Definition
Detokenization is the process of retrieving an original sensitive value – typically a Primary Account Number (PAN) – from its token representation. It is the reverse of tokenization: while tokenization replaces a PAN with a token, detokenization recovers the original PAN from the token.
When Detokenization is Required
Refunds and disputes: Some acquirers require the original PAN to process a refund or submit a chargeback response
Regulatory requests: Fraud investigations or legal proceedings may require access to original card data
Token migration: When moving from one vault provider to another, the original PANs must be retrieved to re-tokenize them in the new vault
Network token requests: When requesting a Visa or Mastercard network token, the vault uses the original PAN as the input
Who Can Perform Detokenization
Detokenization is a highly privileged operation. In a well-architected vault environment, only the vault service itself can detokenize – and only under explicit, policy-controlled conditions. Merchants never directly access the PAN; instead, they request specific actions (e.g. submit a refund to acquirer X) and the vault performs the detokenization internally.
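The action-based pattern described above, as an added illustration that is not code from the original page: a hypothetical in-memory vault whose merchant-facing entry point accepts a token and an action, detokenizes internally under a purpose allow-list, records every PAN access, and returns only the acquirer response. The token format, policy names and acquirer stub are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical vault written for this illustration; the purpose allow-list
# mirrors the "when detokenization is required" cases above (assumption).
ALLOWED_PURPOSES = {"refund", "chargeback_response", "network_token_request"}


@dataclass
class Vault:
    _store: dict = field(default_factory=dict)   # token -> PAN, vault-internal only
    audit_log: list = field(default_factory=list)

    def tokenize(self, pan: str) -> str:
        # Random, non-derivable token; the PAN never leaves this object afterwards.
        token = "tok_" + secrets.token_hex(8)
        self._store[token] = pan
        return token

    def _detokenize(self, token: str, purpose: str, requester: str) -> str:
        # Policy check: every detokenization is tied to an approved purpose
        # and written to the audit log, so each PAN access is attributable.
        if purpose not in ALLOWED_PURPOSES:
            raise PermissionError(f"detokenization not permitted for '{purpose}'")
        pan = self._store[token]
        self.audit_log.append((requester, token, purpose))
        return pan

    def perform_action(self, requester: str, action: str, token: str, acquirer: str) -> dict:
        """Merchant-facing entry point: caller supplies a token and an action;
        only the acquirer's response comes back, never the PAN itself."""
        pan = self._detokenize(token, action, requester)
        return _send_to_acquirer(acquirer, action, pan)


def _send_to_acquirer(acquirer: str, action: str, pan: str) -> dict:
    # Stub standing in for the acquirer integration, which is the only
    # component here that handles the clear PAN (and so sits in PCI DSS scope).
    # The response carries a reference and a first-6/last-4 mask, not the PAN.
    ref = hashlib.sha256(f"{acquirer}:{action}:{pan}".encode()).hexdigest()[:12]
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"acquirer": acquirer, "action": action, "reference": ref, "masked_pan": masked}
```

A request for a purpose outside the allow-list (for example a bulk "export") is refused before any lookup happens and leaves no audit entry, while the merchant's own code only ever holds the token and the masked response.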
Detokenization and PCI DSS
Any system that receives a detokenized PAN falls within PCI DSS scope. For this reason, well-designed vaulting architectures minimize or eliminate scenarios where the merchant's own systems need to detokenize. All acquirer-facing operations that require the PAN are performed by the vault, keeping the merchant's infrastructure token-only.