Tokenization
Tokenization replaces a card number with a random token, so a business can charge a card without ever storing the real number.
Tokenization is the practice of replacing sensitive card data — the actual card number — with a random, meaningless stand-in called a token. The token can be stored and used to charge the card again, but it's worthless to a thief because it maps back to the real number only inside the processor's secure vault. It's the mechanism that lets a business save a card for future billing without ever touching the raw digits.
How it works
- At checkout, the card number is captured by the payment gateway and sent to the processor.
- The processor stores the real number in a secure vault and returns a token — often exposed as a saved payment method object.
- To charge the card later, the business references the token, and the processor swaps it for the real number internally.
In Stripe, saving a card with a SetupIntent produces exactly this kind of reusable token.
Why it matters
Tokenization is what makes recurring billing both safe and practical.
- PCI scope — because the raw card number never lands on your servers, your PCI DSS compliance burden shrinks dramatically.
- Recurring charges — a token lets a subscription renew month after month without asking the customer to re-enter their card.
- Breach resilience — a stolen token can't be used outside your account, so a leak is far less damaging than exposed card numbers.
The practical result is that you can build one-click checkout and hands-off renewals while the actual card data stays locked in the processor's vault, never in your database.
Related terms
Updated July 6, 2026