
What is Tokenization?

Complexity: Working
Shows up: Monthly
Scope: Network-native
Operator relevance: Context
Quick definition

Tokenization replaces card numbers with tokens — non-sensitive references — so merchants can handle transactions without storing card data.

The short answer

Tokenization is the process of replacing card numbers with tokens — non-sensitive references that represent the card without exposing the underlying data. Merchants store tokens, not PANs. The processor stores the mapping.

In plain English

Your customer enters their card number on your checkout. Stripe.js, Square Web Payments SDK, or Authorize.net Accept.js grabs the card number client-side, sends it to the processor's tokenization endpoint over TLS, and gets back a token (e.g., `tok_1Abc234XYZ`). Your server receives only the token. The actual card number never touches your infrastructure.

When you need to charge the same card again (subscription renewal, repeat customer), you reference the token. The processor translates the token back to the card data behind their PCI-scoped firewall and processes the charge.
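As an added example (not code from this page or from any processor's SDK), here is a server-side guard that enforces the "token only" rule described above: it rejects any payload field containing a Luhn-valid 13 to 19 digit number and accepts only a token-shaped value. The `payment_token` field name and the token regex are assumptions; the prefixes are the ones quoted on this page.

```python
import re

# Prefixes are the ones quoted on this page; the overall shape is an assumption.
TOKEN_RE = re.compile(r"^(tok|cus|card|pm)_[A-Za-z0-9]+$")
# 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Constructed sample payloads (4242... is a widely published test card number).
GOOD = {"payment_token": "tok_1Abc234XYZ", "order_ref": "1234567890123456"}
BAD = {"payment_token": "tok_1Abc234XYZ", "note": "card 4242 4242 4242 4242"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_fields(payload: dict, path: str = "") -> list:
    """Return the paths of fields whose value contains a PAN-like number."""
    hits = []
    for key, value in payload.items():
        here = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            hits.extend(find_pan_fields(value, here))
            continue
        for m in PAN_CANDIDATE_RE.finditer(str(value)):
            if luhn_ok(re.sub(r"[ -]", "", m.group())):
                hits.append(here)
                break
    return hits


def accept_checkout(payload: dict) -> str:
    """Return the token to store, or raise if the payload is out of policy."""
    leaked = find_pan_fields(payload)
    if leaked:
        # Report field names only; never echo the offending value into logs.
        raise ValueError("card number in fields: " + ", ".join(leaked))
    token = payload.get("payment_token", "")  # hypothetical field name
    if not isinstance(token, str) or not TOKEN_RE.match(token):
        raise ValueError("missing or malformed payment token")
    return token
```

The Luhn check keeps ordinary long numeric IDs (such as the constructed `order_ref`) from tripping the guard, though roughly one in ten random digit strings will still pass it.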

How it shows up in your business

  • Saved cards on subscription products work via tokens — your database stores tokens, not card numbers.
  • PCI scope shrinks dramatically. Moving from SAQ D (stores PANs) to SAQ A (tokenization-only, no card data touch) is a huge compliance simplification.
  • Tokens are typically acquirer-specific. A Stripe token doesn't work on Square. Migrating requires either re-tokenization at the new processor or using a processor-agnostic vault.
  • Network tokens (Visa, Mastercard) are newer — processor-agnostic tokens usable across acquirers. Adoption is growing.

Numbers to know

Tokens typically start with a processor-specific prefix and are 20-50 characters of alphanumeric data. Stripe customer tokens: `cus_xxx`. Stripe card tokens: `card_xxx` or `pm_xxx`. Token lifetime: usually permanent unless the customer revokes or the card is reported compromised.

PCI-DSS scope with tokenization: typically SAQ A (lightest). Without tokenization (storing card data): SAQ D (heaviest, annual audit required at Level 1).

Why multi-brand operators care

Across a multi-brand portfolio, tokenization + the processor's customer vault (Stripe Customers, Authorize.net CIM, Braintree Vault) is the difference between one-off checkouts and recurring relationships. Tokens let you move a customer between sub-brands under the same parent without re-entering card data. multiflow respects the vault of your underlying processor — we don't add a second tokenization layer; we work above the one your processor already has.
