Skip to main content

What Is Tokenization?

Tokenization replaces sensitive card data with a non-sensitive substitute: a token. The token has no mathematical relationship to the original card number and cannot be reversed without access to PCI Booking’s secure vault. When you tokenize a card through PCI Booking, the real card data is encrypted and stored in our PCI DSS Level 1 certified environment. You receive a token that you can safely store, log, and send through any system without PCI compliance concerns. For a step-by-step walkthrough of how tokenization fits into a real integration, see How PCI Booking Works.

Why Tokenization Matters for PCI DSS

Any system that stores, processes, or transmits cardholder data falls under PCI DSS scope. This means audits, penetration testing, encryption requirements, access controls, and ongoing monitoring. Tokenization eliminates this burden by ensuring your systems never handle real card data. Instead, you work exclusively with tokens that have no value if intercepted or leaked.

Tokenization vs. Encryption

Encryption transforms card data into ciphertext that can be reversed with the correct key. The encrypted data still represents the original card and must be protected under PCI DSS. Tokenization, by contrast, replaces card data with a completely unrelated value. There is no key that converts a token back to a card number. Detokenization can only happen inside PCI Booking’s secure vault.

How Tokens Work

A PCI Booking token:
  • Uniquely identifies a stored card
  • Can be used in any API call that requires a card reference
  • Is safe to store in your database, pass through APIs, or log
  • Cannot be used to reconstruct the original card number
  • Can only be accessed by the customer that created it
  • Takes the form of a URI (e.g., /cards/abc123) that you reference in subsequent API calls

Detokenization: The Other Side

Detokenization is the reverse process. It replaces a token with real card data to send it to a destination. This is how card data flows OUT of PCI Booking. Every operation that requires real card data is detokenization:
  • Processing a payment. PCI Booking replaces the token with card data and sends it to a PSP via UPG.
  • Relaying card data. Token replacement injects card data into HTTP requests or batch files.
  • Displaying a card. Secure iframe renders the real card number to an authorized user.
Tokenization gets cards IN. Detokenization gets cards OUT. Together, they form the complete lifecycle of card data in PCI Booking.

Token Lifecycle

  1. Created. Card is captured and tokenized through any supported capture method (hosted form, Card By Link, API, or response parsing).
  2. Active. Token is available for queries, updates, and detokenization. You can check metadata, update the expiration date, manage CVV retention, or duplicate the token. See Manage Tokens for all available operations.
  3. Expired. Card expiry has passed. The token still exists and can be queried, but the card may no longer be accepted for charges by the payment processor.
  4. Deleted. Token and all associated card data, CVV, and 3DS data are permanently and irrecoverably removed from the vault.

Get Started

Learn More