The Payment Card Industry Data Security Standard (PCI DSS) restricts how a retailer may store card numbers on its point-of-sale (POS) terminals and in its databases after a transaction: a primary account number (PAN) may be retained only if it is rendered unreadable (for example by strong encryption, truncation or tokenization), and sensitive authentication data such as the full magnetic stripe, the card verification code and the PIN may not be stored at all once the transaction has been authorized. To meet these requirements, merchants typically either install costly end-to-end encryption across their own payment path or outsource payment processing to a service provider that offers a "tokenization option." The service provider issues the token values and takes on the job of keeping the underlying cardholder data locked down; because the merchant's systems then hold tokens instead of PANs, the part of its environment that falls under PCI DSS assessment shrinks accordingly. The merchant nonetheless remains accountable for the compliance of its own environment and for vetting the provider it relies on.
In such a scenario, the service provider issues the merchant software for the POS system (typically a driver or SDK) that sends each card number to the provider and receives back a token: a randomly generated value that stands in for the PAN in the merchant's systems. Because the token is not a primary account number and has no mathematical relationship to one, it cannot be used to authorize a payment outside the context in which it was issued; a token may be scoped to a single transaction with that particular merchant or, for recurring billing, to that merchant alone. To keep existing software working, tokens are usually format-preserving: a token for a 16-digit card number is itself 16 digits and typically keeps only the last four digits of the actual card number, so that receipts and customer service can still identify the card. The remaining characters are random values whose only meaning is an entry in the provider's token vault, which holds the sole mapping from token back to PAN; they do not encode cardholder or transaction data, so a stolen token on its own reveals nothing about the card.
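The mechanics described above, written out as a small illustration (this is added example code, not software from any payment provider): a hypothetical TokenVault validates the incoming PAN, issues a same-length token that keeps the last four digits and is otherwise random, records the token-to-PAN mapping on the provider side only, and hands the PAN back solely to the merchant the token was issued to. The in-memory dictionary, the class and function names, and the rule that a token must fail the Luhn check so it can never be mistaken for a live card number are all assumptions made for the example.

```python
"""Hypothetical token vault illustrating format-preserving PAN tokenization.

Added illustration; not code from any real payment provider. The names, the
in-memory mapping and the Luhn-failing token rule are assumptions.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form a merchant may keep: everything but the last four digits hidden."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenNotFound(LookupError):
    """Raised when a token is unknown or was issued to a different merchant."""


class TokenVault:
    """Provider-side service that issues tokens and holds the only token->PAN map."""

    def __init__(self) -> None:
        # Assumption: a plain dict for illustration. A real vault keeps this table
        # in a separate, access-controlled store with the PANs encrypted at rest.
        self._vault = {}   # token -> (pan, merchant_id)

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Validate the PAN and return a fresh, merchant-scoped, format-preserving token."""
        if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed card number")
        while True:
            # Same length as the PAN, last four digits kept, the rest random.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Assumption: tokens must fail Luhn so they can never be mistaken for
            # a real card number (some providers choose the opposite convention).
            if luhn_valid(token) or token in self._vault:
                continue
            self._vault[token] = (pan, merchant_id)
            return token

    def detokenize(self, token: str, merchant_id: str) -> str:
        """Return the PAN for a token, but only to the merchant it was issued to."""
        entry = self._vault.get(token)
        if entry is None or entry[1] != merchant_id:
            # One error for both cases so a caller cannot probe which tokens exist.
            raise TokenNotFound("token not found for this merchant")
        return entry[0]


if __name__ == "__main__":
    # Constructed sample: the well-known Visa test number, not a real card.
    pan = "4111111111111111"
    vault = TokenVault()
    t1 = vault.tokenize(pan, "merchant-A")
    t2 = vault.tokenize(pan, "merchant-A")   # a second transaction gets a new token
    print("merchant stores:", mask_pan(pan), t1, t2)
    print("detokenize as issuing merchant:", vault.detokenize(t1, "merchant-A"))
    try:
        vault.detokenize(t1, "merchant-B")
    except TokenNotFound as exc:
        print("detokenize as another merchant:", exc)
```

Two points in the example matter in practice. Every call to tokenize produces a new token even for the same card, which is what makes a token useless outside its own transaction; a provider offering multi-use tokens for recurring billing would instead return the existing token for that merchant and card. And detokenize is the only path from token to PAN, so in a real deployment it is the interface that needs strong client authentication, rate limiting and audit logging.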
Tokenization makes it harder for attackers to reach cardholder data than the older designs in which card numbers were stored directly in merchant databases and passed in the clear across networks: a compromised POS terminal or merchant database yields only tokens. The trade-off is that the token vault concentrates the risk, so it must be isolated from the merchant environment, encrypted at rest and reachable only through a tightly authenticated and logged detokenization interface. The same technique can in theory be applied to sensitive data of all kinds, including bank transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.