What is tokenization, and will it protect us against card fraud?


At Bankrate we strive to help you make smarter financial decisions. While we adhere to strict , this post may contain references to products from our partners. Here’s an explanation for

The content on this page is accurate as of the posting date; however, some of the offers mentioned may have expired.

What worries you more — having your car stolen or your credit card information swiped?

While less than half of Americans are concerned their vehicle will be whisked away, nearly 7 in 10 worry the credit card information they used in stores could be stolen, an October 2014 Gallup poll found.

Given data breaches in places such as Neiman Marcus and Home Depot, it’s no wonder consumers are nervous about what might happen after they swipe their card at checkout or purchase an item online. But the headlines generated by these big retailers tell only part of the story. In 2014, there were 164 retail data breaches in total, according to Verizon’s 2015 Data Breach Investigations Report.

Worried you’re a data breach victim? Check your credit report for free at myBankrate.

Yet, the frequency and severity of these breaches have led the payments industry to improve card security, from the introduction of Europay, MasterCard and Visa, or EMV, chip-embedded credit and debit cards to tokenization.


Tokenization is a process in which sensitive credit card numbers are replaced with a randomly generated string of alphanumeric characters, or tokens, to protect against fraud during a transaction. Apple Pay uses a form of tokenization.

“The goal of tokenization is to make it so there’s no data to breach,” notes Rush Taggart, chief technology officer at CardConnect, a payments technology firm that holds two patents on tokenization.

While tokenization is used in some systems today, broad adoption is years away. In October 2014, The Clearing House, a trade group owned by the world’s largest commercial banks, announced multiyear plans to “build a real-time payment system” that utilizes tokens.

Here, experts weigh in with how this setup works and what changes to expect in the future.

How it works

“Token transactions replace the card number with a token — another number that is in no way related,” explains David Hall, senior vice president of vendor alliance partnerships at PSCU, a credit union service organization.

To better understand the process, consider the meaning of the word “token.” The word often refers to an item that represents something else. Say you go to an event, such as a county fair, and purchase tokens with your money. Those tokens can be used for activities, rides and games. If you take them outside of the fair, you won’t be able to use them as money or pay for other activities.

This concept is similar to the way token-based systems are set up in the financial world. Perhaps you purchase an item online. Rather than sending your debit or credit card information to the merchant, the system turns your data into a random number. This number, or token, then passes through the transaction process in the same way your card information would, notes Hall.

Within the system, it can be used to make a purchase. Outside of the system, it is just a string of numbers and has no value.

Why it’s considered safe

“Hackers are getting more and more sophisticated,” says Taggart. It’s reasonable to expect that criminals always will be looking for ways to access sensitive information, such as credit and debit card data.

And that’s the beauty of systems that use tokens. These setups “translate the data so it’s completely useless to anyone other than the merchants,” explains Taggart.

Looking back, this technology also offers valuable insight into recent data breaches at large retailers. In those cases, hackers wanted to access the vast amounts of card information stored on file.

Had Apple Pay or another token-based payment setup been used by the majority of shoppers, it’s possible that sensitive data may not have been stored in the same way. With tokenization, for instance, there’s no card number kept on file with merchants. “Even if they’re breached, the only things that are breached are random numbers that don’t mean anything to anyone,” says Taggart.

How it compares to EMV

EMV-enabled cards and tokenization are designed to make payment information more secure, says Randy Hopper, vice president of credit cards and business optimization at Navy Federal Credit Union. “They just do it in different ways and forms.”

EMV cards offer a higher level of security than traditional cards that carry a magnetic stripe. That’s because the magnetic stripe on a debit card or credit card contains information that doesn’t change. So if a criminal copies the stripe, the information can be used repeatedly.

EMV cards have an embedded microchip, and the chip encrypts information during a transaction. This protects against the counterfeiting of cards.

When sending the information via an EMV card, a code is generated. While this code can be used for the transaction, it cannot be used again. That means if a thief obtains the chip information used during one particular purchase, that information cannot be used again.

“EMV is primarily for point-of-sale payments,” Hopper says. It offers protection when you swipe your card at the register.

Tokenization, on the other hand, is more focused on card-not-present transactions, says Hopper. In other words, it boosts security for online and digital transactions. “When a consumer is shopping online, the card information is no longer being passed through the payment system,” he says.

How it will affect everyday purchases

While the technology used to process transactions may undergo changes, the result will not be very visible to those shopping with credit cards and debit cards, Hopper says. By and large, consumers will “continue to use cards in the same way they do today.”

There may be minor glimpses into tokenization if you look closely, Hopper adds. For instance, in Apple Pay, if you browse in the settings for cards, you’ll see the last four digits of your card. You may also spot the last four digits of the device number listed. The device number serves as the token.

Merchants will note more adjustments than consumers to support the changes in technology. Among the advantages they’ll gain, however, is a tighter level of security. When it comes to using a token-based setup, “the bottom line is everyone in the payments ecosystem — including merchants, consumers and financial institutions — benefits,” explains Hall.

What Apple’s adoption of tokenization means

“Apple Pay will shake up the payment industry in a big way,” notes Malte Pollmann, CEO of Utimaco, a manufacturer of hardware-based security solutions.

While tokenization isn’t a new technology, Apple’s approach to using it has the potential to make big shifts. “The difference between Apple and previous industry attempts to disrupt the mobile payments market is Apple’s ability to package existing technology into a viable and user-friendly solution — with the support of card issuers,” explains Pollmann.

How it could be used in the future

“If the security, telecom and financial services industries get it right, customers will increasingly trust new mobile payment models,” says Pollmann.

In addition to seeing new payment systems similar to Apple’s, this technology could branch into other areas.

Consider the medical industry, for instance. It’s possible that confidential information, such as medical records and prescription information, could be replaced with a token, explains Hall.

Furthermore, sensitive personal information, such as Social Security numbers and driver’s license numbers, could potentially be stored as tokens as well.

The process will take time, Hall says. Still, in the financial industry and others, the potential benefits are many. Perhaps the best perk will be the ability to use debit cards and credit cards without worrying about whose hands the card information could land in.