Why is Tokenization Used in Online Payments?

by PCI Booking – October 17th, 2019

Credit card fraud and theft is a massive problem in every corner of the world. The Nilson Report, shows that the current rate of losses due to payment card fraud is around $24.3 billion; by 2022 they expect that figure to top $34 billion.

Merchants, and in fact, the extended card ecosystem, must also deal with costs associated with chargebacks. All of this is occurring within a climate of increasingly stringent regulations and major cybercrime events.
To help alleviate the impact of fraud and mitigate risk, we can turn to technological techniques, one of which is payment card tokenization.

What is Payment Card Tokenization?

Storing credit card numbers has a large overhead in terms of security and compliance. A way to reduce this overhead, whilst also ensuring a smooth user experience, is by applying a technique known as “tokenization”.
Tokenization of payment cards works like this:

  1. The customer goes through a normal purchase (i.e. a regular e-commerce transaction flow).
  2. They enter their payment card details and click ‘submit’.
  3. At this point the card number is ‘tokenized’; a ‘token’ is a randomly generated, unique, string.
  4. The token is then routed to the merchant for referencing the card details, It can also be sent, at the same time, to another third party to perform additional actions (such as relaying it to a payment processor for charging the card.
  5. This token is associated with the payment card and only with it. The token can be used once or multiple times.

Tokenization vs. Encryption

Data encryption is often presented as an alternative to tokenization. The basic difference between encryption and tokenization is that the former is reversible under the right conditions, whereas tokenization is irreversible.

Encryption:  Encrypted database entries (such as credit card details) are generated using ‘encryption keys’ and a specialized algorithm. Having the correct key allows the encrypted data to be decrypted (reversed) when needed. If a cybercriminal gets hold of that key, they can decrypt the data. 

Tokenization: One of the major security benefits of tokenization is that tokens are irreversible. That is, if a cybercriminal was able to steal a token, they could not then work out the original card details the token represents.

Tokenization ultimately pushes the pain needed to robustly secure data to an entity who has the resources to do so. 

PCI Booking actually utilizes both tokenization and data encryption when storing card details – for an even higher level of protection.

What are the Benefits of PCI Booking’s Tokenization service?

A third party, such as PCI-Booking, offers specialist software which is used in the tokenization process. PCI Booking’s agnostic tokenization service provides merchants with a multi-type input of credit card data alongside with multi-party connectivity to ensure security, compliance and protection throughout the “life-cycle” of the card with the merchant, including: 

  • Support many tokenization channels: merchants entering data directly, customers entering data online, merchant pull requests from third parties, third party push requests to merchants, data entry hile on the phone / chat with customer and more.
  • Built-in integration with third parties: This reduces the need for a merchant to set up their own connections. The system automatically connects to, for example, third party booking websites, on behalf of the merchant.   
  • Support multiple third-parties to retrieve card details: When a transaction is made, you may need to switch back and forth between different third parties to retrieve card details. A universal tokenizer can automatically handle this on behalf of the merchant.

What are the Benefits of Tokenization?

The key reasons for a merchant to use a tokenization system are that the tokenization process:

  • Adds a layer of protection
  • Reduces the overhead of PCI-DSS compliance in terms of storage requirements
  • And therefore, reduces the cost and effort to become PCI-DSS compliant
  • Reduce risk from hackers and internal fraud

How PCI Booking’s Tokenization Works

The PCI Booking Tokenization solution is an “on-the-fly” tokenization service. The PCI Booking system intercepts credit card information and tokenizes the PAN and CVV (if present) before it reaches the merchant system. 

The merchant receives the token to process the transaction – meaning they never have to store any credit card data; instead of storing credit card numbers you store tokens. Each token is associated with an individual card, so you can link these tokens when processing a transaction internally. However, the tokens, if stolen, cannot be reversed to reveal any financial card data or provide any secure or confidential information to unlawful entities. 

Future transactions are also handled using the Tokenization solution. For example, if a customer wishes to charge the card, the token is sent to the payment gateway through our system where we replace the token (de-tokenized) with the real information. A similar process can be achieved when relaying the cards to a third party’s API.

PCI-DSS and Tokenization

The regulatory standard, Payment Card Industry Data Security Standard (PCI-DSS), sets stringent security requirements for any entity that handles financial data. The use of tokenization (and the underline stored data encryption that PCI Booking employs) is a way for merchants to seamlessly manage onerous security requirements. PCI-DSS documentation suggests that the removal of financial card data from your system is considered a best practice. In using a tokenization service, you effectively reduce the scope in handling PCI-DSS requirements. However, a merchant will still need to assess the transmission and processing aspects of PCI-DSS.

PCI Booking stores any credit cards that are involved in the tokenization process according to the highest security standards of PCI-DSS (PCI DSS Level 1); this includes, among other things, obfuscating and encrypting the sensitive card data.


Tokenization provides merchants with a system that offers a highly secure way of dealing with sensitive financial data. Using a tokenization service gives you a head start in becoming PCI-DSS compliant and is viewed as a best practice. However, implementing tokenization, as a merchant providing an online experience to your customers,  needs to be seamless so you can focus on your core business. PCI Booking’s Tokenization system does all of the hard work for you, connecting you to third-parties and securing your customer’s data so you don’t have to.