Definition
Card tokenisation replaces the PAN (the 16-digit card number) with a token: an equivalent but different string whose use is restricted to a wallet, a device, a merchant or a channel.
The token is worthless if stolen outside its context. It is one of the major security building blocks of modern card payments, driven by the networks (Visa Token Service, Mastercard MDES) and adopted everywhere: Apple Pay, Google Pay, Click to Pay, PSP vaults.
The 3 types of token
| | DPAN (Device PAN) | Merchant token | PSP vault token |
|---|---|---|---|
| Issued by | Network | Network | Acquiring PSP |
| Bound to | A device | A merchant | A merchant's PSP account |
| Use | Apple Pay / Google Pay | Click to Pay, subscriptions | All payments through that PSP |
| Standard | EMVCo | EMVCo | Proprietary |
Network tokens (DPAN + merchant tokens) are EMVCo-standardised; PSP vault tokens are proprietary.
Why tokenise
- Security: in a merchant data breach, the stolen tokens are useless elsewhere; the real PAN is never stored.
- Authorization rate: +2 to +5 points with network tokens, because the network vouches for the token's legitimacy in the issuer's scoring.
- Card lifecycle: if the card is reissued, the token stays valid (the network re-maps internally) — no more subscription churn on expired cards.
- Lighter PCI-DSS: no longer storing PANs reduces the audit scope.
How it works
- The cardholder enters their PAN (or adds the card to a wallet).
- The merchant or wallet requests a token from the network (VTS for Visa, MDES for Mastercard).
- The network generates a unique token, bound to a specific context.
- The merchant only stores the token.
- At payment time, it sends the token to the network.
- The network de-tokenises on the issuer side — the PAN is never exposed outside the issuer and the network.
- The issuer authorises based on the token and the context.
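The flow above, and the security and card-lifecycle benefits listed under "Why tokenise", as a constructed toy example added here (it is not the page's code nor any network's implementation): an in-memory token service that binds each token to a context, refuses to de-tokenise it anywhere else, and re-maps tokens when the card is reissued. TOKEN_BIN, the context strings and the PANs are made-up sample values.

```python
import secrets
from typing import Dict, Optional, Tuple

TOKEN_BIN = "490000"  # assumption: made-up prefix standing in for a dedicated token BIN range
def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit Luhn-valid, as PANs and network tokens are."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

class TokenService:
    """Toy network-side vault: the PAN lives only here, never at the merchant."""
    def __init__(self) -> None:
        self._vault: Dict[str, Tuple[str, str]] = {}  # token -> (PAN, bound context)

    def tokenise(self, pan: str, context: str) -> str:
        # Random, not derived from the PAN: a token is an alias, not encryption.
        body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
        token = body + luhn_check_digit(body)
        self._vault[token] = (pan, context)
        return token

    def detokenise(self, token: str, context: str) -> Optional[str]:
        entry = self._vault.get(token)
        if entry is None or entry[1] != context:
            return None  # unknown token, or one presented outside the context it is bound to
        return entry[0]

    def reissue_card(self, old_pan: str, new_pan: str) -> int:
        # Card lifecycle: re-map the old PAN's tokens; the merchant's token stays valid
        hits = [t for t, (pan, _) in self._vault.items() if pan == old_pan]
        for t in hits:
            self._vault[t] = (new_pan, self._vault[t][1])
        return len(hits)

def run_flow() -> Dict[str, bool]:
    """Walk the steps above for a constructed merchant; returns facts a test can check."""
    svc, shop, other = TokenService(), "merchant:shop.example", "merchant:other.example"
    pan, new_pan = "4111111111111111", "4012888888881881"  # constructed sample PANs
    token = svc.tokenise(pan, shop)
    facts = {
        "token_is_not_pan": token != pan and len(token) == 16,
        "token_luhn_valid": luhn_check_digit(token[:-1]) == token[-1],
        "works_in_context": svc.detokenise(token, shop) == pan,
        "useless_elsewhere": svc.detokenise(token, other) is None,
    }
    svc.reissue_card(pan, new_pan)  # issuer reissues the card; the network re-maps
    facts["survives_reissue"] = svc.detokenise(token, shop) == new_pan
    return facts
```

Every value in `run_flow()` comes back True: the merchant holds a Luhn-valid 16-digit token that works only in its own context and keeps working after the card is reissued.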
Apple Pay / Google Pay
The DPAN is the most widespread token: at enrolment, your card is provisioned as a DPAN specific to your iPhone; each transaction sends the DPAN together with a dynamic cryptogram; switching to a new iPhone generates a new DPAN. The issuer knows the transaction comes from Apple Pay and treats SCA as already completed, hence a higher authorization rate and a lower fraud rate.
Click to Pay
A joint initiative by Visa + Mastercard + Amex + Discover to standardise e-commerce checkout via merchant tokens: the cardholder enrols once, is recognised by email/phone on any Click to Pay site, picks their card and confirms — the merchant receives a token, not the PAN. Adoption has been gradual in Europe since 2023, but the UX is still uneven due to the lack of swift coordination between networks.
What tokenisation is not
- Not encryption: a token is not an encrypted (decryptable) PAN, but an independent identifier mapped on the network side.
- Not a virtual card: a virtual card has its own PAN; a token is an alias of the main PAN.
- Not the end of PCI-DSS: a merchant that handles a PAN at the point of entry remains partly in scope.
- Not universal: not all merchants yet support network tokenisation; PSP vaults (Stripe, Adyen) generalise it in the backend.
Within the PSD2 ecosystem
Network tokenisation integrates natively into 3DS2: the merchant sends the token, and the ACS often applies more generous frictionless scoring given the increased security. It is one of the drivers of the continued decline in card fraud in the EEA.
Real-world examples
- Apple Pay / Google Pay: a DPAN on 100% of transactions, recognised by every issuer.
- Click to Pay: gradual roll-out since 2022, strong adoption at some large merchants, still moderate in France.
- Stripe vault: the `pm_xxx` token stores customers' cards and runs subscriptions; Stripe handles network tokenisation behind the scenes.
- Spotify subscription: when a card is reissued, the network token is updated automatically, with no payment interruption.
- Authorization rate: +2 to +5 points with network tokens, i.e. +1 to +3% of revenue on subscriptions.
- PCI-DSS: storing only tokens makes it possible to target SAQ-A (the lightest), versus SAQ-D for those who store PANs.
- Limitation: network token coverage is uneven across networks; CB is gradually rolling out its EMVCo support.