Understanding credit card tokenization
4 min read

Tokenization is a process where some party, takes user’s credit card details and converts it into another credit card number. The advantage of this approach is that the party handling user’s credit cards may not bother storing the original credit card number. It can instead store this new number.
Depending on how this new number is generated, it might be scoped to the specific party which means, the party that tokenized it alone can use it to charge money and it wont work for anyone else.
The parties involving token are typically merchants such as Amazon.com or Wallets such as Google Wallet or Paypal. Stripe or similar payment processors too could act as parties here.
Advantages of tokenization are :
Better security : If the token leaks, it does not do any harm as no one else can charge money to the token accept the company that generated it.
Lower fraud : Since tokens are hard to generate without user’s consent or high quality data, it is much safer to use tokens.
Lower liability : Since cloud token exposure does not create harm, it means there is lower risk for merchants in storing this in their database.
Better operational costs: Normally when credit card is compromised, a new card is sent to the user. This also means any merchant that has stored the card would lose the card too. But with tokens, they continue to work even if underlying card was changed.
Types of credit card tokens
Cloud tokens or CPANs.
Cloud tokens are created by a merchant in the background without user’s consent as user consent is not required. Cloud tokens look exactly like user’s credit card numbers with 16 digit card number, expiry and CVV. However, they work only with the merchant that obtained them. For example amazon.com might convert your card into a cloud token. But then it would only work on Amazon.com and no where else. This means no one can steal it and do transactions beyond Amazon.com.
Cloud tokens can be created from any credit card. It does not require user permission. It happens behind the scene for the user.
Cloud token can be stored and reused for recurring payments. Even if the card expires, the cloud token associated may not expire. Even if card number changes, the cloud token can remain active. This helps billers like Netflix to continue charging your card even if you get a new physical card by mail. This is safe and also convenient.
Device Tokens
Device tokens are special. They are linked to a device and can not be used without the device. When user adds are card to their phone or smartwatch, behind the scenes the phone and card issuer (such as your bank) shared a secret key. Whenever you tap your phone to make a payment, the secret key is used to generate what is called a “cryptogram”. Which is basically transaction information encrypted.
The issuer then uses this cryptogram to verify that the card information is indeed coming from someone who has the secret key. How this secret key get stored on your phone depends on the operating system such as Android or iOS.
Device tokens are extremely secure as people rarely give away their phones to others. Also, every time the phone is used to make payment the user is supposed to unlock the phone using pin or biometric. This is also adding an extra later of security.
Virtual Cards
Virtual cards is another form of popular tokens. Virtual card is a unique card number generated in place of your physical card. This time however the virtual card number is visible to the user and the user has to manually enter it wherever they were supposed to enter the real card number.
The advantage of such a number is that you dont expose your real virtual card. Also you can revoke the card anytime thus cancelling any recurring payments you might have scheduled.
Virtual cards are less popular than other two but still being used. Google chrome has this feature today.
Card Tokenization
Tokenization is super critical fintech innovation that has made the payments secure and better. It protects users, billers and issuers. It makes life hard for fraudsters and credit card thieves. In 2023, worldwide payment card fraud losses reached $33.83 billion. This was a slight increase from $33.45 billion in 2022. The U.S. accounts for a disproportionate share of global credit card fraud. In 2023, while the U.S. represented about 25% of worldwide card spending, it accounted for over 42% of global fraud losses.
Tokenization is aimed at solving this problem and has indeed helped in keeping these numbers low.