What is the difference between virtual cards and tokenized cards?

Image of virtual cards
Alengo courtesy of iStock
As new ways to pay proliferate — from digital wallets to cards that let you pay with cryptocurrency — it’s easy to get confused by the nuances between different payment instruments. In this post, we’ll explain how virtual cards differ from tokenized cards.

Virtual cards are regular payment cards reduced to their 16-digit primary account numbers (PAN). A fast and secure way to pay vendors and workers, virtual cards have been part of the payments landscape for almost twenty years. They were first developed in Dublin, Ireland by Orbiscom, a payment processing company that marketed them as “controlled payment numbers.” Unlike traditional regular payment cards, Orbiscom’s virtual cards could be limited to use at a specific merchant and set to expire after a limited number of transactions.

Over the years, virtual card controls have become more fine-grained. For example, virtual cards created on a modern card issuing platform come with dynamic spend controls that limit authorizations to specific timeframes, geolocations, amounts, merchant types, and more. These controls can also be adjusted as needed and in real time.

According to Juniper Research, the volume of virtual card transactions will rise from $1.6 trillion in 2020 to $5 trillion in 2025.

Like virtual cards, tokenized cards do not exist in a physical form. Unlike virtual cards, however, tokenized cards are not identified by a PAN. They are instead identified by a substitute string known as a token.

Both regular plastic and metal payment cards and virtual cards must be “tokenized” before they can be inserted into a digital wallet like Apple Pay, Google Pay, or Samsung Pay. Tokenization happens behind the scenes when consumers add cards to their digital wallets by entering their PAN or taking a picture of it. We explain how the PAN is replaced by a token in our guide Digital wallets, modern cards, and tokenization: what you need to know.

The advantage of tokenized cards is that they can be very difficult to misuse, even if they fall into the wrong hands.

Thanks to tokenization, your personal information is much less likely to be compromised when you use a digital wallet than when you pay with a regular credit card. That is because only the token is stored in the merchant’s database — your PAN remains protected.

While tokenization was introduced in support of digital wallets targeted at consumers, commercial enterprises have also begun tokenizing payments, both to increase security and as a way to provision cards directly to a digital wallet. Compared to encryption, which is another popular way to protect payment information, tokenization is low-cost, flexible, and offers end-to-end security.

Tokenization can also be combined with virtual cards for ultimate protection and control. A single-use virtual card that is authorized to pay a specific merchant a predetermined amount, and that is also tokenized to boot, has value only in the context of that one specific transaction. For firms with elevated security concerns, tokenized virtual cards may be the ideal way to pay.