Blog February 21st 2024

4 Essential Steps for a Winning Tokenization Strategy

Maybe your processor has approached you with their latest token solution, or your finance team has heard about the potential interchange fee discounts?1 Perhaps you’re even revamping your card processing setup and your old strategy doesn’t work anymore. Whatever the reason, tokenization is on the brain, and there are four things you should consider before making a change.


Martha Southall

Global Director of Client Insights

First and Foremost, What is Tokenization?

In its simplest form, tokenization is the process of replacing sensitive data with non-sensitive data. It has dozens of use cases, but we’re most interested in payments, where tokenization typically refers to replacing the customer’s Primary Account Number (PAN) – the 16 digits on the front of their card – with a string of non-sensitive numbers.2 Many businesses opt to tokenize customers’ card payment details so they aren’t storing this sensitive data on their own systems – which would require them to be PCI compliant – but with the industry innovating rapidly, the decision to tokenize now has implications that range from authorization rates to refunds.

Create a Winning Tokenization Strategy

Step 1: Know Your Sample

If you’re a merchant who doesn’t accept tokens today, you could be in for a surprise. Between digital wallets like Apple Pay and web browsers that allow customers to autofill their card information, there are numerous solutions that tokenize payment details before they even reach your business.3 On the flip side, if you’re sure that you tokenize every transaction via your processor, there may be some legacy edge cases where PANs are still sneaking into your systems. Understanding which tokens you truly have in your environment is the first step in drawing conclusions about the performance of each type, especially if you have PAN data with which to compare.

Step 2: Stress Test Your Use Cases

The advantages of tokenization often vary with the merchant’s environment and its customers’ journey.

Network tokens, for example, are designed to update card details in real-time, potentially reducing the risk of transaction declines due to lost, stolen, or expired cards common with subscription merchants.4 In contrast, if you’re a merchant that allows customers to buy goods online and return them in-store, then tokenized credentials could make it more difficult to identify the customer by their card in person. The same holds true for things like loyalty point accumulation, depending on how you map card details to customer accounts.

And those are just the external use cases. Tokens have the potential to enhance or limit a merchant’s internal processes, too, so it’s important to be familiar with those before developing a strategy. For instance, network tokens historically had the potential to restrict merchants’ ability to route transactions to domestic debit networks.5 Today, following an Order from the Federal Trade Commission,6 businesses requesting such information must be given access to the underlying PAN required to route the transaction – but not necessarily to the other data points that help the card issuer decide whether a transaction is too risky to approve.7 As such, merchants need to know exactly which data points their whole ecosystem uses to make decisions today and predict how those would be affected if the information were tokenized.

Step 3: Choose Your Token

We’ve talked a lot about network tokens so far, but they certainly aren’t the only option out there. When we refer to different ‘types’ of token, we are generally asking who your Token Service Provider is – or who owns the ‘vault’ containing the PAN and token information and can tokenize or de-tokenize between the two.

Having the vault sit with your processor might make sense for some merchants who want to keep PANs out of their systems, but for those with multiple processors today (or who are exploring that option in the future) a provider-agnostic token may be better for retaining a holistic view of the customer. Some merchants even manage their own token vault in-house, taking on a greater compliance burden in exchange for full ownership.

And then there are all the flavors in between. Perhaps you’ll elect to retain the PAN, using it as a ‘fallback’ for when the token is declined, or maybe that’s your IT Security team’s worst nightmare and instead you’re leveraging Payment Account Reference where it’s available to link your tokens together with a non-sensitive data point. Whatever your approach, it’s important to consider the flexibility you are buying yourself down the line as pricing and products change.

Step 4: Look Ahead

That flexibility is crucial in an area like tokenization, where a perfect storm of regulation, new fees, and innovation is changing the business case rapidly.

Last year, just a month prior to the aforementioned FTC Order surrounding Mastercard payment tokens,8 it was reported that Visa was facing scrutiny from the U.S. Justice Department over its pricing of tokenization technology.9 Similarly, in Australia, the Reserve Bank recently announced new expectations that all industry players should support the portability of network tokens by June 2025 to provide increased flexibility for merchants switching between providers.10 Aussie merchants won’t be allowed to store customers’ PANs by that date, either, unless they meet minimum security requirements.

At the same time, the payments industry is shifting. Visa, for example, has announced that any Apple Pay Device Token issued after July 30, 2025, will no longer work for Standing Instruction Transaction use cases,11 potentially changing the business case for recurring billing merchants.12 Similarly, new solutions such as Paze Wallet13 and Click to Pay could introduce network tokens for the merchants who choose to accept each product.

A Final Observation

Tokens can be an invaluable resource for merchants tackling a whole host of payments challenges. However, they have implications for the entire transaction flow – from network routing to loyalty systems – and that makes them sticky. With reporting often inconsistent, merchants may not even know what information they have in their environment today. The nature of the data in question – combined with the high costs of token migration – makes it vital that merchants use their data wisely to reap rewards and dodge risks when setting their token strategy.
