Credit Card Tokenization: What It Is, How It Works

Tokenization replaces your sensitive card data with a jumble of letters and numbers that are useless to a hacker.

Lindsay Konsko, June 19, 2020


It's the credit card holder's nightmare: Hackers break into a merchant's computer system and steal credit card information, which they use to charge thousands of dollars' worth of stuff to your account. But imagine if instead of your name, card number, expiration date and other information, the hackers just got a meaningless jumble of numbers and letters.

That's credit card tokenization in action, and it's a key way payment systems can keep your card data safe.

1. What is tokenization?

In general, to “tokenize” something means to replace it with something else that represents the original but that is useless outside a certain context.

Think about going to a carnival and buying tokens to play games. Each token represents a certain amount of money, and as long as you're at the carnival, you can use the tokens like money for skee-ball, for video games, or perhaps to buy a funnel cake.

But you can’t use them once you leave the fair. The tokens have no value outside it.

2. How does tokenization work with credit cards?

Say you're buying something from a merchant that uses tokenization. If there's a tokenization system in place, it intercepts your card data and replaces it with a random string of numbers and letters. Instead of Jane Smith, account number 4567 8910 1112 1314, expiration date 10/2025, there's a token like HX46YT794RG. 

Merchant systems are often the weakest link in the chain of computer networks involved in a credit card purchase. The huge data breaches you hear about typically occur at merchants that store credit card data, not the banks or payment networks that handle the card transactions. With tokenization, the only data stored on the merchant's network is the token. The sensitive card data itself is stored on a server with much higher security. The token is basically a link to that data.

A hacker who steals a token from a merchant's system will find that it is worthless. It was valid only for a purchase at that merchant. Outside that context, like game tokens outside the arcade, it's unusable.
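The flow described in this section, sketched as an added example that is not from the original article or from any real payment processor. The `TokenVault` class, its `charge` method and the merchant IDs are hypothetical; the card details and the 11-character token length follow the article's sample.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


class TokenVault:
    """Hypothetical stand-in for the high-security server holding real card data."""

    def __init__(self):
        # token -> (merchant_id, card record); this mapping never leaves the vault
        self._records = {}

    def tokenize(self, merchant_id, card):
        # The token is random, so it carries no information about the card.
        while True:
            token = "".join(secrets.choice(ALPHABET) for _ in range(11))
            if token not in self._records:
                break
        self._records[token] = (merchant_id, dict(card))
        return token

    def charge(self, merchant_id, token, amount_cents):
        """Resolve a token to a card only for the merchant it was issued to."""
        entry = self._records.get(token)
        if entry is None or entry[0] != merchant_id:
            return "declined: token not valid in this context"
        card = entry[1]
        return f"approved: {amount_cents} cents on card ending {card['number'][-4:]}"


def demo():
    vault = TokenVault()
    # Sample card from the article (not a real account)
    card = {"name": "Jane Smith", "number": "4567891011121314", "expiry": "10/2025"}
    token = vault.tokenize("merchant-A", card)
    merchant_db = {"order-1001": token}  # all the merchant ever stores
    stolen = merchant_db["order-1001"]   # what a breach of the merchant yields
    return {
        "token": token,
        "merchant_a": vault.charge("merchant-A", stolen, 2500),
        "merchant_b": vault.charge("merchant-B", stolen, 2500),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The merchant's database holds only the token, and the vault refuses it when it is presented under any other merchant ID.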

3. Is this the same as EMV technology?

The EMV chips embedded in modern credit cards operate on the same general principle. The chips generate a unique, one-time-use code for each purchase. But EMV chips work only with in-person transactions. When you give your number to an online merchant, the chip doesn't do anything. When an online merchant is using tokenization, though, your card data has protection similar to that offered by an EMV chip.

For an example of a system that uses tokenization, look at your phone. Apple Pay, Google Pay and other digital wallets operate on a tokenization system. Your credit cards aren't really "stored" in the digital wallet. What are? Tokens that link to your card information. These tokens don't work exactly like merchant tokenization, but the concept is the same.

4. Who benefits from credit card tokenization?

Everyone, really, except maybe for hackers.

Let’s start with consumers. Maybe data breaches are inevitable, but if one occurred at a merchant where you had used your card, tokenization would make it much less of a hassle. Because your card data was never stored by that merchant, only the token, you wouldn't need to get a new card with a new number. You wouldn't have to provide that new number everywhere you're using the card for automated payments — utilities, Netflix, Amazon, Uber, etc.

For merchants, credit card issuers and payment networks, tokenization reduces fraud, which reduces the cost of doing business.
