What is card tokenisation?
We store the card number in the PCI DSS vault and issue you a token instead of the card number. Only the token appears in your systems. For the full picture, see what is a PCI Proxy.
Tokenisation replaces the card number with a token. The token looks like any other code: even if someone sees it, they cannot derive the card. The real number stays in our vault, not on your servers.
Not encryption
With encryption the card number stays in your systems. With tokenisation you get a random token in its place. It cannot be reversed without the vault.
Fewer PCI obligations
If your systems hold only the token, not the card number, PCI obligations drop significantly. Many merchants move from hundreds of controls (SAQ D) to a few dozen (SAQ A).
Works with any PSP
Use the same token for subscriptions, refunds or switching processors. You do not need to ask the customer for their card again when you change provider.
// 1. Customer enters card
// 2. Only the token stays in your systems
// 3. Card number: never on your servers
PCI DSS: Level 1 certified
AES-256: encrypted data in vault
100% EU: data in Europe only
< 50ms: average API response
Three types of tokens compared
Network tokens, gateway tokens and PCI Proxy tokens are not the same thing. They differ in portability, PCI obligations and freedom to choose your processor.
| Feature | Network Token | Gateway Token | PCI Proxy Token (recommended) |
|---|---|---|---|
| Issued by | Schemes (Visa, Mastercard) | Your PSP / gateway | PCI Proxy (independent) |
| PSP portability | Scheme only | No, vendor lock-in | Any PSP |
| Automatic card updates | Yes, automatic update | Gateway dependent | Yes |
| Reduces PCI obligations | Little | Little | A lot |
| Works over the phone too | E-commerce only | E-commerce only | E-commerce, phone, API |
What a token can look like
The format depends on how you want to use it in your back office or database. We help you choose the right one.
// Original card number
"4111 xxxx xxxx 1234"
// Token output
"4111 8273 6540 1234"
↑ same shape, middle digits changed
Same shape as the card number
Same length as the card number. You can store it in columns you already use, without changing the database.
// Original card number
"5412 7512 3456 7890"
// Token output
"tok_eu_a3f9b2c14d8e"
↑ prefix + random string
Random code
Strings like tok_eu_ with no link to the card number. Harder to spot patterns or guess anything.
// Original card number (19 digits)
"3714 496353 98431"
// Leading digits for the scheme
"3714 4963 7f2a 9c1b 8e4d"
↑ leading digits show the scheme (Visa, Mastercard), rest is random
Leading digits for the scheme
Keep the first digits to identify Visa, Mastercard and similar. The rest is random and secure.
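The three token shapes above, issued by a toy in-memory vault. This is an added example, not PCI Proxy's code; `ToyVault`, the format names `shape`, `random` and `scheme`, and the test card number are constructed for illustration.

```python
# Added example: toy in-memory vault, not PCI Proxy's implementation.
import secrets

PREFIX = "tok_eu_"  # prefix taken from the page's sample token


class ToyVault:
    """Maps token -> card number. Tokens are random, so only a lookup recovers the PAN."""

    def __init__(self):
        self._by_token = {}

    def _random_digits(self, n):
        return "".join(secrets.choice("0123456789") for _ in range(n))

    def _candidate(self, pan, fmt):
        if fmt == "shape":   # same length, first 4 and last 4 kept, middle random
            return pan[:4] + self._random_digits(len(pan) - 8) + pan[-4:]
        if fmt == "random":  # prefix + random string, no link to the PAN
            return PREFIX + secrets.token_hex(6)
        if fmt == "scheme":  # leading 8 digits kept, rest random hex
            return pan[:8] + secrets.token_hex(6)
        raise ValueError(f"unknown token format: {fmt}")

    def tokenise(self, card_number, fmt="random"):
        pan = "".join(ch for ch in card_number if ch.isdigit())
        if not 12 <= len(pan) <= 19:
            raise ValueError("not a plausible card number length")
        while True:
            token = self._candidate(pan, fmt)
            # A "shape" token must never equal the PAN it replaces,
            # and no token may be issued twice.
            if token != pan and token not in self._by_token:
                self._by_token[token] = pan
                return token

    def detokenise(self, token):
        # The only way back to the card number is this lookup.
        return self._by_token[token]


if __name__ == "__main__":
    vault = ToyVault()
    for fmt in ("shape", "random", "scheme"):
        # constructed test card number, not a real card
        print(fmt, vault.tokenise("4111 1111 1111 1234", fmt))
```

Tokenising the same card twice yields two different tokens, which is the practical difference from encrypting it with a fixed key.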
Where we keep the card safe
The vault is where we store the mapping between token and card number. It is isolated, encrypted and PCI DSS Level 1 certified. You do not manage it; we do.
Layer 1: Network segmentation
Separate network from the rest. No direct internet access. Smaller attack surface.
Layer 2: Encrypted data at rest
Every card number is encrypted before storage. Keys stay in dedicated hardware, never exposed in plain text.
Layer 3: Protected keys
Automatic key rotation. Access only for those who truly need it, with dual control.
Layer 4: Tracked access
Every vault operation is logged: who, when, from where. Immutable logs for PCI audits.
Data in the EU only
Everything stays in European data centres. Card data never leaves the European Union. GDPR compliance and European bank requirements.
The same token with any processor
Our tokens are not tied to Stripe, Adyen or Nexi. Use them with whoever you want, whenever you want.
1 token: one token, all the processors you need
PSPs supported: ∞
Cards to re-collect: 0
Portability: 100%
Switch PSP without asking for the card again
Zero disruption. Move to another processor for better costs or rates: tokens stay valid. You do not lose saved cards.
Multiple processors, one token
Routing. Send the payment to the PSP you prefer by region or scheme. We retrieve the card number only at payment time.
Subscriptions and recurring payments
Card updated. Save the token on the first payment and reuse it every month. Even if the card is reissued, the token stays valid.
Refunds and chargebacks
Tracking. Use the same token to refund, even if the original payment was on another PSP. Everything logged for audits and disputes.
When you need the card number
Only authorised parties can retrieve the card from the vault, and only when truly needed. Every access is logged.
Active layers: 4
Unauthorised access: 0
Role-based permissions
Least privilege. Only API keys with explicit permission can retrieve the card number. No default access.
Approved IPs only
Network. Requests only from addresses you have authorised. Everything else is blocked and flagged.
Short time window
Time limited. Permission lasts a few seconds. Once expired, a new authenticated request is required.
Log of every access
Audit. We record who requested the card, when and from where. Logs retained for PCI audits.
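The four controls above combined into a single reveal gate, as an added example rather than PCI Proxy's API; `ApiKey`, `Grant`, `authorise_reveal` and the `reveal` permission name are hypothetical. Denied requests are logged as well as allowed ones, since those are the ones that get flagged.

```python
# Added example: the four reveal checks as one gate. All names are hypothetical.
import ipaddress
from dataclasses import dataclass


@dataclass
class ApiKey:
    key_id: str
    permissions: frozenset     # no default access: "reveal" must be explicit
    allowed_networks: tuple    # CIDR strings the merchant has authorised


@dataclass
class Grant:
    key_id: str
    token: str
    expires_at: float          # epoch seconds; valid for a few seconds only


AUDIT_LOG = []  # stand-in for an append-only log store


def authorise_reveal(key, grant, token, source_ip, now):
    """Return True only if every check passes; log the decision either way."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        ip = None  # unparseable source address is treated as not approved
    if "reveal" not in key.permissions:
        reason = "missing_permission"
    elif ip is None or not any(
            ip in ipaddress.ip_network(net) for net in key.allowed_networks):
        reason = "ip_not_approved"
    elif grant is None or grant.key_id != key.key_id or grant.token != token:
        reason = "no_matching_grant"
    elif now >= grant.expires_at:
        reason = "grant_expired"
    else:
        reason = "ok"
    # who, when, from where, for both allowed and denied requests
    AUDIT_LOG.append({"key": key.key_id, "token": token, "ip": source_ip,
                      "at": now, "decision": reason})
    return reason == "ok"
```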
Network token vs PCI Proxy token
Not all tokens are equal. The choice affects PCI obligations, freedom to switch PSP and channels you can use.
Fewer PCI obligations, network token: ~30%
Fewer PCI obligations, PCI Proxy: up to 95%
PSP portability: ∞ PSPs
| Dimension | Network Token (Visa/MC) | PCI Proxy Token (recommended) |
|---|---|---|
| Issued by | Payment schemes (Visa, Mastercard) | PCI Proxy (independent) |
| Where it acts | Only in Visa/Mastercard transactions | In your systems: instead of the card number |
| PSP portability | Scheme-dependent | Any PSP |
| Reduces PCI obligations | Little | A lot |
| Works over the phone | No | Yes |
| Storage | Scheme vault | Vault of your choice (EU) |
Frequently asked questions
Tokenisation, encryption, vault and switching PSP: short answers.
01 What is the difference between tokenisation and encryption?
With encryption the card number stays in your systems: with the right key it can be recovered. Tokenisation replaces it with a random token that cannot be reversed without the vault. For PCI, encrypted data is still card data; well-implemented tokens are not.
02 Can I reuse tokens with different PSPs?
With gateway tokens you stay tied to a single PSP: if you switch providers, you must ask the customer for their card again. With PCI Proxy you use the same token with any processor. Switch provider without losing saved cards.
03 How does the vault protect stored card data?
The card stays in our PCI DSS Level 1 certified vault, encrypted and protected. Only those with the right credentials can retrieve it, and every access is logged. Data stays in the EU, monitored 24/7.
Ready to use tokens instead of the card number?
See how to integrate PCI Proxy into your payment flows, or read how it reduces PCI obligations.