Everything you need to know about payment tokenisation

Updated on 14 May 2024 by Alison Giansetto
Reading Time: 4 minutes

In addition to providing a higher payment acceptance rate and a smoother shopping experience, tokenisation meets the growing need for online transaction security.

It aligns with the regulations mandated by Visa and Mastercard: Card on File transactions (payment by subscription and one-click payment) must be tokenised. If these are deemed non-compliant, the transaction acquirer may face financial penalties.

What is tokenisation? In what context is it used? How does it work? What benefits does it offer? This article tells you everything you need to know.

Enjoy your reading!

What is payment tokenisation? 

Despite its complex terminology, the principle is simple: it involves the process of replacing sensitive data with secure, non-sensitive data called a token, hence the name. 

How does this translate in the payment domain?

When making an online purchase, consumers transmit their debit or credit card number, known as Primary Account Number (PAN), as well as their CVV. These are the numbers that, if disclosed, could be used for fraudulent purposes.

In this context, the token replaces the card’s original data with a unique digital identifier linking a card and a merchant, which is used throughout the payment process.


What are the use cases?

Securing Card on File payments

Required by the Visa and Mastercard card schemes for Card on File (COF) transactions, tokenisation offers customers a seamless shopping experience while maximising data security. 

Card On File is when customers save their card details for future use. There are two types of COF transactions: one-click payment and subscriptions or recurring payments.

In each of these situations, the merchant must be able to record and store the cardholder’s Primary Account Number (PAN). This is possible, but only with an authorisation issued by the PCI DSS compliance. 

Beyond the regulatory aspect, tokenised payments free merchants from this PCI DSS responsibility by delegating the storage of sensitive data to the card schemes. Merchants thus benefit from the advantages of Card on File payments without the regulatory and financial constraints.

Making payments via electronic wallets

Tokenisation is at the heart of mobile wallets, which are becoming increasingly popular with consumers, such as Apple Pay, Google Pay and Samsung Pay. These alternative payment methods store cardholders’ data to allow them to make purchases online and in-store securely.

How does tokenisation work? 

To understand the process of tokenising credit and debit card data, we will follow the steps involved in creating a token as part of a COF transaction: 

  1. Data transmission: customers pay for their purchases by entering their cardholder information - PAN, expiry date and CVV - on the website’s payment page.
  1. Tokenisation request: the card data is sent to the payment service provider, who makes a tokenisation request to the card scheme (e.g., Visa or Mastercard).
  1. Token creation: the card scheme instantly generates a unique token between the cardholder and the merchant, automatically replacing the card’s sensitive data. This makes the data interoperable across the payment ecosystem.
  1. Token storage: the card scheme stores the token so that it can be reused for future transactions. It is also responsible for updating the token over time.

What are the benefits? 

Enhanced security for sensitive data 

A token is a unique digital identifier based on two factors: the cardholder’s card and the merchant’s identification. There is not just one token for a PAN, but as many tokens as there are uses, which guarantees its security. 

-28% average fraud rate on Visa network transactions using tokenisation.1

Maximised payment acceptance rate 

Due to their high level of security, payments with tokenised data are more often authorised by issuing banks. As a result, merchants are seeing their acceptance rates rise. 

+4.6% average acceptance rate for payments made with a token rather than a PAN.1

Improved user experience 

As the token is a permanent data element, it can ensure the continuity of transactions when a cardholder’s card changes, for example, due to expiry. For recurring or one-click payments, merchants no longer need to ask their buyers to enter their new card information in their online customer account. This reduces involuntary subscription cancellations and smooths the payment experience for users.


Beyond the regulations set by the schemes, the advent of tokenisation in the payment market is explained by the advantages it offers merchants: 

  • Reducing the risk of data breaches
  • Optimising payment acceptance
  • A smoother customer experience 

Unlike Visa and Mastercard, CB does not yet require the use of a token but offers a service that satisfies the same requirements: Updat’R by CB. It enables CB card data to be updated automatically and securely, thereby preventing payment failures and increasing conversion. 

As a payment service provider and acquirer, Payplug accepts tokenised payments linked to the Updat’R by CB programme. We help merchants improve their performance while ensuring the security of their customer data.

Would you like to find out more? 

1 Visa 

Share this article
TwitterFacebookLinkedInCopy Link

Write a comment

Your email address will not be published. Required fields are marked *

Other posts that might
interest you