In May 2024, Ticketmaster confirmed that hackers had siphoned personal and payment data tied to roughly 560 million customer records. The breach followed a depressingly familiar script: attackers found a way into a company’s cloud storage, copied a trove of card numbers, and the stolen data surfaced for sale on a dark-web forum within weeks. For the cardholders caught up in it, the drill was the same one consumers have repeated since the Target breach of 2013: cancel the card, wait for a replacement, update every subscription.
The payments industry has spent the last decade engineering a way off that treadmill. The fix is called tokenization, and by mid-2026 it is embedded in most of the places Americans already pay online, even if the majority of shoppers have never heard the term.
How tokenization actually works
The idea is deceptively simple. When you check out at a participating merchant or tap “pay” inside a mobile wallet, the payment network intercepts your real 16-digit card number before it ever reaches the retailer. In its place, the card-issuing bank generates a unique numeric alias, called a token, that is valid only for that specific transaction, device, or merchant relationship. The token travels through the authorization network exactly the way a normal card number would, but if a hacker later breaks into the merchant’s database, all they find is a string of digits that cannot be reused anywhere else.
Visa formalized the approach with its Visa Token Service (VTS), built on the EMVCo tokenization specification that the four major U.S. networks developed jointly. Every token request routes through the card-issuing bank, which decides in real time whether to approve the transaction and mints the replacement number on the spot. Because the issuer controls both creation and validation, a copied token is worthless at a different merchant or on a later date.
Mastercard launched its parallel system, the Mastercard Digital Enablement Service (MDES), on the same EMVCo framework. American Express and Discover built their own token platforms as well. The shared standard means a single checkout integration can support tokens from all four networks, which has been a major driver of merchant adoption.
The scale is no longer experimental. Visa disclosed in its fiscal-year 2024 earnings materials that more than 10 billion tokens had been provisioned globally across wallets, merchants, and connected devices. Mastercard has reported similar momentum, noting that tokenized transactions now account for a growing majority of its e-commerce volume.
Where consumers already encounter it
If you have ever paid with Apple Pay, Google Pay, or Samsung Pay, your transaction was tokenized. Each of those wallets stores a device-specific token rather than your actual card number, which is one reason losing your phone is far less dangerous than losing a physical card. The token on the device is cryptographically locked to that hardware and cannot be cloned onto another phone.
Beyond mobile wallets, several large issuers have built virtual-card-number generators directly into their banking apps. Capital One’s Eno browser extension creates a unique virtual number for each online merchant, so your real card number never touches the retailer’s system. Citi has offered virtual account numbers through its online portal, though availability has varied by card product and the feature has been scaled back for some accounts. Chase has introduced virtual card numbers for select products, though the rollout remains limited compared to Capital One’s broader implementation.
A newer layer sits on top of all of this: Click to Pay, the EMVCo-backed guest-checkout experience that Visa, Mastercard, American Express, and Discover have been pushing aggressively since 2024. When a shopper uses Click to Pay on a participating site, the system tokenizes the transaction behind the scenes without requiring the consumer to type in a full card number at all. It is designed to replace the old “card number in a form field” model entirely, and major merchants including Nike, Lululemon, and several airline booking engines have adopted it.
The net effect: a large and growing share of online card transactions in the United States now flows through some form of tokenization, whether the shopper actively chose it or the wallet handled it automatically.
What tokenization does and does not prevent
Tokenization is engineered to neutralize one specific threat: the mass theft of stored card numbers from a merchant’s servers. In that scenario, the stolen tokens are expired or merchant-locked and therefore useless, which removes the incentive for attackers to target retailer databases in the first place.
It does not, however, stop every kind of card fraud. A phishing email that tricks you into entering your real card number on a fake checkout page bypasses tokenization entirely, because the criminal captures the actual credentials before the token layer ever activates. Social-engineering attacks, account-takeover schemes, and fraud committed by someone who physically possesses your card are all outside the scope of what a token can block.
Visa has published data suggesting that tokenized transactions see significantly lower fraud rates than traditional card-not-present transactions. In investor presentations, the company has attributed this partly to the token itself and partly to the stronger authentication that typically accompanies it: biometric verification or a one-time passcode when a card is first added to a wallet or device. The combination of a disposable credential and a verified identity check covers more of the fraud surface than either measure alone.
Still, no issuer has released a fully audited, before-and-after breakdown isolating tokenization’s effect from other anti-fraud improvements deployed over the same period. The directional evidence is strong, but precise numbers remain proprietary.
The subscription wrinkle and other practical gaps
Services that bill monthly need a persistent credential, not a single-use token. Networks handle this with “card-on-file” tokens that are tied to a specific merchant and can be reused for recurring charges but are still worthless if stolen and presented elsewhere. For consumers, this creates a convenience that can cut both ways: if you cancel a card and receive a new number, the token mapping can be updated behind the scenes through a process Visa calls “account updater.” Your Netflix subscription keeps working without interruption, which is great, but it can also make it harder to intentionally cut off a merchant you no longer want to pay. If you need to stop a recurring charge, contact the merchant directly or ask your issuer to block that specific token.
Chargebacks and disputes work the same way with tokenized transactions as with traditional ones. The issuer holds the mapping between the token and your real account, so when you contest a charge, the bank can trace it back without any extra steps on your part.
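The merchant-locked token described under "How tokenization actually works" and the card-on-file behavior above (the account-updater remap and an issuer-side block of one token) can be modeled in a few lines. This is an added sketch, not code from any network or issuer and not the VTS, MDES, or EMVCo interface; `TokenVault`, its method names, the merchant labels, and both card numbers are hypothetical and constructed for illustration.

```python
"""Toy issuer-side token vault: a simplified model, not a network API."""
import secrets

class TokenVault:
    """Maps merchant-bound tokens to the real card number (hypothetical)."""
    def __init__(self):
        self._tokens = {}  # token -> {"pan", "merchant", "active"}

    def provision(self, pan, merchant):
        """Mint a random 16-digit alias that is locked to one merchant."""
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._tokens:
                break
        self._tokens[token] = {"pan": pan, "merchant": merchant, "active": True}
        return token

    def authorize(self, token, merchant):
        """Return (approved, reason); the card number never leaves the vault."""
        entry = self._tokens.get(token)
        if entry is None:
            return False, "unknown_token"
        if not entry["active"]:
            return False, "token_blocked"
        if entry["merchant"] != merchant:
            return False, "merchant_mismatch"  # stolen token replayed elsewhere
        return True, "approved"

    def reissue_card(self, old_pan, new_pan):
        """Account-updater style remap: tokens survive a card replacement."""
        hits = [e for e in self._tokens.values() if e["pan"] == old_pan]
        for e in hits:
            e["pan"] = new_pan
        return len(hits)

    def block(self, token):
        self._tokens[token]["active"] = False  # issuer cuts off this one token

def demo():
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real account
    tok = vault.provision(pan, "streaming-service")
    out = {"home": vault.authorize(tok, "streaming-service"),
           "replayed": vault.authorize(tok, "other-shop"),
           "remapped": vault.reissue_card(pan, "4000000000000002")}
    out["after_reissue"] = vault.authorize(tok, "streaming-service")
    vault.block(tok)
    out["after_block"] = vault.authorize(tok, "streaming-service")
    return out
```

Calling `demo()` returns the outcome of each step: the token works at its own merchant, fails when presented elsewhere, keeps working after the card is reissued, and stops only once the issuer blocks it.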
The privacy trade-off no one talks about
Because the issuing bank and the network hold the mapping between every token and the real account, they gain a detailed, merchant-level view of a cardholder’s online spending. Visa’s and Mastercard’s published materials describe this data as a fraud-prevention tool, but neither network has issued a standalone policy explicitly ruling out its use for marketing analytics, ad targeting, or credit-risk modeling.
This matters in the context of the Consumer Financial Protection Bureau’s Section 1033 open-banking rule, finalized in late 2024, which establishes consumers’ rights to access and control their financial data. The rule focuses on data portability rather than tokenization specifically, but consumer-advocacy groups have argued that the granular transaction data generated by token systems should be subject to the same transparency and consent requirements. As of June 2026, no specific regulation targeting tokenization data has been proposed, but the regulatory conversation is active and worth watching.
How to put tokenization to work for you today
You do not need to wait for regulators or the industry to sort out every open question. A few concrete steps put the technology to work immediately:
- Default to a mobile wallet at checkout. Apple Pay, Google Pay, and Samsung Pay tokenize every transaction automatically. If a retailer accepts contactless or in-app payments, choosing the wallet over manual card entry gives you the protection without any extra effort.
- Use Click to Pay when you see it. On sites that support the EMVCo guest-checkout experience, Click to Pay tokenizes your card behind the scenes and eliminates the need to type your full number into a form field.
- Check whether your issuer offers virtual card numbers. Capital One’s Eno extension is the most mature option, but other issuers are expanding their offerings. Use a disposable number for any merchant you do not fully trust or any one-time purchase.
- Turn on real-time transaction alerts. Even with tokenization, instant notifications let you spot unauthorized charges within minutes rather than days.
- Do not treat tokens as a complete defense. Keep your operating system and browser updated, use unique passwords for shopping accounts, and stay skeptical of emails or texts asking you to “verify” card details. Tokenization protects the card number in transit and at rest; it cannot protect you from handing your credentials to a convincing fake.
Why your real card number should stay in your wallet
Tokenization is not going to eliminate card fraud. Phishing, account takeovers, and old-fashioned social engineering will persist as long as humans are involved in the payment chain. What tokenization does is remove the single largest prize that has fueled mass breaches for more than a decade: the merchant database full of reusable card numbers.
The technology has moved well past the pilot stage. It is the default behavior inside the wallets and banking apps that millions of Americans already use, and the rollout of Click to Pay is extending it to ordinary web checkout forms. For consumers, the practical takeaway is straightforward: every time you have the option to pay with a wallet, a virtual card number, or Click to Pay instead of typing your real 16 digits into a form, take it. The fewer places your actual account number lives, the less damage any single breach can do.