Australia’s credit/debit card surcharge rules are changing. Learn more
Skip to content

Breaking down tokenisation strategy for software companies

Updated on July 13, 2026

Tokenisation has been around for over two decades, but its role in payments is more critical than ever. As software companies look to integrate payments, understanding tokenisation is essential for security, compliance, and long-term strategy.

In this episode of PayFAQ: The Embedded Payments podcast, Montana Ross, Head of Product for Integrated Payments and Payment Facilitation at Worldpay, shared insights into why tokenisation matters and how software companies should approach it.

An inside look at payment tokenisation

At its core, tokenisation replaces sensitive payment data with a token—an identifier that has no real value if intercepted. This ensures security by reducing the risk of exposing credit card details. Over the years, tokenisation has evolved to serve different needs. Initially, one-time tokens were introduced to meet compliance requirements, providing temporary replacements for card numbers but offering little utility for long-term data storage. More recently, format-preserving tokens have gained traction. These allow businesses to store and use card data in a way that maintains key attributes, such as the last four digits of a card number, which can be useful for customer recognition and operational continuity.

The role and benefits of tokenisation for platforms

For software companies, tokenisation is more than just a security measure – it is an operational and strategic consideration. The way tokens are integrated into a software system determines how well they support customer experience, data management, and business growth. Companies need to decide which type of tokenisation fits their business model, considering factors such as compliance costs, customer data usage, and the ability to scale.

Different industries have distinct tokenisation needs. In healthcare, stringent regulations around personally identifiable information require robust data protection strategies. In contrast, a restaurant payment system may only need tokenisation for occasional transactions, with less emphasis on long-term data retention. Software companies must carefully evaluate their industry’s specific compliance and operational requirements before implementing a tokenisation strategy.

Beyond security and compliance, tokenisation plays a crucial role in a company’s broader data strategy. Payments are no longer just a financial transaction; they are a source of valuable customer data that can inform business decisions, improve customer relationships, and create new revenue streams. Companies that integrate payments without considering how tokenisation aligns with their data strategy may find themselves limited in their ability to leverage customer insights effectively.

Tapping into the potential of a tokenisation strategy

Many software platforms add payments due to investor pressure or customer demand, often without fully considering the long-term implications. The choice of a tokenisation method can significantly impact future mergers, acquisitions, and integrations. Companies that rely on one-time tokens may struggle to transition their data if they acquire or merge with another company. A well-thought-out tokenisation strategy ensures that payment data remains usable and transferable as the business evolves.

For software companies looking to grow, tokenisation should not be an afterthought. Businesses must do the necessary research up front to ensure they choose a solution that aligns with their operational and strategic goals. Finding the right payment partner—one that understands different industries and offers flexible tokenisation solutions—can provide a competitive advantage.

As payments continue to evolve, software companies that take a proactive approach to tokenisation will be better positioned to scale securely, optimise customer data, and future-proof their businesses.

Transcript

Ian Hillis

Hi everyone and welcome to PayFAQ: The Embedded Payments podcast brought to you by Payrix and Worldpay. I’m your host, Ian Hillis and today I’m talking with Montana Ross, Head of Product for Integrated Payments and Payment Facilitation at Worldpay about tokenisation in the payment world. Welcome to the show, Montana. 

Montana Ross

Hey Ian, glad to be here. 

Ian Hillis

We are thrilled to have you on today. I’ve known Montana for quite some time now. Deep expert on a number of things, certainly tokenisation. We’re going to jump into that. I want to start by giving the audience an overview. Montana, I have your back on just so they know that they can in fact trust you with the wisdom you were about to dispose our way. So. Montana is a seasoned professional with 15 years of diverse experience in the payments industry. Most of his early career was at Worldpay where he held product and strategy-based roles across ecommerce, integrated payments and PayFac. Covering all the bases there. Montana also played a key role in leading the turnaround product strategy for a large payment processor in the B2B payment space, culminating in a successful IPO. Following that achievement, he transitioned to the software sector where he served as general manager of payments for high growth platforms in the prop tech and social good industries. His expertise in building solutions for software companies and subsequently managing their payment strategies is unparalleled. Montana rejoined Worldpay last year as the head of product for integrated payments and PayFac segments, bringing with him a wealth of experience and unique perspective that bridges both the payments and software sectors. That is expertise I’ve ever heard it. Montana, we’re thrilled to chat with you today. 

Montana Ross

I was going to say it sounds way better when you say it, Ian. 

Ian Hillis

So, Montana, we’re here to talk about tokenisation. I think we’re going to have different levels of understanding so let’s just level set with the audience here. Can you give us the high level of tokenisation? What are the different types, formats, use cases and we’ll build from there? 

Montana Ross

Yeah, it’s a great level set. Right. So, tokenisation in its essence is just the process of swapping sensitive data for values that would mean nothing if it fell into someone else’s hands. So tokenisation exists in very different formats, but for the most part what we care about is payment tokenisation. 

Montana Ross

So, for the most part we’re talking about swapping the card account numbers, for values that don’t mean anything. There’s a couple of different ways that you can do that. When we think about it, there’s universal tokens, which kind of just are provided by a few different vendors that essentially can swap any type of information. There are one-time tokens which came out about 20 years ago when new compliance standards were introduced, that tokenisation was a requirement to some degree to either store or transfer card data. So that’s when you get a new kind of value. Every time you try and send a card number it just replaces it. But it’s not great for storage or to hold on to long term. What we see more recently is format preserving tokens, which is essentially it replaces the card number but holds a lot of the attributes that you would have from that card account number. So, the first four digits or the last six digits, and it fits into systems really well and could be used with customer applications, stuff like that where you’re just hiding part of the value but can still expose maybe the last four digits of your credit card so you can recognise it. Right? The last thing is what we would call network or wallet tokens. So anytime you use Apple Pay or Google Pay, or a Visa or Mastercard, they all have their form of tokenisation as well. It’s a little bit removed and usually works well with other types of tokenisation, but it is a form of tokenisation in itself. 

Ian Hillis

Tokenisation is increasingly coming up notably I think in the past two to three years you’ve mentioned, look this, this has been around for 20 plus years at this point, but I think it’s really taken our world by storm. Why is this important for software companies to understand? If you could talk a little bit about the operational versus strategic decisions that software companies need to be making in this area. 

Montana Ross

Yeah, so for most people tokenisation was just a way to like you said 20 years ago, it’s been around for a while, was just a way to ensure security. You don’t want that data getting into anyone else’s hands, so those one-time tokens were great. You just replace it, you know, move on. but what we found specifically for software companies and platforms is that data in general has become one of the most powerful things that they can leverage to a degree. So operationally there’s how does that token actually fits into your systems, how are you going to use it, for your customer base, for your clients, stuff like that. So, there’s specifics around the length of the token, the type of token and what you’re doing there and how it’ll fit into your overall strategy for just data and storing that information. The other is down to compliance. So again, going back over 20 years, those standards have gotten different over time and there’s more resources and cost associated with doing that. So, if you don’t think about your token strategy up front and how it’s operationally going to materialise in your business, you’re going to end up spending a lot more time, resources and cost on just maintaining that or maybe switching it to something that works differently or better for you. So, it’s important to do that upfront kind of discovery on what’s going to make the most sense for your business. The other piece is the industry that you’re in so, if you’re in the restaurant industry versus the health care industry, you’re going to have very different applications and uses for those, you know, for, for payment tokens and just payment methods in general. So, healthcare is very strict on, you know, personally identifiable information and credit card information. There’s a lot of regulation and you know, customer data, storage is, is a huge part of what they do there. They’re going to try and follow you through an entire lifetime if they can versus restaurant, you may just go in one time and that’s it. So that’s all that’s really necessary there, to a certain degree. So those are the kind of operational aspects that you need to consider. I will say there that I think anybody that’s implementing a strategy now kind of has a leg up. 

Because customer loyalty and some of that customer demographic data has become increasingly more important over the last five to ten years versus maybe when you kind of started a business, you know, five or 10 years or previous to that. So, using format preserving tokens, things that you can store and kind of really assessing whether they’re going to fit in your ecosystem is probably one of the more important things. And again, if you’re doing that now, you know that if you did that five or ten years ago, you’re probably making some changes. So, some of those people have a little bit of a leg up. If you’re starting now, or adding payments in your software platform, I would. 

Ian Hillis

Montana, you’ve sat in a really unique seat in that you’ve both kind of deep, deep in the payments and then spent time within software companies as well. You start at kind of the role and importance that data plays just foundationally to kind of a software platform in general would Love to hear you opine a little bit more on just the role of data and why that’s so important and then maybe talk a little bit about how that can set the foundation for software companies and their tokenisation strategy. 

Montana Ross

Yeah, so I think that plays really well into like strategically what, what makes sense there. I think when we look at software platforms and, and how they’ve evolved over time, either they see payments or the addition of payments to their platform to generate more revenue or they’re getting advice from their private equity or VC firm to kind of add payments. What I’ve seen firsthand, and through a lot of companies I’ve worked with, is that they kind of do that based on you know, customer demand or their investors kind of saying you need to add payments, and they just go with whatever provider. Kind of makes sense, they’re not really thinking about the long-term implications of that. So, there’s a few that come to mind. So reputationally obviously depending, no matter how you’re set up as a software platform, you don’t want card data or sensitive data getting out and having a good strategy around tokenisation and making sure that reputationally you’re covered and you’re not going to have any type of exposure, is obviously going to have an impact on your client base. But also whether you have future options around M&A or anything like that, the other thing is, and this is something I dealt with firsthand is the data strategy that you have, especially if your value add or a lot of the value around your company is based on the data that you’re storing about your customers, that piece of it plays into it as well. So, a one-time token, or a format for preserving token that can be used in multiple systems and easily transitioned should you ever get acquired is a huge thing that comes into mind. Most people don’t think about that when they’re setting up payments. They’re just saying I need to add payments; I need to add revenue. they’re not thinking about how that format of tokens is actually going to play into maybe their future M and a strategy whether they’re buying a company or whether they’re getting acquired, so one, one first hand example I have is, you know I worked at a company that, you know, their main value add was the CRM but they were obviously buying smaller startup companies or we were buying smaller startup companies and trying to incorporate them. But they never gave any real thought to their tokenisation strategy and just went with whatever made sense from a provider perspective. A lot of it was one-time tokens and our entire company value was built around the customer demographic data that we had so it took a lot longer to integrate those businesses into what we really considered kind of our value creation plan, and that customer data into the central CRM system that we were looking to use and be a store of that value so that came with additional costs around compliance and stuff like that from just an integration perspective. But it also hindered the ability to kind of create that network effect with our customers because we couldn’t integrate the cardholder data the way we wanted to. 

Ian Hillis

As we wrap things up, you have lots of great advice. I love how you’ve weaved in real life stories to show the importance of across all of this. What part of advice might you have for software companies, particularly on this topic of tokenisation? Again, there’s a lot going on out there, lots of noise, lots of interesting things happening. What advice would you have for those software companies? 

Montana Ross

Yeah, I think this is probably the most important takeaway. Like every business industry is going to have their unique challenges, unique use cases. So, I think the most important thing here is to do the legwork up front. Don’t just kind of add something without really thinking about the long-term implications of it, and what use cases may come into play. I also wouldn’t underestimate just the growth potential of adding payments to software. I think again a lot of people, a lot of companies add payments just thinking it’s kind of this ancillary product that they’re going to offer and then don’t realise how fast it actually grows and scales. I think that’s a really important thing to consider especially with tokenisation. But in general, on you know, as you grow volume, your requirements and compliance needs and all of those things, data requirements, they’re all going to change along with that. So, I think people just underestimate that piece of it. and the last thing is just make sure you consider partners that kind of have good experience across all the different verticals and industries that are out there. You’re going to get more than a one size fits all solution, so you’re going to have maybe multiple token solutions that you can leverage or at least a token solution that has been considered, across restaurant and healthcare and government. So you’re getting a partner that really can kind of make sure that you have the right solution, for how you need to grow. 

Ian Hillis

Excellent. Montana. This was exceptional. We really appreciate you taking the time to chat with us today. 

Montana Ross

Yeah. I mean, one of my favourite topics. So very glad to be here. I’m very glad to talk about it. 

Ian Hillis

Excellent. Well, we appreciate your time. We want to be a trusted resource for software providers who are out there trying to make sense of embedded payments and finance to help them get the education they need to make the business decisions their customers and investors will thank them for. Thank you to everyone joining us today, and I look forward to continuing the conversation in our next episode.  

Share:

Explore more podcasts