Tokenisation 2.0: Are we ready for the next generation of payment security?

by James Hurren, data journalist, TPA

Tokenisation is now a core enabler of secure, interoperable digital payments—powering embedded finance, asset tokenisation, and evolving identity flows.

Once a system for masking sensitive data, tokenisation has evolved into a foundational technology for enabling secure, interoperable, and scalable digital payments. The growing prevalence of digital wallets, embedded finance, and increasingly complex payment ecosystems means tokenisation is no longer a tactical upgrade but a strategic imperative.

This foundational technology is reshaping how identity, consent, and value are managed in the digital economy, from safeguarding transactions to enabling new economic models. However, with its growing role comes increasing complexity, particularly in terms of integration, regulation, and the architecture of future payment flows.

The necessity of tokenisation in digital payments

The traditional view of tokenisation as a fraud mitigation tool is outdated. While still central to security, modern tokenisation addresses broader demands: interoperability across platforms, reduced operational costs, and improved customer experience. This shift is especially visible in the adoption of network tokenisation—a model introduced by major card networks like Visa and Mastercard, where card details are replaced with dynamic, network-managed tokens.

Antony Lane, sales account manager at G+D, corroborates this, stating G+D increasingly uses tokenisation to improve in-app provisioning, simplify lifecycle credential management, and personalise user journeys across devices and channels.

A 2024 Statista survey of 562 merchants worldwide found that 60% were using one or both of network and gateway tokenisation, demonstrating the prevalence of this technology in the industry. Unlike static gateway or acquirer tokens, network tokens adapt in real time to changes such as card reissuance or expiry, ensuring continuity in payment flows. For merchants, this means fewer failed transactions, reduced reliance on account updater tools, and lower churn rates, particularly in recurring billing models such as subscriptions.

Moreover, network tokenisation reduces the regulatory burden by eliminating the need to store sensitive card data, supporting Payment Card Industry Data Security Standard (PCI DSS) compliance and lowering the risk of data breaches. Many merchants also benefit from lower interchange and network fees for tokenised transactions, making it a cost-effective solution as well as a secure one.

Perhaps most critically, tokenisation enables interoperability, a prerequisite for any payment system that hopes to scale across borders, devices, and partners. In an era of API-first financial services and modular commerce, tokenisation provides the connective tissue between disparate systems, simplifying everything from customer onboarding to transaction orchestration.

Tokenisation and the embedded finance boom

Embedded finance is reshaping the consumer experience by integrating financial services into e-commerce platforms and apps. As a result, tokenisation is becoming essential for maintaining trust and fluidity. Whether enabling Buy Now, Pay Later (BNPL) services, digital wallets, or invisible checkouts, tokenisation ensures that sensitive credentials are protected without compromising speed or user experience.

In embedded ecosystems, payments are increasingly abstracted from the user. This places new pressure on back-end systems to manage token lifecycles, validate identities, and orchestrate consent across multiple entities. Tokenisation plays a critical role here—not only securing credentials but also simplifying their storage and reuse across different customer touchpoints.

Token frameworks can also accelerate partner integration. When onboarding new service providers, fintechs, or merchant partners, a token-based architecture allows for quicker, cleaner integration by decoupling sensitive data from transaction logic. This enables rapid scaling of new payment use cases, without duplicating risk exposure.

Moreover, as super apps and embedded ecosystems gain traction in emerging markets, tokenisation offers “a scalable security model that can flex with the complexity of multi-role, multi-wallet environments,” notes Christine Blattes, digital payments, at Thales. She argues that “the pan-centric model is no longer sustainable,” particularly as tokenisation enables “greater flexibility and interoperability,” giving consumers “more control and security over their payment transactions” and access to a wider range of options—“from virtual cards to branded mobile wallets.” This transformation is further accelerated by the rise of Passkey authentication, which, as Blattes put it, “enables secure and frictionless payments.” The traditional PAN is steadily becoming obsolete, a trend reflected in the growing use of numberless cards and online tools such as click to pay, which “enables one-click transactions without requiring card details.” In short, payment credentials are being redefined, with tokens moving to the forefront of secure, seamless transactions.

Beyond card payments: The rise of asset tokenisation

While network tokenisation optimises transaction security and scale, asset tokenisation redefines how value itself is represented and exchanged. Using blockchain infrastructure, real-world assets (RWAs) – such as real estate, equity, and intellectual property – can be digitised, fractionalised, and traded globally with greater transparency and efficiency.

Asset tokenisation consolidates multiple functions into a single distributed ledger, including issuance, trading, settlement, and custody. This reduces reliance on fragmented systems and enables new forms of liquidity for previously illiquid assets. For instance, a retail investor in Singapore could feasibly purchase a tokenised share of a New York building without navigating traditional legal, regulatory, or technological barriers.

This is what distinguishes tokenisation from being solely a security measure: its enabling of cross-border capital flows, fractional ownership models, and financial inclusion. It also introduces new expectations for transparency, as blockchain-based token records can provide investors with full visibility into asset histories, rights, and performance.

Ignacio Gironella Merino, head of sales Europe at Paymentology and global sales director at MeaWallet at Paymentology, notes how tokenisation has evolved from a defensive security measure into the backbone of modern payments architecture: “It’s enabling a fundamental rethink of how credentials, identity, and value move through digital commerce, underpinning everything from digital wallets to subscription services. Increasingly, it determines which institutions can compete in a token-driven ecosystem.”

It remains to be seen whether network and asset tokenisation remain distinct technical paradigms or eventually converge into a unified architecture that supports both transactional and representational value. While the technologies differ today, the long-term trajectory may hinge on standardisation, regulatory harmonisation, and shared infrastructure.

Regulatory considerations and data sovereignty

As tokenisation plays an increasingly central role in payments infrastructure, it has drawn attention from regulators. Frameworks like the Third Payment Services Directive (PSD3) in Europe, FedNow in the US, and ISO 20022 globally are reshaping how financial data is handled, mandating clearer rules on token lifecycle management, consent orchestration, and data portability.

Suddepta Das, director at Cohesive Architecture, notes the impact of each of the frameworks above:

  • PSD3 places greater emphasis on security, transparency, and control. This means tokenisation isn’t just about protecting data anymore—it’s also about giving consumers more visibility into how their payment credentials are used, and ensuring providers can demonstrate compliance at every step.
  • With FedNow enabling instant payments in the US, speed and reliability become non-negotiable. This influences how we manage token lifecycle events—like creation, refresh, or revocation—in real time, without slowing down the transaction. Tokens need to support high availability and consistent behaviour across systems that may settle in seconds, not days.
  • ISO 20022 encourages richer data exchange between financial institutions, and this also extends to tokens. As the ecosystem moves toward structured, standardised messaging, tokens must be able to carry—or at least work alongside—additional metadata, such as transaction purpose or customer identifier.

Tokenisation must also contend with data sovereignty laws that dictate where data can be stored, processed, and transferred. This is particularly relevant for cross-border tokens, which may represent users or assets that span multiple jurisdictions. For businesses, this introduces both a technical and legal challenge: how to design token systems that are compliant by default.

Global standard-setting bodies such as EMVCo have begun aligning specifications to ensure token interoperability across issuers, acquirers, and networks. However, gaps remain, particularly where national regulations exceed international norms. As such, enterprises deploying tokenisation at scale must invest in governance frameworks that can adapt dynamically to shifting compliance requirements.

As tokenisation volumes surge, financial institutions must grapple with more than just compliance; they face structural challenges in scaling data infrastructure to handle real-time, tokenised transactions across ecosystems.

Srinivasan notes that 35% of in-store and online transactions were processed via tokens in 2024, and that figure is expected to rise to 50% in 2025. Consequently, financial institutions are facing a surge in both the volume and variety of data they must manage. “This growth not only puts pressure on their existing systems, which, while reliable, must adapt to handle greater volumes and enable real-time transaction processing, but also demands ongoing compliance with evolving regulatory mandates aimed at enhancing both customer experience and security.”

Rethinking identity in a token-based future

With tokenisation becoming integral to modern payments infrastructure, its role in identity management is expanding. Traditionally, identity verification and credential storage were separate from payment processes. Now, these elements are increasingly being tokenised themselves, from identity documents to biometric consent trails.

As card networks like Mastercard and Visa push forward with mandates to eliminate manual entry and password authentication, regulatory frameworks are expected to follow suit. In light of this, Gironella Merino sees tokenisation as inevitable: “Major card networks are making tokenisation mandatory, and leading organisations—from banks to tech platforms—are embedding tokenisation to deliver faster, safer, and more seamless payment experiences. Those that delay risk falling behind in an ecosystem that increasingly demands token-native infrastructure.”

Emerging technologies, such as oracles and verifiable credentials, are enabling more sophisticated identity flows, particularly in blockchain-based environments. Oracles can feed real-time, verified data into token ecosystems, ensuring integrity without centralising trust. This enables payment systems to manage both on-chain and off-chain identity events, supporting high-assurance use cases such as digital ID-linked payments or KYC-compliant wallet onboarding.

Federated and decentralised identity frameworks also benefit from tokenisation, which can enable secure, consent-based sharing of identity attributes without exposing the underlying data. This model holds particular promise in real-time payments and open banking environments, where data minimisation and user control are top priorities.

Challenges and the road ahead

Despite the promise, significant challenges remain. Interoperability across token systems—network-issued, blockchain-based, or proprietary—remains uneven. Merchants and payment service providers often juggle multiple token formats and platforms, adding complexity to reconciliation, reporting, and compliance.

Das considers token compatibility one of the biggest issues in the market today. “It often goes unnoticed during regular operations but becomes a major operational challenge during business continuity or disaster recovery (DR) scenarios. While many ecosystem players promote their tokens as the best solution, especially for handling PSP failures, the reality is more complex. The further ‘left’ a token provider sits in the payment flow (closer to the cardholder or issuing bank), the greater the vendor lock-in. This makes it harder for businesses to switch providers later.”

Legacy infrastructure is another barrier. Many firms still operate on systems that weren’t designed with tokenisation in mind, requiring costly upgrades or middleware solutions. Education gaps also persist, not just among consumers but within organisations that struggle to frame tokenisation as more than just a technical feature.

Lastly, regulatory uncertainty continues to hamper more ambitious use cases, particularly in asset tokenisation. Until clearer guidance emerges on the legal status, custody, and redemption of digital assets, adoption will likely be fragmented and experimental.

Recognising the varied challenges of implementing tokenisation across multiple payment partners or geographies, Lane says, “Scaling tokenisation often requires harmonising APIs, supporting scheme certifications, and integrating with both global and domestic token service providers. Local compliance standards, such as data residency rules or customer consent regulations, further shape these efforts.”

Defining tokenisation 2.0

Where tokenisation conventionally focused on protecting card data in siloed systems, new applications of tokenisation address:

  • Interoperability across payment rails, ecosystems, and platforms
  • Orchestrated identity and consent at the transaction level
  • Programmable and composable tokens that represent not just payment credentials, but real-world and digital assets
  • Scalability in embedded finance, where tokens manage trust across multiple parties and systems in real time

This evolution reflects the growing need for tokenisation to support new business models, comply with evolving regulations, and embed security directly into the payment experience. On the development of tokenisation technology, Lane believes asset tokenisation and network tokenisation will ultimately converge into a unified architecture: “As digital identity, secure value exchange, and authentication frameworks mature, both domains will increasingly rely on shared infrastructures for verification, consent management, and interoperability. This is particularly relevant as central banks, fintechs, and platforms move toward integrated digital wallets that manage credentials, assets, and authorisation flows in one place.”

Das disagrees, citing the very different purposes for which asset tokenisation and network tokenisation are built. “Network tokenisation focuses on securing payment credentials—it’s about security, continuity, and compliance in day-to-day transactions. Asset tokenisation focuses on turning real-world or digital assets into digital tokens that can be owned, traded, or programmed with rules. It’s used more in the context of decentralised finance (DeFi), blockchain infrastructure, and capital markets.”

Readiness as a competitive advantage

Tokenisation 2.0 is integral to the architecture of modern payments. Whether enabling seamless embedded finance, unlocking asset liquidity, or navigating increasingly complex identity flows, tokenisation has become the infrastructure layer through which value, data, and trust flow.

Firms that treat tokenisation as a strategic enabler—rather than just a compliance checkbox—will be best positioned to scale securely, integrate rapidly, and adapt confidently to the future of digital payments.
