer of security. Since tokens have no assigned value, they are completely unrelated to a customer’s details. They also don’t refer back to sensitive information and cannot be reversed, allowing them to be stored or transferred with minimal risk.

What is a token?

A token is a unique substitute for sensitive data, in this case a card number. It takes the form of an algorithmically generated string of numbers. Since tokens are irreversible and don’t refer back to original account numbers, they allow merchants to store sensitive details securely.

Tokens play a major role in several types of online payments such as card-on-file and subscription transactions. Mobile wallets also use tokens to facilitate card payments. Rather than referring back to card or account details, wallet providers will request tokens from their payment providers (acquirers, gateways and/or orchestration platforms) or separate specialised token technology providers. The token can then be used to initiate payments from the cards stored in the mobile wallet.

Why is tokenisation important?

Tokenisation is important because it lets businesses use and transfer customer information in a safer way. When it comes to ecommerce, security remains a major concern for both merchants and customers: payment card fraud cost consumers £524 million in 2021, with card-not-present fraud accounting for about 78% of those losses.

Unfortunately, recurring payments such as card-on-file transactions require merchants to store customer details to initiate payments. This leaves them vulnerable to data breaches, as hackers can retrieve sensitive information even in an encrypted state. 

By storing tokens instead of customer data, companies can initiate payments without having to store or transfer customer data itself, decreasing the risk that sensitive details get stolen. For example, Visa reports that tokenised payments reduced fraud by 26% over a three-month period compared to payments that used card numbers. 

How does tokenisation work?

The tokenisation process varies depending on the payment method used. Generally, it begins when a customer enters their payment details on the merchant’s payment pages. From there, it proceeds as follows:

  1. In most cases, the information goes to a payment gateway or a specialised independent token service provider (TSP). In recent years, card schemes have started providing tokenisation services as well, which are then labelled “network tokens”.

  2. If the merchant uses their gateway’s own token service, the gateway generates a token and stores the customer’s sensitive information in a token vault. At the same time, the payment gateway transmits the raw card data to the merchant’s acquirer (if it’s a separate entity), which then passes it on to the respective card scheme.

  3. The transaction then goes to the customer’s issuing bank, which approves or declines the request depending on a variety of factors, including but not limited to whether the account has sufficient funds, whether the card is still valid, whether the request was sent through the correct strong customer authentication (SCA) flow, and more.

  4. Once authorised, the approval goes back down the chain and the response is returned to the merchant together with the originally created token (instead of the raw card data). The reason the gateway, acquirer, schemes and issuers can share raw card data between them is that they all have to abide by PCI standards.

For any subsequent transaction, whether it’s a consumer-initiated one-click payment or a merchant-initiated recurring payment, all the merchant needs to do is send the token to their provider again to trigger the same chain of events.
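The flow in steps 2 to 4 and the repeat-payment path above, as an added Python example (not code from this post or from any payment provider). The `TokenVault` and `Gateway` classes, the `tok_` prefix, the stubbed authorisation and the choice to return the same token for the same card are assumptions made for illustration; the card number is a constructed test value.

```python
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn checksum carried by card numbers; rejects mistyped input."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    digits = [int(d) for d in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0

class TokenVault:
    """Provider-side vault (hypothetical): the only place token -> card number exists.
    An in-memory dict stands in for the provider's protected store."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from pan
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenise(self, token: str) -> str:
        if token not in self._pan_by_token:
            raise LookupError("unknown token")
        return self._pan_by_token[token]

class Gateway:
    """Steps 2-4 and the repeat-payment path; authorisation is a stub."""
    def __init__(self):
        self.vault = TokenVault()

    def _authorise(self, pan: str, amount_pence: int) -> bool:
        return amount_pence > 0  # stand-in for acquirer, scheme and issuer checks

    def first_payment(self, pan: str, amount_pence: int) -> dict:
        token = self.vault.tokenise(pan)
        return {"approved": self._authorise(pan, amount_pence), "token": token}

    def repeat_payment(self, token: str, amount_pence: int) -> dict:
        pan = self.vault.detokenise(token)  # only the provider can do this lookup
        return {"approved": self._authorise(pan, amount_pence), "token": token}

if __name__ == "__main__":
    gateway = Gateway()
    receipt = gateway.first_payment("4111111111111111", 1299)  # constructed test number
    merchant_db = {"customer-42": receipt["token"]}  # merchant keeps the token only
    print(gateway.repeat_payment(merchant_db["customer-42"], 1299))
```

The merchant's database holds only the token, so a copy of that database gives an attacker nothing to compute a card number from; the mapping lives solely in the provider's vault.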

What’s the difference between tokenisation and encryption?

The difference between tokenisation and encryption largely comes down to each method’s approach to customer data. 

Encryption is an end-to-end encoding process: a sender uses an algorithm to convert an account number into a new form called a ciphertext. The sender then transmits that data along with an encryption key to a receiver, who uses the key to decrypt the information. 

While this process is effective at protecting information, it is still reversible. Anyone with access to the encryption algorithm can decode the data and return it to its original state. 

Tokenisation replaces sensitive information with randomly generated numbers or letters. Unlike encryption, this method is essentially unreadable. It has no relation to the customer’s card number and cannot be decoded with a key or an algorithm. As a result, it provides an extra degree of security in data storage or transfer.

What are the benefits of tokenisation?

Tokenisation offers a range of business benefits, from streamlining compliance operations to increasing customer trust and more.

One of tokenisation’s biggest benefits, as described above, is that it lets companies avoid the difficult process of obtaining Payment Card Industry (PCI) accreditation. When organisations accept card payments, they must adhere to the Data Security Standards (PCI DSS), a set of regulations around data storage issued by the major card schemes. 

With tokenisation, businesses can let their payment provider handle card details by simply referring them to a token when needed. The provider then assumes responsibility for meeting these standards, reducing the burden on the company itself.

Companies can also use tokenisation to reassure their customers that their payment processes are safe. The added security of tokenised payments ensures that consumers are less likely to fall victim to fraud. By protecting their customers’ details, businesses can generate loyalty from their customer base.

What are the alternatives to tokenisation?

While payment tokenisation can help increase the security of card transactions, it still has its drawbacks. 

Although it may protect customer data, tokenisation fails to address payment cards’ other drawbacks. It doesn’t alleviate slow settlement speeds for smaller merchants, nor variable success rates depending on the merchant’s vertical and their issuer’s risk appetite. It’s still vulnerable to expired cards and lost and stolen details. And it can even add to already high merchant costs.

Open banking solves for these issues, allowing customers to make data-rich payments directly from their bank accounts without sharing payment details. This eliminates the need to replace card details in the event of loss, theft or expiry. Not only are open banking payments secure, but also fast, reliable and cost effective.

Open banking payments don’t require customers to share credentials and they have strong customer authentication baked in, preventing fraud and chargebacks. Transactions settle immediately when instant payment rails are available, and failure rates are less than 5%. Open banking payments also lack the multitude of fees associated with card processing, offering companies a more efficient and economical way to do business.

Visit our payments page to learn more about the benefits of open banking
