Tokenization

Tokenization replaces a card number with a random token, so a business can charge a card without ever storing the real number.

Tokenization is the practice of replacing sensitive card data — the actual card number — with a random, meaningless stand-in called a token. The token can be stored and used to charge the card again, but it's worthless to a thief because it maps back to the real number only inside the processor's secure vault. It's the mechanism that lets a business save a card for future billing without ever touching the raw digits.

How it works

  1. At checkout, the card number is captured by the payment gateway and sent to the processor.
  2. The processor stores the real number in a secure vault and returns a token — often exposed as a saved payment method object.
  3. To charge the card later, the business references the token, and the processor swaps it for the real number internally.

In Stripe, saving a card with a SetupIntent produces exactly this kind of reusable token.

Why it matters

Tokenization is what makes recurring billing both safe and practical.

  • PCI scope — because the raw card number never lands on your servers, your PCI DSS compliance burden shrinks dramatically.
  • Recurring charges — a token lets a subscription renew month after month without asking the customer to re-enter their card.
  • Breach resilience — a stolen token can't be used outside your account, so a leak is far less damaging than exposed card numbers.

The practical result is that you can build one-click checkout and hands-off renewals while the actual card data stays locked in the processor's vault, never in your database.

Related terms

Updated July 6, 2026