
Tokenisation

PCI DSS

Replacing sensitive data (typically PAN) with a non-sensitive surrogate value (token).

Tokenisation replaces sensitive data — most commonly the Primary Account Number (PAN) under PCI DSS — with a non-sensitive surrogate token that has no exploitable value if breached. Detokenisation requires access to the secure token vault.

Why it matters
Because the PAN never enters the merchant's own systems, tokenisation dramatically shrinks PCI DSS scope (SAQ-A-EP instead of SAQ-D) and is the standard scope-reduction strategy.
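As an added illustration of the vault model described above (not code from this glossary's publisher), a minimal in-memory token vault: the surrogate is drawn from a CSPRNG, keeps only the last four digits of the PAN, and can be reversed only through the vault by an authorised caller. The "settlement" role, the rule that tokens must fail the Luhn check, and the sample PAN are assumptions made for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used to sanity-check a candidate PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """The only place the PAN<->token mapping exists; everything else sees tokens."""

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}  # repeat use of a card yields the same token

    def tokenise(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Surrogate from a CSPRNG: the token has no mathematical relation to the
            # PAN, so it cannot be reversed or enumerated the way a plain hash could.
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]  # keep last four so receipts can show "**** 1111"
            # Assumed design choice: tokens must fail Luhn, so they are never
            # mistaken for (or accidentally accepted as) a real PAN downstream.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenise(self, token: str, caller_roles: set[str]) -> str:
        # Hypothetical authorisation check: only the settlement role may reverse a token.
        if "settlement" not in caller_roles:
            raise PermissionError("caller not authorised to detokenise")
        return self._token_to_pan[token]


# Constructed sample: the well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"

if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenise(SAMPLE_PAN)
    print(tok, vault.detokenise(tok, {"settlement"}))
```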

Related terms

Cardholder Data (CHD)
The PAN, alone or together with the cardholder name, expiration date, or service code, as defined by PCI DSS.
CDE (Cardholder Data Environment)
The people, processes, and technology that store, process, or transmit cardholder data — and connected systems.
Encryption at Rest
Cryptographic protection of stored data — typically AES-256 with KMS-managed keys.
