Tokenization

How Payment Tokenization Works: Complete Guide

January 20, 2025 6 min read PCI Proxy EU

PAN tokenization is the process by which a real card number is replaced with a random identifier that has no value outside the system that generated it. It is the technology that enables merchants, PSPs and platforms to manage payments without ever storing or transmitting sensitive data in their own systems. Understanding how it works, at every stage, is essential for anyone who needs to make architectural or compliance decisions.

How payment tokenization works: from PAN to token

From PAN to token: how the process works step by step

The PAN tokenization flow always starts with the secure collection of card data. The customer enters the card number on a hosted page or via a PCI DSS-certified client-side SDK, so the data never passes through the merchant's servers. The tokenization provider's vault receives the PAN in plain text, stores it securely, and generates a random token that is returned to the merchant's system.

From that point, the merchant operates exclusively with the token. To process a payment, it sends the token to the vault along with the amount and charging instructions: the vault retrieves the real PAN, transmits it to the card network, and returns only the authorisation response. The entire cycle occurs in milliseconds, transparently for the end user.

Tokenization vs encryption: differences that matter

The distinction between tokenization and encryption is not terminological: it is an architectural difference with direct implications for security and compliance. Encryption transforms the PAN into encrypted data that maintains a mathematical relationship with the original: anyone with the decryption key can recover the PAN. The risk shifts to key management, which remains the merchant's responsibility.

Tokenization generates a random value with no relationship to the original PAN. No algorithm exists that allows the original data to be recovered from the token: the only way to "detokenise" is to access the vault with the correct credentials. This means that a breach of the merchant's database exposes only unusable tokens, not real card numbers. From a PCI DSS perspective, databases that contain only tokens do not fall within the cardholder data environment (CDE).

The token lifecycle: vault, retrieval and revocation

A token has a defined lifecycle comprising creation, use and revocation. At creation, the vault associates the token with the PAN and stores it with metadata such as merchant ID, creation date, and any usage limits. During the active lifecycle, the token can be used for charges, refunds and reversals without the merchant ever seeing the PAN.

Revocation occurs when the customer requests deletion of their data, when the card expires or is replaced, or when the merchant decides to close the relationship. A well-designed vault also manages automatic token replacement when a card expires, updating the PAN in the vault without requiring the customer to re-enter their data. PCI Proxy EU supports this process through the account updater programmes of the leading card networks.
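As an added illustration (not code from PCI Proxy EU or any real vault), the following toy Python vault ties together the PAN-to-token flow described earlier and the lifecycle just described: a Luhn format check on the hosted page, a random token with no relationship to the PAN, detokenization only with the vault's API credential, a charge that returns only the authorisation response, and revocation. The class, method and key names and the sample PAN are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass

SAMPLE_PAN = "4111111111111111"  # constructed sample: a well-known test PAN, not a real card

def luhn_ok(pan: str) -> bool:
    """Format check the hosted page runs before the PAN is sent to the vault."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class VaultRecord:
    pan: str
    revoked: bool = False

class TokenVault:  # hypothetical vault: the only component that ever holds the PAN
    def __init__(self, api_key: str):
        self._api_key = api_key
        self._records: dict[str, VaultRecord] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)  # random: not derived from the PAN
        self._records[token] = VaultRecord(pan)
        return token

    def _lookup(self, api_key: str, token: str) -> VaultRecord:
        if not hmac.compare_digest(api_key, self._api_key):
            raise PermissionError("bad API credentials")
        rec = self._records.get(token)
        if rec is None or rec.revoked:
            raise LookupError("unknown or revoked token")
        return rec

    def charge(self, api_key: str, token: str, amount_cents: int) -> dict:
        rec = self._lookup(api_key, token)
        # Here the vault would forward rec.pan to the card network (simulated);
        # the merchant only ever receives the authorisation response.
        return {"approved": True, "amount_cents": amount_cents, "last4": rec.pan[-4:]}

    def revoke(self, api_key: str, token: str) -> None:
        self._lookup(api_key, token).revoked = True
```

A merchant database seeded from this vault holds only `tok_...` strings, which is the property that keeps it outside the CDE.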

Frequently asked questions

Can a token be reversed to recover the PAN?

Not by just anyone. Only the vault that generated the token can perform detokenisation, and only with authorised API credentials. Technically, the token is a random value with no mathematical relationship to the PAN: no reverse algorithm exists. This is the fundamental advantage of tokenization over symmetric encryption.

Does tokenization require changes to my checkout?

It depends on your current architecture. If your checkout collects card data directly, you need to replace the form with a hosted page or client-side SDK provided by PCI Proxy EU. The backend must be modified to receive and manage tokens instead of PANs. If you already use a hosted payment page from a PSP, integration with PCI Proxy EU can happen at the API level without frontend changes.

What differentiates network tokenization from payment tokenization?

Payment tokenization (or merchant tokenization) generates tokens managed by the provider's vault, used in the merchant's internal flows. Network tokenization generates tokens issued directly by card networks (Visa, Mastercard) associated with a specific device. Both reduce risk, but operate at different levels: payment tokenization protects data within the merchant's perimeter, network tokenization protects transmission towards the network.


PCI Proxy EU Team

RoxPay, PCI DSS tokenization in Europe

Content reviewed by payment and PCI DSS compliance experts.
