Qraft

Tokenization

Tokenization replaces sensitive data (card numbers, account numbers) with random strings (tokens) that cannot be reverse-engineered into the original data. The token-to-data mapping exists only on secure token servers.

In QR code payments, the displayed QR code contains a temporary token, not actual card numbers. The POS reads the token, sends it through the payment network, and the token server converts it to the real card number for processing.

Even if a QR code is photographed or a screenshot leaks, the token cannot be used to recover the card number. Time-limited tokens prevent reuse of expired QR codes.

Unlike encryption, which is reversible with the key, a token has no mathematical relationship to the original data. Systems handling only tokens can be excluded from PCI DSS scope, significantly reducing compliance costs.
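The sketch below is an added example, not code from Qraft or any payment network: a minimal in-memory token server showing the two properties described above, tokens drawn from a random source rather than derived from the card number, and a time limit after which a token no longer resolves. The class name TokenVault, the 60-second lifetime and the test card number are assumptions made for illustration.

```python
import secrets
import time


class TokenVault:
    """Hypothetical token server: the only place the token-to-card mapping lives."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested offline
        self._store = {}             # token -> (card_number, expiry_time)

    def tokenize(self, card_number):
        # The token comes from the OS CSPRNG and is not computed from the
        # card number, so no key or algorithm can turn it back into the number.
        token = secrets.token_urlsafe(16)
        self._store[token] = (card_number, self._clock() + self._ttl)
        return token

    def detokenize(self, token):
        entry = self._store.get(token)
        if entry is None:
            return None              # unknown token: nothing to recover
        card_number, expiry = entry
        if self._clock() >= expiry:
            del self._store[token]   # expired QR code: purge and refuse
            return None
        return card_number


def demo():
    now = [1000.0]                   # constructed clock value for the example
    vault = TokenVault(ttl_seconds=60, clock=lambda: now[0])
    pan = "4111111111111111"         # constructed test card number
    t1 = vault.tokenize(pan)         # token placed in the first QR code
    t2 = vault.tokenize(pan)         # same card, second QR code
    fresh = vault.detokenize(t1)     # POS submits the token within the window
    now[0] += 61                     # a leaked screenshot is replayed later
    expired = vault.detokenize(t1)
    return t1, t2, fresh, expired


if __name__ == "__main__":
    t1, t2, fresh, expired = demo()
    print("tokens differ:", t1 != t2, "| fresh ok:", fresh is not None,
          "| expired:", expired)
```

Only the vault ever holds the card number; the QR code, the POS and anything that logs the token see a value that is useless once the lifetime has passed.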