Payment Token


Payment Tokens are surrogate Bank Card Number values that replace the Primary Account Number in the payments ecosystem.

The Payment Token is the Bank Card Number, possibly along with some other information, obtained from the Issuer Bank as a result of the Card-Emulation process.

Payment Tokens are used to reduce the risks inherent to the transfer of sensitive payment data such as the Primary Account Number.

Generation of the tokens is done by the Token Service Provider or TSP.

During the payment process the Payment Token is:

  • sent from the handset to the POS device
  • then sent to the Card Issuer for transaction authorization

The TSP also provides a service to map back the PAN from the Payment Token used in the transaction, which is sent over the Payment Network.

This way, the unsecured token space and the secure PAN space are distinct areas.

The Payment Token Framework was published in 2014 by EMVCo Tokenization.

A Payment Token number does not reveal the PAN, and possibly other information about the purchaser, to the Merchant.

The Payment Token is a surrogate Bank Card Number for a PAN: a valid 13 to 19-digit numeric value that must pass the Luhn Check Digit and other CVM of an account number.

Payment Tokens must not have the same value as, or conflict with, a real PAN. A Payment Token can be:

  • Limited in time-to-live
  • Limited by number of uses
  • Capped by maximum amount
  • ...
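
The properties above (a Luhn-valid 13 to 19-digit value, no collision with a real PAN, limits on lifetime, uses and amount, and the TSP mapping the token back to the PAN) shown as an added Python example; it is not code from EMVCo or from any TSP. The `TokenVault` class, the `999999` token BIN and all parameter names are assumptions made for illustration.

```python
import secrets
import time

TOKEN_BIN = "999999"  # assumed token-only BIN range, never issued for real PANs


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return (number.isdigit() and 13 <= len(number) <= 19
            and luhn_check_digit(number[:-1]) == number[-1])


class TokenVault:
    """In-memory stand-in for a TSP: the token -> PAN mapping never leaves it."""

    def __init__(self):
        self._by_token = {}
        self._pans = set()

    def tokenize(self, pan, ttl_s, max_uses, max_amount):
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn / length check")
        self._pans.add(pan)
        while True:  # redraw until the token collides with no PAN and no live token
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token not in self._pans and token not in self._by_token:
                break
        self._by_token[token] = {"pan": pan, "expires": time.time() + ttl_s,
                                 "uses_left": max_uses, "max_amount": max_amount}
        return token

    def detokenize(self, token, amount, now=None):
        rec = self._by_token.get(token)
        now = time.time() if now is None else now
        if rec is None or now > rec["expires"] or rec["uses_left"] < 1 or amount > rec["max_amount"]:
            return None  # decline: unknown, expired, exhausted or over the cap
        rec["uses_left"] -= 1
        return rec["pan"]
```

Only `detokenize` ever returns the PAN, so a merchant that stores the token holds a value that is useless outside the limits recorded in the vault.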

Both Apple Pay and Google Wallet utilize a Payment Token in their wallet process; however, they are handled differently.
