Blog

Payment Tokenization Guide: Security, Types, and Compliance

Complete guide to payment tokenization for retailers. Token formats, types, security features, PCI DSS compliance, tokenization vs encryption.

Written By
FT Scholar Desk



What Is Payment Tokenization?

Payment tokenization is a simple concept with powerful security implications. It replaces sensitive cardholder data like credit card numbers with a unique, irreversible token. Even if a hacker steals the token, it is useless without access to the secure vault where the original data is stored.

Why it matters: Instead of merchants storing actual card data (4532-1234-5678-9010), they store only a token (T@%3N5K7L9). If a breach occurs, attackers get tokens, not card numbers.

This single change transforms payment security from "how do we protect dangerous data" to "how do we eliminate the dangerous data entirely."


Three Token Formats: How Tokens Look

Tokens come in three formats depending on business requirements:

Non-Format Preserving Tokens

The token looks completely different from the original data. A social security number (123-45-6789) becomes (T@%3N5). This format offers maximum obfuscation but loses reference to the original format.

Best for: High-security environments where format recognition is not needed.

Format Preserving Tokens

The token maintains the format of original data but scrambles the numbers. A credit card number (4532123456789010) becomes (4976284591837402). The result still looks like a card number.

Best for: Systems requiring validation against original data structure without revealing actual numbers.

Selective Masking (Hybrid Approach)

The token retains some original numbers for verification while masking others. A credit card shows only the last four digits (****-****-****-9010).

Best for: Customer-facing displays where verification is needed without full card exposure. Common for receipts, invoices, and customer dashboards.

Single-Use vs Multi-Use Tokens: Duration Matters

Tokens have different lifespans depending on transaction type:

Single-Use Tokens

Expire after one transaction. Generated fresh each time.

Example: Customer makes a one-off purchase at checkout. Token is used once and becomes invalid.

Security benefit: Even if intercepted during transmission, token cannot be replayed for another transaction.

Best for: One-time purchases, guest checkouts, high-fraud-risk scenarios.

Multi-Use Tokens

Valid for extended periods. Reused across multiple transactions.

Example: Customer saves a credit card for repeated purchases. Same token processes transactions across weeks or months.

Security benefit: Customer convenience through one-click checkout, card-on-file transactions, subscriptions.

Best for: Subscription services, recurring billing, loyalty programs, stored payment methods.
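The three token formats above and the single-use versus multi-use distinction, as an added Python sketch that is not code from the original post or from Fyscal Technologies. The toy vault, the Luhn check (used here only to keep format-preserving tokens from passing as real card numbers) and the reuse of the page's own example PAN as a constructed sample are assumptions of this illustration.

```python
import secrets
import string
from typing import Optional

# Constructed sample PAN: the page's own example number, not a real card.
SAMPLE_PAN = "4532123456789010"

def luhn_valid(digits: str) -> bool:
    """Luhn checksum. Used here only to reject tokens that would pass as real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Selective masking for receipts and dashboards: only the last four digits survive."""
    return "****-****-****-" + pan[-4:]

class TokenVault:
    """Toy vault: a random token maps to the PAN; nothing in the token derives from the PAN."""
    def __init__(self) -> None:
        self._entries = {}  # token -> (pan, single_use)

    def tokenize(self, pan: str, format_preserving: bool, single_use: bool = False) -> str:
        while True:
            if format_preserving:
                # Same length, digits only, but deliberately Luhn-invalid so the token can
                # never be mistaken for (or routed as) a real card number: a design choice here.
                token = "".join(secrets.choice(string.digits) for _ in range(len(pan)))
                if luhn_valid(token):
                    continue
            else:
                token = "".join(secrets.choice(string.ascii_letters + string.digits + "@%#") for _ in range(10))
            if token not in self._entries:  # never hand out the same token twice
                break
        self._entries[token] = (pan, single_use)
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Authorised lookup. A single-use token is consumed on first use, so a replay gets None."""
        entry = self._entries.get(token)
        if entry is None:
            return None
        pan, single_use = entry
        if single_use:
            del self._entries[token]
        return pan
```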

Five Types of Payment Tokens: Who Creates What

The payment ecosystem has five distinct token sources, each serving different purposes:

1. Acquirer Tokens

Generated by acquiring banks when processing transactions for merchants. Returned to merchants in transaction responses.

Ownership: Exclusive to the acquirer; only that bank can generate and use them.

Use case: Merchant stores acquirer token for recurring charges.

Limitation: Cannot be used across multiple acquirers.

2. Issuer Tokens

Created by card issuers (banks issuing cards) for digital wallets and mobile payments like Apple Pay, Google Pay, or PhonePe.

Ownership: Card issuer controls the token.

Use case: Frictionless mobile payments through digital wallets.

Limitation: Less useful within a merchant's own systems, since the token belongs to the cardholder's wallet.

3. Network Tokens (Scheme Tokens)

Produced by card networks themselves: Visa, Mastercard, American Express, Discover. Not bound to specific issuers.

Ownership: Card network controls the token.

Use case: Enables seamless transactions across multiple merchants and payment service providers.

Advantage: Can be used with any acquirer supporting that network.

4. Payment Processor Tokens

Generated by payment service providers on behalf of merchants and issuers. Usable across multiple locations and payment gateways.

Ownership: Payment processor controls creation and management.

Use case: Multi-channel payment processing (online, mobile, in-store).

Advantage: Seamless integration across multiple sales channels.

5. Merchant Tokens

Tailored for individual merchants. Can be integrated into a merchant's specific customer journey and linked to multiple other token types.

Ownership: Merchant retains control.

Use case: Building custom payment experiences for specific customer segments.

Advantage: Full customisation aligned with merchant's business logic.

How Tokenization Actually Works: Step-by-Step

Understanding the process clarifies why tokenization is secure:

  • Step 1: Customer Provides Card Data: Customer swipes card at POS, enters card online at checkout, or taps wallet at contactless reader.
  • Step 2: Tokenization Service Intercepts: Payment data is sent to a token service provider, which generates a random token and stores the original card number in a secure vault.
  • Step 3: Token Returned to Merchant: The token service provider returns only the token to the merchant's system. Original card data stays in the vault, never reaching the merchant.
  • Step 4: Token Sent for Authorization: The token is sent to the payment processor, which routes it to the card network (Visa, Mastercard, etc.) for authorization.
  • Step 5: De-tokenization at Issuer: The card network routes the token to the cardholder's bank, which matches it to the actual card number in its vault. The bank approves or declines the transaction.
  • Step 6: Token Never Exposed: At no point does the actual card number leave the secure vault or reach the merchant's systems.

Tokenization Security: Why Tokens Are Safe

Tokens are secure because they are infeasible to reverse-engineer. There is no mathematical relationship between a token and its original data. Even if a hacker intercepts a token (T@%3N5K7L9), they cannot use it to:

  • Process payments (token works only in authorised systems)
  • Discover the actual card number (no reverse algorithm exists)
  • Reuse it elsewhere (token is specific to its vault)

Industry standards like point-to-point encryption (P2PE) and PCI DSS guidelines add additional security layers around token handling and transmission.

Maximum security: Tokenization combined with encryption creates layered defence. Even if the token vault is compromised, encrypted tokens remain unreadable without decryption keys.

Tokenization vs Encryption: A Critical Distinction

Both protect data, but in fundamentally different ways: encryption transforms the card number with a key, so anyone who obtains that key can reverse it, whereas a token has no mathematical relationship to the card number and can only be resolved by an authorised lookup in the vault.

The Hybrid Approach

Combining tokenization with encryption provides maximum protection. Even if a hacker breaches the token vault, encrypted tokens remain unreadable without also obtaining decryption keys.

Tokenization and PCI DSS Compliance: The Real Advantage

Tokenization is a PCI-compliant way to secure cardholder data and is recognised by PCI DSS Requirement 3 as a critical protection method.

How it reduces compliance burden:

By replacing sensitive cardholder data with tokens, businesses significantly reduce the number of systems and components requiring PCI DSS compliance. Only the token vault remains in scope. The merchant's databases, websites, and payment systems are out of scope.

Financial impact:

  • Reduced audit costs (fewer systems to assess)
  • Lower compliance staff requirements
  • Simplified reporting and documentation
  • Reduced non-compliance penalties

For businesses offering card-on-file, recurring billing, or omnichannel payments, tokenization is especially valuable for reducing PCI scope and simplifying audits.

Implementation Challenges: What Can Go Wrong

Cross-Domain Tokenization Risk

If a single token vault serves multiple merchants, the same token can theoretically be used across merchants, potentially recreating the original security problem.

Solution: Separate token vaults per merchant or acquirer prevent cross-domain token reuse.

Data Commingling

Organisations storing both actual card data and tokens in the same database create confusion: it becomes difficult to determine what is a token and what is a card number.

Solution: Strict segregation, with tokens in the merchant's system and actual card data held only in the token provider's vault.

Multiple Tokenization Solutions

Different payment processors issuing different token formats creates complexity. Merchants managing both acquirer tokens and network tokens need robust token orchestration.

Solution: Use token service orchestrators that automatically map and retrieve tokens regardless of source.

The Future: Real-Time Token Updates and Network Tokens

Network tokens are evolving with dynamic real-time updates. When a customer's physical card is replaced or renewed, network tokens automatically update without customer intervention.

This enables:

  • Reduced payment declines for recurring transactions
  • Seamless subscriptions without manual card updates
  • Improved customer retention through frictionless experiences

Well-orchestrated systems can leverage multiple token types simultaneously—if a PSP-issued token fails, the system automatically retries using a network token.

Key Takeaway: Tokenization Is Not Optional

Tokenization transforms payment security from a compliance burden into a competitive advantage.

  • For merchants: Simplified PCI compliance, reduced breach risk, lower operational costs.
  • For fintechs: Scalable payment infrastructure enabling rapid merchant onboarding without security complexity.
  • For customers: Seamless checkout experiences with frictionless saved payment methods.

Tokenization is no longer an optional security measure. It is foundational payment infrastructure for any merchant processing cards at scale.

Ready to implement tokenization in your payment stack?

Book a Strategy Call with Fyscal Technologies →

Last Updated
January 4, 2026
CATEGORY
INSIGHTS
