Frequently Asked Question
What is the difference between “acquiring tokens”, “issuer tokens”, and “Payment Tokens”?
Each of these types of tokens replaces the PAN with an alternative or surrogate value.
Acquiring tokens are created by the acquirer, merchant, or a merchant’s service provider after the cardholder presents their PAN and/or other payment credentials. Acquiring tokenization solutions are proprietary and are not based on an industry-standard approach to token generation, format, request or provisioning. Acquiring Tokens cannot be used for new authorizations. They can be used for card-on-file and recurring payments. The PCI Tokenization Product Security Guidelines offers guidance on acquiring tokens.
Issuer tokens, also known as virtual card numbers, are created by issuers and provide the means to reduce risk in specific use cases, including commercial card applications, as well as consumer-oriented services. These tokens resemble the PAN, so merchants and acquirers are unlikely to know that they are using a token.
Payment tokens are created by TSPs that are registered with EMVCo. Payment Tokens and their usage are defined by EMVCo in the EMVCo Technical Framework. Payment Tokens are issued to a cardholder in lieu of a PAN, and the cardholder presents the Payment Token to the merchant when making a purchase. During a Payment Token transaction, the merchant and acquirer do not receive or have access to the corresponding PAN.
 U.S. Payments Security Evolution and Strategic Road Map. Developed by the working groups of the Payments Security Taskforce, December 11, 2014.