D5 · Crypto

What is tokenization vs encryption?

Tokenization replaces sensitive data with a non-sensitive token that maps back to the original in a secure vault — unlike encryption, tokens are format-preserving and algorithmically irreversible.
PCI DSS: tokenize primary account numbers (PANs) to reduce PCI scope. Encryption is reversible (with key). Tokenization requires the vault for reversal. Either can reduce PCI DSS scope if properly implemented.