For years, high-risk merchants have been caught in a bind. They need to process card payments at scale, but regulators, acquirers, and card schemes view them with suspicion. The result is higher fees, rolling reserves, and stricter fraud thresholds. Against this backdrop, tokenisation has emerged as both a shield and, some would argue, a leash. It promises stronger security, reduced compliance headaches, and smoother transactions. Yet it also ties merchants more tightly to the very institutions that profit from their dependence.
Why does tokenisation matter now?
At its core, tokenisation replaces a customer’s card number with a surrogate value. That value — the token — is useless if stolen, because only the secure vault can map it back to the real card data. For high-risk merchants, this shift means fewer systems fall under PCI DSS scope, and the chances of a breach making headlines are reduced.
But timing matters. Tokenisation has grown more central since the rollout of PCI DSS v4.0 and the FCA’s enforcement of Strong Customer Authentication (SCA). Merchants in sectors like gaming, nutraceuticals, and travel face more rigorous checks, but also greater exposure to fraud attempts. For them, tokens are less a luxury and more a survival mechanism.
How does it actually work?
The mechanics are straightforward. A customer submits their card details, which are immediately swapped for a token by a secure service. That token is then stored by the merchant and reused for future billing — whether that’s subscriptions, retries, or one-click checkout. At the moment of authorisation, the token is translated back into the card number within a controlled environment, away from the merchant’s own systems.
What makes this transformative in high-risk contexts is the reduction of liability. By ensuring raw card numbers never touch the merchant’s servers, the scope of a PCI audit narrows dramatically. In practice, this can mean moving from hundreds of system components under review to just a handful.
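A minimal model of that flow, added here as an illustration rather than code from the article or from any provider: the merchant tier holds only a random token and the last four digits, the vault holds the PAN, and de-tokenisation is restricted to an allow-listed authorisation service and written to an audit log. The vault class, the service names and the test PAN are constructed assumptions.

```python
import secrets
from dataclasses import dataclass, field

def luhn_ok(pan: str) -> bool:
    """Luhn check so a mistyped PAN is rejected before it reaches the vault."""
    if not (pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Vault:
    """Simplified vault (assumed design): the PAN lives only here; a real vault encrypts it at rest."""
    detokenise_allowed: set = field(default_factory=lambda: {"authorisation-service"})
    _by_token: dict = field(default_factory=dict)
    _by_pan: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def tokenise(self, pan: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid PAN")
        token = self._by_pan.get(pan)  # stable per PAN, so rebills reuse the same token
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)  # random surrogate: carries no card data
            self._by_pan[pan], self._by_token[token] = token, pan
        return {"token": token, "last4": pan[-4:]}  # all the merchant tier ever stores

    def detokenise(self, token: str, caller: str) -> str:
        """Only the allow-listed authorisation tier may map a token back; every attempt is logged."""
        allowed = caller in self.detokenise_allowed and token in self._by_token
        self.audit.append({"caller": caller, "token": token, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{caller} may not de-tokenise")
        return self._by_token[token]

def demo() -> dict:
    """Constructed flow: tokenise at checkout, rebill, then show only the authorisation tier can reverse it."""
    vault, pan = Vault(), "4111111111111111"  # constructed test PAN, passes Luhn
    first, rebill = vault.tokenise(pan), vault.tokenise(pan)
    recovered = vault.detokenise(first["token"], caller="authorisation-service")
    try:
        vault.detokenise(first["token"], caller="merchant-web-app")
        blocked = False
    except PermissionError:
        blocked = True
    return {"same_token": first["token"] == rebill["token"], "pan_recovered": recovered == pan,
            "merchant_blocked": blocked, "audit_entries": len(vault.audit)}
```

The audit list is what a PCI assessor would expect to see for any component able to de-tokenise: both the permitted call and the refused one appear in it.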
Two worlds of tokenisation
Not all tokens are alike, and merchants need to understand the distinction.
- Vault-based tokens: Provided by acquirers or payment gateways, these are the most common. They are simple to deploy, cheap to start with, and help merchants offload compliance. Yet they come with a catch: portability. If you want to change providers, moving your token set can be slow, costly, or simply blocked by contract. In an industry already prone to frozen accounts, that dependency can be dangerous.
- Network (EMV) tokens: Issued at the scheme level, these follow EMVCo standards and flow seamlessly through the payment ecosystem. They can survive card reissuance, improving approval rates, and can be tied to specific merchants or devices. The advantage is resilience; the drawback is deeper entanglement with the schemes. Merchants gain stability but at the cost of greater exposure to scheme fees — fees which UK regulators have already criticised as opaque and steadily rising.

The promise versus the reality
Supporters of tokenisation highlight real benefits:
- Higher approval rates, particularly with network tokens that adapt when banks reissue cards.
- Lower fraud risks, since stolen tokens are often worthless outside their original context.
- Operational continuity, where outages at one acquirer can be offset by rerouting token traffic to another.
Yet the narrative is not entirely rosy. Many merchants report that while tokenisation reduces their compliance burden, it strengthens the hand of providers. Tokens become the glue that keeps clients locked into contracts — hard to migrate, harder to negotiate against. In some cases, providers have treated token migration as a premium service, effectively monetising the merchant’s own customer base.
This tension illustrates the broader paradox: tokenisation both empowers and constrains. It improves resilience but also centralises control in the hands of those who already dominate payment rails.
Key advantages for high-risk merchants
Certain use cases stand out:
- Recurring billing models: From digital subscriptions to membership platforms, tokens allow for secure, frictionless repeat payments.
- Large-ticket purchases: High average order values attract scrutiny; tokenisation provides a compliance buffer that reassures acquirers.
- Global expansion: Merchants operating across multiple markets can route tokenised transactions via several acquirers, optimising for approval rates.
Still, tokenisation does little to resolve the most common pain points for high-risk merchants: chargebacks and disputes. A secure transaction can still be reversed if a customer contests it. In this sense, tokenisation addresses only part of the risk profile.
Compliance and governance
Tokenisation sits neatly within PCI DSS v4.0, reducing the amount of cardholder data in scope. But the obligations do not vanish: any system that can de-tokenise remains high-risk, requiring robust logging, access controls, and audits.
From a privacy perspective, UK GDPR treats tokens as pseudonymised data. They are still personal data if linkable back to an individual, which means the usual duties of data minimisation, lawful basis and secure international transfers apply. For merchants already juggling AML, sanctions screening, and scheme monitoring, token governance becomes yet another compliance layer to manage.
The cost question
The Payment Systems Regulator has already warned that card scheme and processing fees are rising disproportionately, with little transparency. Tokenisation, particularly at the network level, risks becoming another lever for schemes to extract value. While merchants gain from improved approvals, they also face costs buried in interchange adjustments or “value-added” service fees. In an environment where small retailers already feel overcharged, tokenisation may entrench the imbalance further.
What merchants should aim for
To make tokenisation work on their terms, merchants in high-risk sectors should demand:
- Portability clauses in contracts, ensuring that tokens can be exported without punitive charges.
- Clear disclosure of any scheme or network token fees.
- Resilience commitments, including migration support if a provider exits the market.
- Transparency on where vaults are hosted, and which parties act as controllers or processors under UK GDPR.
Merchants should also challenge the assumption that tokenisation is a silver bullet. It is a powerful tool, but only one piece of a broader strategy that must include dispute handling, clear billing descriptors, and responsive customer support.

Long-term perspective
Tokenisation is not going away. If anything, its role will deepen as regulators push for stronger consumer protection and acquirers seek to reduce their own exposure. For high-risk merchants, the key is to embrace tokenisation without surrendering control. That means reading contracts carefully, pushing back on one-sided terms, and treating tokens as both an asset and a potential liability.
In the end, tokenisation reflects the broader story of payments: every new layer of protection can also become a new point of dependency. High-risk merchants have little choice but to adopt it — the challenge is ensuring it serves their interests as much as it serves those of their providers.
Disclaimer
Widelia and its affiliates do not provide tax, investment, legal, or accounting advice. Material on this page has been prepared for information purposes only, and is not intended to provide, and should not be relied on for, tax, investment, legal or accounting advice. You should consult your own tax, legal and accounting advisors before engaging in any transaction. Please consult https://widelia.com/disclaimer/ for more information.
