Mastering the Tokenization Strategy

Tokenization

February 10, 2025

—3 min

What is Tokenization?

Tokenization is a security technology used in digital payments. It involves replacing the PAN (Primary Account Number)—the card number held by the user—with a non-sensitive data element called a digital token.

A token is a unique digital identifier that substitutes the PAN in the payment system. It remains directly linked to the original data, allowing transaction authorization without exposing the user's sensitive card details.

This method is endorsed and promoted by the global standardization body EMVCo to enhance the underlying security of digital payments and reduce the risk of unauthorized or fraudulent use of primary account numbers (PANs).

A Concrete Example

When a user wants to add their payment card to a mobile wallet application (e.g., Apple Wallet), they start by entering their PAN, security code, and other card details.

The Wallet application then initiates the tokenization process with an entity known as a Token Service Provider (TSP). This role is performed by payment networks such as Visa, Mastercard, and Cartes Bancaires.

A unique token is generated and sent back to the Wallet application, which can then process future in-store payments (e.g., contactless payments) without ever exposing the PAN.

Organization of the Tokenization Ecosystem at a Global Level

The Token Service Provider (TSP) plays a central role in the tokenization framework, as shown in the diagram below.

A Token Requestor (TR) that wants to digitize a payment card for a specific use case must interact with a TSP to achieve this.

Two Examples:

A retail bank wishing to offer a mobile proximity payment service in its app:

When a customer activates the service, the bank must request tokenization of the user's payment card from a TSP before provisioning the token into its app.

An e-commerce merchant offering customers the ability to save their payment card for future purchases (Card-On-File service):

When a customer registers their payment card, the merchant must request tokenization of the card from a TSP before storing the token in its database.

The TSP holds a key role for several reasons:

It is responsible for the Token Vault, a database linking payment cards to their corresponding tokens.
When a payment transaction using a token is initiated, the TSP participates in the authorization process before the card issuer, validating security elements (such as cryptograms generated from TSP-provisioned keys) before transmitting the "de-tokenized" authorization request to the card issuer.

Thus, the TSP plays a crucial role by managing sensitive data (card-token mapping) and systematically intervening in every transaction involving tokens.

Sovereignty and Control Issues for Issuers and National Payment Networks

In theory, various players in the card payment ecosystem (payment networks, payment service providers, etc.) can act as TSPs. However, in practice, major global payment networks have taken the lead in this role.

International payment networks, such as Visa and Mastercard, have embedded tokenization services into their core infrastructure. Due to their global reach, they provide a wide range of services that help TRs (banks, merchants, etc.) deploy solutions easily and universally.

For example, global mobile payment wallets (G-Pay, Apple Pay, Samsung Pay, etc.) connect to international network TSPs as TRs. Issuers that are already using these networks to issue physical cards can rely on their TSP services to digitize their cards in these wallets.

Faced with these global offerings, domestic players are developing local TSPs for issuers within their respective countries. This is particularly seen in countries with strong card payment traditions, well-established interbank networks, and national payment schemes—such as France.

Other regions, like Saudi Arabia, are launching domestic tokenization hubs, driven by sovereignty concerns and the need to keep sensitive data under national control.

Given these choices, TRs must adopt solutions that allow them to retain control over their value proposition. This is especially critical for issuing banks, as cardholder data management has traditionally been a top priority. Additionally, reliance on third parties in the payment authorization loop is a sensitive issue.

For issuers, selecting TSPs for different services is a strategic decision, not just a technical or financial one. This is known as the "token sourcing strategy."

For instance, consider an issuing bank in a country with both a national payment scheme and an international network (e.g., Visa or Mastercard). The bank issues co-badged cards, meaning domestic payments go through the national scheme while international payments use the global network.

When digitizing this card for mobile payments, the issuer must define its tokenization strategy. It might decide to replicate the co-badging model in the digital space, sourcing a token from the national scheme’s TSP and another from the international network’s TSP.

The Need for Mastery by Token Requestors

A new generation of solutions has emerged to help Token Requestors access all tokenization-related features seamlessly, including:

Preparing data for tokenization requests;
Sourcing tokens from multiple TSPs based on a predefined strategy;
In some cases, provisioning tokens into payment applications;
Managing the token lifecycle to handle events like loss, theft, and renewal efficiently.

These solutions act as TR platforms, aggregating access to TSPs and offering easy integration for issuers and merchants via APIs.

Our ReadyToTap Payment solution is positioned in this space. Today, it enables various issuers—including retail banks, neobanks, and prepaid card issuers—to leverage a wide range of TSP services with flexibility and ease of implementation.