Let’s talk about Tokenization

Tokenization is the practice of replacing the sensitive data in question, in our case the PAN (Primary Account Number; usually the 16 digits printed on the face of the card), with another unique identifier that is not considered sensitive.

Most tokenization products have two features that provide robustness and the ability to work in a cross-platform environment.

The first is the ability to substitute for the original string without affecting the data structure that holds it. This is achieved by generating a different 16-digit string, which sometimes keeps the first six and last four digits of the original. In any case this is mostly configurable.
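As an added example (not from this post or any vendor's product), a minimal format-preserving tokenizer: it keeps a configurable number of leading and trailing digits, fills the rest from a CSPRNG, and maps token to PAN in an in-memory vault. The `TokenVault` class and `luhn_valid` helper are hypothetical names; the dictionary stands in for what a real product would keep encrypted inside the secured environment.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit test, used here only to reject input that is not a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory PAN <-> token mapping (illustrative; a real vault is encrypted and lives in the CDE)."""

    def __init__(self, keep_first: int = 6, keep_last: int = 4):
        self.keep_first = keep_first
        self.keep_last = keep_last
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        n_random = len(pan) - self.keep_first - self.keep_last
        if n_random < 1:
            # keeping every digit would leave nothing to randomize: the "token" would be the PAN itself
            raise ValueError("keep_first + keep_last leaves no digits to replace")
        if pan in self._pan_to_token:       # same PAN always yields the same token
            return self._pan_to_token[pan]
        head, tail = pan[:self.keep_first], pan[len(pan) - self.keep_last:]
        while True:
            middle = "".join(secrets.choice("0123456789") for _ in range(n_random))
            token = head + middle + tail
            # token must be unique in the vault and must never equal the PAN it replaces
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup; only code inside the secured environment should be able to call this."""
        return self._token_to_pan[token]
```

The token has the same length and position layout as the PAN, so a field or column sized for a 16-digit PAN accepts it unchanged.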

The second important feature of most tokenization products is an external input form that lets all credit card information be entered directly into a secured environment to begin with, thus negating the need to send sensitive data through a myriad of network components and participating applications. In many products this form can be integrated into any web-based application, and sometimes into non-web applications as well.

Remember: tokenization does not make you compliant! You still need to implement all controls required by the PCI DSS. If you plan your budget solely around a tokenization solution you're in for a surprise, as you will quickly learn that there is much more to do.


Ben, Ben Aderet – Co Founder of GRSee Consulting