The Payment Card Industry Data Security Standard (PCI-DSS), an industry-wide standard that must be met by any organization that stores, processes, or transmits cardholder data, mandates that credit card data be protected when stored.
Tokenization, as applied to payment card data, is often implemented to meet this mandate: it replaces the credit card number in some systems with a random stand-in value (the token) that has no exploitable relationship to the original number.
Tokens can be formatted in a variety of ways. Some token service providers or applications generate these stand-in values in such a way as to match the format of the original sensitive data. In the case of payment card data, a token might be the same length as a Primary Account Number (bank card number) and contain elements of the original data such as the last four digits of the card number.
When an authorization request is made to verify the legitimacy of a transaction, a token might be returned to the merchant instead of the card number, along with the authorization code for the transaction. The token is stored in the receiving system while the actual cardholder data is stored in a secure token storage system. Storage of tokens and payment card data must comply with current PCI standards.
Tokenization makes it more difficult for attackers to gain access to cardholder data from any system outside the token storage system, because those systems hold only tokens. Implementing tokenization can also simplify PCI DSS compliance: systems that no longer store or process sensitive cardholder data are removed from the scope of the PCI audit, while the token storage system and any system able to exchange a token back for a card number remain in scope.
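As an added illustration of the flow described above (this is example code written for this page, not part of any token service provider's product or of the PCI standard itself), the following Python sketch implements a minimal token storage system: it validates an incoming Primary Account Number, issues a format-preserving random token that keeps the same length and the original last four digits, stores the mapping only inside the vault, and lets only an allow-listed caller exchange a token back for the card number. The `TokenVault` class, the `luhn_valid` helper, the role names, and the sample test card number `4111111111111111` (a well-known test PAN, not a real account) are all assumptions of this example. One design choice that goes beyond the page's text: generated tokens are deliberately made to fail the Luhn check, so a token can never be mistaken for, or used as, a real card number.

```python
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(pan: str) -> bool:
    """Basic PAN sanity check: 13-19 digits and a valid Luhn checksum."""
    return pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)


class TokenVault:
    """Toy token storage system (constructed for this example).

    The PAN-to-token mapping lives only here; every other system sees tokens.
    A production vault would encrypt the stored PANs, authenticate callers and
    audit every detokenize call; those parts are out of scope for this sketch.
    """

    # Hypothetical roles allowed to turn a token back into a PAN; everything
    # else (web front end, analytics, support tooling) only ever holds tokens.
    DETOKENIZE_ROLES = frozenset({"settlement", "chargeback"})

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return a format-preserving token for `pan`, reusing an existing one if present."""
        if not is_plausible_pan(pan):
            raise ValueError("input is not a plausible card number")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Random digits for everything except the last four, which are kept
            # so receipts and support screens can still show "ending in 1111".
            prefix = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject candidates that collide with an existing token, equal the
            # real PAN, or would pass Luhn (so a leaked token is never a usable PAN).
            if token in self._token_to_pan or token == pan or luhn_valid(token):
                continue
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
            return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Exchange a token for the PAN; only allow-listed roles may do this."""
        if caller_role not in self.DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        try:
            return self._token_to_pan[token]
        except KeyError:
            raise KeyError("unknown token") from None


def masked(token: str) -> str:
    """Display form that a merchant system would show: only the last four digits."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # constructed test PAN, not a real account
    tok = vault.tokenize(test_pan)
    print("token stored by merchant :", tok)
    print("shown on receipt         :", masked(tok))
    print("settlement system gets   :", vault.detokenize(tok, "settlement"))
```

Run as a script to see a token issued for the test PAN, its masked display form, and the settlement-side lookup. Note that the merchant-side systems in this flow only ever call `tokenize` and `masked`; the ability to call `detokenize` is what keeps a system inside PCI DSS scope.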