Peru Implements Card Tokenization to Enhance Digital Payment Security

by Ahmed Ibrahim

Financial institutions in Peru have begun implementing a critical shift in how digital payments are processed, moving away from the traditional exchange of sensitive card details. By order of the Superintendencia de Banca, Seguros y AFP (SBS), banks are now deploying mechanisms to replace actual card data with unique, cryptographically generated identifiers for transactions conducted through third-party platforms.

This transition to tokenization for online purchases means that the Primary Account Number (PAN), expiration date, and CVV code—the three pillars of traditional card security—will no longer travel across the internet or be stored in plain text by merchants. Instead, they are replaced by a “token,” a digital surrogate that holds no intrinsic value if intercepted by a cybercriminal.

The move comes as a direct response to the escalating volume of cybercrime and the rapid growth of the digital economy. According to data from the Banco Central de Reserva del Perú (BCRP), non-face-to-face transactions have surged, with debit card e-commerce growing by 54.2% in number during 2025, while credit card transactions rose by 14.3%.

For the average consumer, the process remains largely seamless. Whether shopping on Amazon or using payment gateways like Mercado Pago, the encryption happens in the background. María del Carmen Yuta, a partner at Vodanovic, explains that while a customer may still enter their card details during the initial registration or purchase, that information is immediately encrypted, ensuring it remains invisible to third parties even if the user chooses to save the card for future use.

Financial institutions must enable tokenization so that third parties operate with tokens rather than sensitive data.

Closing the Gap in Cybersecurity

The primary objective of this regulatory shift is to decouple the actual financial instrument from the transaction process. Luis Miguel Garrido, a senior associate in the financial and corporate area of Rubio Leguía Normand, notes that this mechanism prevents real card data from circulating or being stored within merchant databases.

This is particularly vital for the modern “super app” ecosystem and sprawling marketplaces where a single payment may pass through multiple intermediaries. In the event of a data breach at a retailer’s end, the stolen information would consist of tokens rather than usable card numbers. Garrido emphasizes that, because these tokens cannot be easily decrypted or reused by cybercriminals, the impact of a leak is significantly neutralized.

By aligning Peru with international security standards, the SBS is attempting to build a more resilient financial infrastructure that can withstand the increasing sophistication of phishing and database injections. The strategy moves the “trust” element away from the merchant and places it back with the issuing bank.

The Role of Biometrics and Double Authentication

Tokenization is not a standalone solution but part of a broader security layer. The new framework is designed to work in tandem with double authentication (2FA), which will be implemented shortly. This requires users to verify their identity through a second factor—such as a biometric scan (fingerprint or facial recognition) or a unique PIN—before a transaction is approved.

This synergy is most evident in digital wallets. For users of services like Google Pay or Apple Pay, the security is twofold: the possession of the device containing the tokenized card and the biological or secret verification of the owner.

In wallets like Google Pay or Apple Pay, users must validate their identity with at least two factors: the device with the tokenized card (possession) and a second element such as a PIN or biometrics. (Photo: MAG / Rommel Yupanqui)

Comparison: Traditional Payments vs. Tokenized Payments

Key differences in digital payment processing
| Feature | Traditional Method | Tokenized Method |
| --- | --- | --- |
| Data Transmitted | PAN, Expiry, CVV | Unique Cryptographic Token |
| Merchant Storage | Actual card details (often encrypted) | Non-sensitive token |
| Breach Impact | High: Card can be cloned/used | Low: Token is useless to attackers |
| Verification | Single factor (often just CVV) | Multi-factor (Token + Biometrics/PIN) |

What This Means for the Consumer

The shift toward tokenization for online purchases is essentially a move toward “invisible security.” For the user, the experience of clicking “Buy Now” remains the same, but the underlying architecture changes. The primary beneficiaries are those who frequently use “super apps” or marketplaces, where the risk of data exposure is historically higher due to the number of actors involved in the payment chain.

This is a systemic change driven by the SBS, meaning the responsibility for the rollout lies with the financial institutions. Users do not need to “apply” for tokenization; rather, their banks are updating their backend systems to ensure that when a card is registered with a third party, it is instantly converted into a token.

Disclaimer: This article is provided for informational purposes only and does not constitute financial or legal advice. For specific inquiries regarding your accounts, please contact your financial institution or the SBS.

The next phase of this digital transformation will involve the full rollout of the double authentication requirement across all Peruvian financial entities, a move intended to further slash fraud rates in the e-commerce sector. Official updates on the timeline for these mandatory biometric integrations are expected to be released by the SBS in the coming months.
