What tokenization does
Tokenization replaces a sensitive card number with a non-sensitive token that has no exploitable value on its own. The real number lives in a hardened vault, and only the vault can map a token back to the card.
Token versus encryption
Encryption is reversible with a key, so the ciphertext still carries the secret. A token is just a reference with no mathematical link to the card, so a leaked token alone is useless.
How charges work
Your application stores only the token. To charge, you send the token to the vault or processor, which resolves it to the real card and completes the payment. Your systems never handle raw numbers.
Operational guidance
- Keep the vault as the only system holding real card data.
- Make tokens format-preserving if downstream code expects card shapes.
- Restrict who can request detokenization with strict access controls.
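The sketch below is an added example, not code from any particular vault product. It shows the three points above in one place: the vault is the only holder of card data, tokens are random digits with the card's length, and detokenization is limited to an allow-list and logged. The TokenVault class, the caller names, and the choice to reject Luhn-valid tokens are assumptions made for illustration.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Standard Luhn checksum that real card numbers satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """In-memory stand-in for the vault (hypothetical; a real vault is a hardened service)."""

    def __init__(self, detokenize_allowed):
        self._cards = {}                      # token -> real card number
        self._tokens = {}                     # real card number -> token
        self._allowed = set(detokenize_allowed)
        self.audit = []                       # (caller, token, decision)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._tokens:               # same card maps to the same token
            return self._tokens[pan]
        while True:
            # Random digits of the same length: card-shaped, not derived from the card.
            token = "".join(secrets.choice("0123456789") for _ in pan)
            # Assumption of this sketch: reject Luhn-valid values so a token
            # cannot be mistaken for a real card number.
            if token != pan and token not in self._cards and not luhn_valid(token):
                break
        self._cards[token] = pan
        self._tokens[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:
            self.audit.append((caller, token, "denied"))
            raise PermissionError(f"{caller} may not detokenize")
        self.audit.append((caller, token, "allowed"))
        return self._cards[token]

# Constructed sample input: 4111111111111111 is a widely used test card number.
vault = TokenVault(detokenize_allowed={"payment-processor"})
token = vault.tokenize("4111111111111111")
```

The application would store only `token`; a caller outside the allow-list gets a PermissionError and leaves a "denied" entry in `vault.audit`.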
Key idea
Tokenization swaps a card for a valueless reference held in a vault, so leaked tokens reveal no real card data.