Tokenization and virtual cards: How one-time payment numbers (PANs) protect merchants from data leaks

Professor
Abstract: A detailed analysis of the technology for replacing a real card number (PAN) with a unique token. Explanation of different models: Visa Token Service, Mastercard Digital Enablement Service (MDES). Examples of use in Apple Pay/Google Pay and in virtual card issuance services for online payments.

Introduction: The End of the Era of the Eternal Number

Imagine you have a single key to every door in your life: your home, your car, your bank vault, your office. You leave a copy of it with everyone who provides you with a service: your hairdresser, your taxi driver, your online store courier. If the key is stolen or copied from any of them, you risk losing everything. This is exactly how our online bank cards worked for decades: we transmitted the real, unchangeable card number (PAN – Primary Account Number) to thousands of merchants, trusting each of them to keep it secret.

Massive data leaks from compromised stores proved that this trust was an illusion. The answer to this fundamental vulnerability is a technology that changes the very essence of card data – tokenization. It transforms the vulnerable “eternal key” into one-time digital passes that are useless in the wrong hands. This article is a deep dive into how this technology has quietly revolutionized online payment security.

Chapter 1. The Essence of Tokenization: PAN is Dying, Long Live the Token!

Tokenization is the process of replacing sensitive data (like a card number) with a unique digital identifier that has no intrinsic value — a token.

How it works (basic diagram):

  1. Initial data: You have a card with PAN 1234 5678 9012 3456.
  2. Token request: When you link a card to Apple Pay or create a virtual card, your bank (through the payment system) generates a unique token, for example, 9876 5432 1098 7654. This is a 16-digit number that looks like a regular card number.
  3. Link in storage: The payment system (Visa, Mastercard) stores in its highly secure token storage (Token Vault) an unbreakable link: Token 9876... → PAN 1234.... The bank also knows this link.
  4. Using a token: Instead of the PAN, the token 9876... is transferred to the online store or terminal. The store sees and stores the token, not your real PAN.

Key principle: A token is useless without context.
  • If a token is stolen from a store's database, the fraudster will not be able to use it to pay elsewhere because:
    • It is “tied” to a specific device (your phone) or a specific seller.
    • For its authorization, additional verification is required (biometrics, device cryptogram).
    • It can be cancelled instantly without affecting the main card.
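The basic diagram and the "useless without context" principle above, as an added simulation that is not part of the original post. It models a toy Token Vault: tokens are generated in a separate, hypothetical BIN range and made Luhn-valid so they look like ordinary 16-digit card numbers; each token is bound to the party that requested it, so a token stolen from one merchant's database resolves to nothing when presented from another; tokens can be revoked (or marked single-use, as the virtual cards in Chapter 3) without touching the PAN. The PAN, the token BIN and the merchant names are constructed sample values.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample values for the walk-through; not real card data.
SAMPLE_PAN = "1234567890123452"   # Luhn-valid variant of the article's example PAN
TOKEN_BIN = "987654"              # hypothetical token BIN range, distinct from the real card's BIN


def luhn_check_digit(partial: str) -> str:
    """Return the mod-10 check digit that completes `partial` into a Luhn-valid number."""
    total = 0
    # The check digit occupies position 0 from the right, so the rightmost
    # digit of `partial` (position 1) is the first one to be doubled.
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit is the correct Luhn check digit for the rest."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]


@dataclass
class TokenRecord:
    pan: str            # in a real vault this sits in an HSM-protected store; plain text here for the simulation
    requestor: str      # the merchant/device/app the token was issued to (its "context")
    single_use: bool    # virtual card that self-destructs after one successful authorization
    active: bool = True
    uses: int = 0


class TokenVault:
    """Toy model of the payment system's Token Vault: the only place token -> PAN is known."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue_token(self, pan: str, requestor: str, single_use: bool = False) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails Luhn check")
        while True:
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)   # 16 digits, looks like a card number
            if token not in self._records and token != pan:
                break
        self._records[token] = TokenRecord(pan=pan, requestor=requestor, single_use=single_use)
        return token

    def detokenize(self, token: str, presented_by: str) -> Optional[str]:
        """Resolve a token to its PAN only for the party it is bound to; None means 'useless here'."""
        rec = self._records.get(token)
        if rec is None or not rec.active:
            return None
        if rec.requestor != presented_by:
            return None                     # stolen from one store, presented at another: no value
        if rec.single_use:
            rec.active = False              # disposable number: dead after its first use
        rec.uses += 1
        return rec.pan

    def revoke(self, token: str) -> None:
        """Cancel one token; the PAN and every other token on it keep working."""
        rec = self._records.get(token)
        if rec is not None:
            rec.active = False

    def active_tokens_for(self, pan: str) -> List[str]:
        """What the bank app shows: which services currently hold a live token for this card."""
        return [t for t, r in self._records.items() if r.pan == pan and r.active]


if __name__ == "__main__":
    vault = TokenVault()
    t = vault.issue_token(SAMPLE_PAN, "amazon")
    print("token for amazon:", t, "luhn ok:", luhn_valid(t))
    print("amazon presents it:", vault.detokenize(t, "amazon"))
    print("steam presents the leaked token:", vault.detokenize(t, "steam"))
    vault.revoke(t)
    print("after revocation, even amazon:", vault.detokenize(t, "amazon"))
```

The vault never hands the PAN to the merchant; `detokenize` is the issuer-side step that happens during authorization, which is why a leaked token has no value on its own.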

Chapter 2. Security Architecture: How Token Ecosystems Work

Payment systems have developed entire ecosystems to manage the token lifecycle.

1. Visa Token Service (VTS):
This is Visa's global platform. Its key components are:
  • Token Requestor: This could be a device manufacturer (Apple, Samsung), a bank, an app developer (Uber, Netflix), or a major merchant (Amazon). They request a token for their service.
  • Token Vault: Visa's centralized, highly secure database that stores all token↔PAN relationships. It's the "source of truth."
  • Token Assurance: Visa assigns a level (from 1 to 5) to the token, indicating how securely the cardholder's identity was verified during linking. A higher level gives transactions greater credibility.

2. Mastercard Digital Enablement Service (MDES):
A similar ecosystem from Mastercard. MDES also provides an API for tokenization and manages the token lifecycle, ensuring they are linked to devices and apps.

The issuing bank plays a key role: the bank that issued your card must be connected to these services. When you add your card, it verifies your identity (usually via 3-D Secure in its app) and authorizes Visa/Mastercard to issue a token.

Chapter 3. Use Cases: From Smartphones to Disposable Cards

Tokenization manifests itself in our lives in two main forms.

1. Contactless payments from devices (Apple Pay, Google Pay, Samsung Pay) — Device-Based Tokens.
  • Process: When you add a card to your wallet, your iPhone requests a unique Device Account Number (DAN) from the bank via VTS/MDES — this is the token.
  • Features: This token is permanently written into the phone's secure chip (Secure Element). It is tied specifically to this device.
  • Payment: When you hold your phone to the terminal, the chip generates a unique cryptogram for each transaction based on this token. It is physically impossible to steal the token from the chip.
  • Advantages: Even if the terminal is hacked, it will only contain a one-time cryptogram for a token that works only with that phone. PAN leakage is completely eliminated.

2. Virtual cards for online payments – Merchant-Based or Single-Use Tokens.
This is the next level of security for any online purchases.
  • Merchant-Specific Card: A bank or service (such as a browser-based one) can issue a virtual card with a token that only works at one specific store (Amazon, Spotify). Even if the token leaks from Amazon, it won't work on Steam.
  • Single-Use Virtual Card: The most secure option. A new token (new number, CVV, expiration date) is generated for each purchase. After one successful payment, the card self-destructs. This is ideal protection against theft.
  • What it looks like for the user: In the bank's app, you tap "Create a virtual card for AliExpress," receive a number, expiration date, and CVV, use them once, and forget about them. This number is no longer active anywhere.
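The device-based flow in point 1 above, as an added simulation that is not part of the original post and not the code of any real wallet or payment network. A toy Secure Element holds the device token, a per-device key that never leaves it, and a transaction counter (ATC); for each payment it produces a cryptogram over token, counter, amount and terminal. The issuer side checks the cryptogram with the key it received at enrolment and rejects replays and tampered amounts, which is why a terminal that only ever saw one cryptogram holds nothing reusable. Key material, the token value, amounts and terminal IDs are constructed; the cryptogram construction (HMAC-SHA256 truncated to 16 hex digits) is a stand-in for the EMV cryptograms real chips use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample token (a "Device Account Number" provisioned to one phone).
DEVICE_TOKEN = "9876543210987654"


def cryptogram_input(token: str, atc: int, amount_cents: int, terminal_id: str) -> bytes:
    """Transaction fields that the cryptogram commits to; both sides build it identically."""
    return f"{token}|{atc}|{amount_cents}|{terminal_id}".encode()


def make_cryptogram(key: bytes, data: bytes) -> str:
    # Stand-in for an EMV application cryptogram: keyed MAC, truncated.
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


@dataclass
class SecureElement:
    """Simplified model of the phone's secure chip."""
    token: str
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    atc: int = 0   # Application Transaction Counter, increments on every payment

    def pay(self, amount_cents: int, terminal_id: str) -> Dict[str, object]:
        """What the terminal receives: token plus a one-time cryptogram, never the PAN or the key."""
        self.atc += 1
        mac = make_cryptogram(self.key, cryptogram_input(self.token, self.atc, amount_cents, terminal_id))
        return {"token": self.token, "atc": self.atc, "amount": amount_cents,
                "terminal": terminal_id, "cryptogram": mac}


class Issuer:
    """Issuer/token-service side: knows the per-device key and the last counter seen."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._last_atc: Dict[str, int] = {}

    def enrol(self, se: SecureElement) -> None:
        # Models key provisioning at card linking; in reality done under the
        # network's key-management protocol, here simply copied for the simulation.
        self._keys[se.token] = se.key
        self._last_atc[se.token] = 0

    def authorize(self, msg: Dict[str, object]) -> str:
        token = str(msg["token"])
        key = self._keys.get(token)
        if key is None:
            return "DECLINE:unknown_token"
        atc = int(msg["atc"])
        if atc <= self._last_atc[token]:
            return "DECLINE:replay"             # a captured cryptogram presented again
        expected = make_cryptogram(key, cryptogram_input(token, atc, int(msg["amount"]), str(msg["terminal"])))
        if not hmac.compare_digest(expected, str(msg["cryptogram"])):
            return "DECLINE:bad_cryptogram"     # amount/terminal altered, or no device key
        self._last_atc[token] = atc
        return "APPROVE"


def run_scenario() -> List[str]:
    """Legit payment, replay of the same message, altered amount, next legit payment."""
    se = SecureElement(token=DEVICE_TOKEN)
    issuer = Issuer()
    issuer.enrol(se)
    first = se.pay(1999, "TERM-1")
    results = [issuer.authorize(first), issuer.authorize(first)]
    altered = dict(first, amount=199900, atc=int(first["atc"]) + 1)   # what a compromised terminal could try
    results.append(issuer.authorize(altered))
    results.append(issuer.authorize(se.pay(500, "TERM-2")))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The counter check and the MAC over amount and terminal are the two properties that matter: a cryptogram is accepted once, for exactly the transaction the phone signed, and nothing captured at the terminal lets anyone produce the next one.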

Chapter 4. Benefits and Victories: What Has Tokenization Changed?

  1. The end of mass PAN leaks: A major victory. Merchants' databases now contain tokens, not actual card numbers. A hack of a merchant's database no longer means a compromise of your funds.
  2. Simplifying PCI DSS compliance: This strict security standard requires merchants to invest heavily in protecting cardholder data. If a store stores tokens rather than PANs, its PCI DSS obligations and risks are significantly reduced, as the token is not considered sensitive information.
  3. Improved user experience: Linking your card to the new service is a one-click process using Apple Pay or similar services, without entering your card number, expiration date, or CVV. It's faster and more secure.
  4. Anti-carding: Fraudsters who buy card dumps (stolen PANs) on the black market are increasingly receiving useless tokens from old leaks or one-time numbers instead.
  5. Control and management: In the bank's app, you can see in real time which services your card (or rather, its tokens) is linked to, and instantly revoke access to any of them without blocking your physical card.

Chapter 5. The Future: Ubiquitous Tokenization and New Horizons

Tokenization isn't standing still. Its logic extends further:
  • Tokenization of recurring (subscription) payments: The problem is that when the primary card is changed, all subscriptions are lost. Tokenization allows you to create a permanent token for the subscription, which the bank can automatically update when the card is reissued.
  • Tokenization in B2B and open banking: Securely exchange payment details between business applications using tokens instead of real account data.
  • Tokenization of any asset: The technology can be used to replace any confidential data — passport numbers, medical records — anywhere data needs to be used but cannot be compromised.

Conclusion: Invisible Armor for Digital Life

Tokenization is a rare case where a security technology doesn't simply add a new step, but fundamentally changes the rules of the game, making the attack itself pointless. It recognizes a simple fact: we can't guarantee that data will never leak. But we can guarantee that leaked data will be worthless.

We're moving from an era where the value was the card number itself to an era where the value is the right to use a token, verified by our face, fingerprint, or trusted device.

Every time you pay for a purchase with a tap of your phone or use a disposable number from a banking app, you reap the benefits of this quiet revolution. Your real PAN remains absolutely secure, protected by layers of cryptography and an architecture that's orders of magnitude harder to hack than the database of a random online store. Tokenization doesn't ask you to be vigilant — it simply makes the world secure by default. And that's its greatest strength.