Payment security: PCI DSS, tokenization, and 3D Secure — what merchants need to know
Three acronyms sit at the heart of payment security. Most merchants hear them constantly and understand none of them properly. This guide fixes that.
Why payment security affects your P&L
Payment security feels like an IT problem — until it hits your bank account. A single card-data breach at a small business carries average remediation costs of ₹15–40 lakh, before fines. Merchants found non-compliant with PCI DSS can face card-network penalties between $5,000 and $100,000 per month. And chargebacks above 1% can permanently flag your account as high-risk, raising your processing rates across the board.
The three frameworks below each protect a different layer. Understanding them together is the difference between compliance-as-checkbox and security-as-strategy.

PCI DSS: the compliance baseline
PCI DSS (Payment Card Industry Data Security Standard) is a set of technical and operational requirements maintained by the PCI Security Standards Council, which was founded by Visa, Mastercard, American Express, Discover and JCB, to protect cardholder data wherever it is stored, processed or transmitted. It is not a law, but non-compliance carries real financial consequences enforced through your acquirer and the card networks. Scope is every system that touches cardholder data plus anything connected to those systems, which is why the cheapest compliance strategy is to keep card data out of your environment altogether. The current version is PCI DSS v4.0 (revised as v4.0.1 in June 2024): v3.2.1 was retired on 31 March 2024, and the requirements v4.0 had marked as future-dated became mandatory on 31 March 2025.

Tokenization: replacing card data with a useless substitute
Tokenization substitutes the real card number (PAN) with a surrogate value, a token, that is generated in the provider's vault either at random or by a keyed function. Because the token is not derived from the PAN by any unkeyed or guessable rule, knowing the token tells an attacker nothing about the card, and the only way back to the PAN is the vault's own mapping. In a hosted-page or provider-served iframe integration the PAN travels straight from the customer's browser to the vault and never touches your servers; all you store is the token plus display data such as the BIN, last four digits and brand. Two caveats: a plain hash of the PAN is not a token (once the BIN and last four are known, the remaining digits are few enough to brute-force), and a token is still a credential within your own merchant account, so access to tokens and to the API keys that use them must be protected even though the token cannot be cashed out anywhere else.
There are three types: gateway tokens (issued by your provider, used for saved cards and recurring billing, but not portable between gateways), network tokens (issued by Visa/Mastercard through their token services and bound to a token requestor, so they are portable only when you, rather than your gateway, hold the token requestor ID; they auto-update when the card is reissued and typically yield 2–4% higher authorisation rates), and device tokens (Apple Pay / Google Pay: the card number provisioned on the device is itself a network token, the merchant never sees the underlying PAN, and each payment cryptogram is generated only after the device authenticates the user by biometric or passcode).
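As an added example (not ToucanPay code and not any provider's actual vault), the following Python contrasts the anti-pattern of using an unkeyed hash as a "token" with a random vault token. The brute-force half shows why the hash fails: with the BIN and last four digits known and one more digit pinned by the Luhn check, a 16-digit PAN has only 100,000 candidates. The vault class, the `tok_` prefix and the test PAN 4111 1111 1111 1111 are constructed for illustration; a real vault encrypts PANs under HSM-held keys rather than holding them in a dictionary.

```python
import hashlib
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _luhn_weight(d: int, doubled: bool) -> int:
    """Contribution of one digit to the Luhn sum."""
    if doubled:
        d *= 2
        if d > 9:
            d -= 9
    return d


def luhn_ok(pan: str) -> bool:
    """Luhn check (ISO/IEC 7812): every second digit from the right is doubled."""
    n = len(pan)
    total = sum(_luhn_weight(int(ch), (n - 1 - i) % 2 == 1) for i, ch in enumerate(pan))
    return total % 10 == 0


def solve_luhn_digit(template: str, pos: int) -> str:
    """Return the digit at index `pos` that makes `template` pass Luhn with the other digits fixed.
    Luhn weights permute 0-9, so exactly one digit works."""
    n = len(template)
    rest = sum(_luhn_weight(int(ch), (n - 1 - i) % 2 == 1)
               for i, ch in enumerate(template) if i != pos)
    for d in range(10):
        if (rest + _luhn_weight(d, (n - 1 - pos) % 2 == 1)) % 10 == 0:
            return str(d)
    raise AssertionError("unreachable: Luhn weights are a permutation of 0-9")


# --- Anti-pattern: an unkeyed hash of the PAN is not a token -------------------------

def hash_pseudo_token(pan: str) -> str:
    """Looks opaque, but is a deterministic function of a very small input space."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest: str, bin6: str, last4: str, length: int = 16) -> Optional[str]:
    """Attacker's view: BIN (first 6) and last4 are routinely stored and displayed, and Luhn
    determines one more digit, so a 16-digit PAN leaves only 10**5 candidates to hash."""
    free = length - 6 - 4 - 1          # middle digits not fixed by BIN, last4 or Luhn
    pos = length - 4 - 1               # index of the digit we let Luhn decide
    for digits in itertools.product("0123456789", repeat=free):
        template = bin6 + "".join(digits) + "0" + last4
        candidate = template[:pos] + solve_luhn_digit(template, pos) + template[pos + 1:]
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


# --- Vault tokenization: random surrogate, PAN lives only in the vault ---------------

@dataclass
class TokenVault:
    """Hypothetical provider-side vault. The token carries no information about the PAN;
    the only way back is this mapping, which the merchant never holds."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        token = self._token_by_pan.get(pan)
        if token is None:                               # same card -> same token, for recurring billing
            token = "tok_" + secrets.token_urlsafe(24)  # 192 random bits, not derived from the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        # Everything the merchant is allowed to keep: the token plus non-sensitive display data
        return {"token": token, "bin": pan[:6], "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the provider calls this, at authorisation time."""
        return self._pan_by_token[token]


def merchant_record(customer_id: str, vault_response: dict) -> dict:
    """What lands in the merchant's database: no PAN, so no cardholder data to breach."""
    assert "pan" not in vault_response
    return {"customer": customer_id, **vault_response}


if __name__ == "__main__":
    TEST_PAN = "4111 1111 1111 1111"   # constructed: the widely used Visa test PAN
    vault = TokenVault()
    saved = merchant_record("cust_42", vault.tokenize(TEST_PAN))
    print("merchant stores:", saved)
    digest = hash_pseudo_token(TEST_PAN.replace(" ", ""))
    print("hash 'token' reversed to:", recover_pan_from_hash(digest, saved["bin"], saved["last4"]))
```

Running it prints a merchant record containing only `tok_…`, the BIN and the last four, then shows the SHA-256 "token" being reversed to the full PAN in well under a second. The same brute force against the random vault token has nothing to iterate over: the token is independent of the PAN, so the attacker's only target becomes the vault itself, which is exactly the asset the provider's PCI DSS assessment covers.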
3D Secure: the authentication layer that shifts liability
3D Secure adds an authentication step to card-not-present transactions. The three domains are the issuer domain (the customer's bank, acting through its Access Control Server), the acquirer domain (you and your acquiring bank, acting through a 3DS Server) and the interoperability domain (the card network's directory server that routes messages between the other two). The current standard, EMV 3DS 2.x, sends the issuer far more context about the transaction than the old password-based 3DS 1 did (device data, billing and shipping details, purchase history), so the issuer can score the risk itself: most low-risk transactions are authenticated silently in the background (the frictionless flow), and only genuinely suspicious ones trigger a visible OTP or biometric challenge.
The central commercial benefit: when a transaction is authenticated via 3DS (or authentication was attempted and the issuer could not complete it) and is later disputed as fraudulent, liability for that chargeback shifts from you to the card issuer. Two practical caveats: the shift covers only fraud-coded chargebacks, not disputes about goods or service, and it applies only if the authentication result (the ECI value, the authentication value and the DS transaction ID returned by 3DS) is actually carried in the authorisation request, a step hosted integrations handle for you but custom integrations sometimes miss. Done correctly, it directly reduces your chargeback exposure and the risk of being flagged as a high-risk merchant.
The bottom line
PCI DSS, tokenization, and 3D Secure aren’t three separate problems. They’re three layers of the same strategy — protecting your environment, neutralising stolen data, and moving fraud liability off your books.
Compliance is the floor. Security-as-strategy is the ceiling.
At ToucanPay, we help merchants implement all three without a multi-month engineering project. If you want to know what your current setup is exposing you to, we’d be happy to walk through it.
Talk to us about your payment security setup →
Frequently asked questions
Q1: Is PCI DSS mandatory for all merchants, including small businesses?
A: Yes. Every merchant that accepts card payments must comply, regardless of size; what scales with your volume is the validation effort, not the obligation itself. A small business whose card entry is fully outsourced to a PCI-compliant provider (a hosted payment page or provider-served iframe, with no card data passing through its own systems) typically qualifies for SAQ A, the shortest self-assessment questionnaire. SAQ A still covers the web server that delivers that page, because an attacker who can alter the page can redirect card entry elsewhere.
Q2: Does tokenization mean I’m automatically PCI DSS compliant?
A: No. Tokenization sharply reduces your PCI scope, because card data never rests in your systems, but you remain responsible for what stays in scope: the web pages and scripts that hand the customer over to the provider (PCI DSS v4 requirements 6.4.3 and 11.6.1 expect you to inventory and authorise payment-page scripts and to detect tampering with the page), staff access controls, and the infrastructure around them. Tokenization shrinks the target; PCI DSS protects what is left.
Q3: Will enabling 3D Secure hurt my conversion rate?
A: With 3DS2, the impact is minimal. Most transactions authenticate silently — the customer sees nothing. Only a small fraction (typically under 5%) trigger a visible challenge, and the liability shift benefit almost always outweighs that friction.
Q4: What happens to my stored tokens if I switch payment gateways?
A: Gateway tokens don't transfer, so customers would need to re-enter their card details, unless you arrange a one-off vault-to-vault migration between the two providers, which is itself a PCI-scoped project. Network tokens issued by Visa/Mastercard are the exception: they are bound to the token requestor rather than to a gateway, so if you hold the token requestor ID yourself they move with you and keep auto-updating on card reissue; if the gateway is the token requestor, they stay with the gateway.