Tokenization is a concept used in credit, debit, and gift card processing systems to avoid storing cardholder data (CHD) such as credit and debit card numbers, pin numbers, expiration dates, card security codes, and the like at a merchant's location. For example, when a merchant initially accepts a credit card at a point-of-sale (POS) system, the CHD is encrypted and sent to a remote gateway system. The gateway system requests authorization from a credit card processor, which obtains authorization from a bank that issued the card. The gateway system receives the authorization from the credit card processor and provides a token to the merchant for storage along with the authorization.
The token can be a globally unique, randomized, alphanumeric replacement for the CHD. The merchant's POS system stores the token instead of storing the CHD. If the merchant needs to reauthorize a customer (for example, to add a tip at a restaurant), the merchant sends the token to the gateway system, which then sends the actual CHD to the processor. With tokenization, thieves cannot steal CHD from merchants because the tokens are stored in place of the actual CHD.