Payment tokenization replaces a cardholder's Primary Account Number (PAN — the 16-digit card number) with a unique, non-sensitive token that can be used for transactions but is useless if intercepted. Mandated or strongly incentivized by Visa and Mastercard network standards and PCI DSS Requirement 3 (pcisecuritystandards.org); reduces PCI scope and eliminates breach liability for the merchant.
Tokenization is defined by the PCI Security Standards Council (pcisecuritystandards.org/document_library/documents/Tokenization_Guidelines_Info_Supplement.pdf) as the process of replacing sensitive cardholder data with a non-sensitive substitute (the 'token') that has no exploitable value outside the specific system or merchant. The original PAN is stored securely in a token vault — accessible only by the tokenization system when a real transaction needs to be processed. Network tokenization (distinct from processor tokenization) is provided directly by Visa (Visa Token Service, VTS) and Mastercard (Mastercard Digital Enablement Service, MDES) — see Visa's developer documentation at developer.visa.com and Mastercard's at developer.mastercard.com. Network tokens are tied to the specific device or merchant and expire or are invalidated if the card is reissued. Network tokens also deliver a higher authorization rate (typically 2–3 percentage points higher) because the issuer can automatically update the token when a card is reissued rather than declining the transaction. For merchants and payment processors, tokenization achieves two critical outcomes: (1) PCI scope reduction — a merchant that never stores, processes, or transmits actual PANs has dramatically reduced PCI DSS compliance obligations; and (2) breach liability reduction — stolen tokens are worthless without the vault. This aligns with the FTC's data minimization guidance under 15 U.S.C. § 45 (ftc.gov/tips-advice/business-center/guidance/protecting-personal-information-guide-business). Tokenization vs. encryption: encryption transforms data into ciphertext that can be decrypted with the right key — the original PAN still exists and can be reconstituted if the key is compromised. Tokenization replaces the PAN with a random token that has no mathematical relationship to the original — there is nothing to decrypt. Both protect data in different threat models; the PCI SSC recommends using both together for maximum protection.
If a merchant never receives, stores, or processes real PANs — because tokenization happens before card data reaches the merchant's systems — the merchant is largely out of PCI scope. PCI DSS compliance requirements are dramatically reduced for 'out-of-scope' merchants. Using fully hosted payment forms (Stripe Elements, Braintree Drop-in UI) with network tokenization is the fastest path to minimal PCI scope for most merchants.
Both are substitutes for a real value-bearing credential, but payment tokens substitute for a PAN in a way that is entirely opaque to the merchant's systems — the merchant can charge the token but has no visibility into the underlying card. Gift card numbers represent a balance in a closed-loop system. Payment tokens are open-loop credentials issued by card networks; gift cards are closed-loop instruments.
Processor tokenization (Stripe, Braintree, Square, etc.) tokenizes at the processor level — the PAN is vaulted by the processor and a token is returned to the merchant. Network tokenization (Visa VTS, Mastercard MDES) tokenizes at the card-network level. Network tokens deliver higher authorization rates and automatic card-update; processor tokens don't. For recurring billing businesses, network tokenization significantly reduces involuntary churn from expired or reissued cards.