Tokenisation is a mechanism by which the secure data (in this case, and usually, the CC number, etc.) are passed to a separate part of the infrastructure (or a 3rd party) and a token is returned as a reference. The token has no intrinsic value, but can be used to utilise the secure data.
The obvious advantage of this is that a breech doesn't give out credit card info in any form, encrypted or otherwise. If someone gets access to the tokens then the part of the infrastructure (or the 3rd party, if one is being used) should only allow access to the secured data for a valid token from a valid source using some properly secured mechanism, making it relatively easy to secure the confidential info e.g. by having the secure data stored on a private, possibly non-Internet accessible network that is only accessible from the company's sites (or more likely, very specific servers at said sites).
This is a pretty common approach as part of gaining PCI compliance for companies that process CC info, but of course it is mostly only used for the credit card data, not the rest of the personal data so if the personal data other than the CC info allows people to be conned out of cash (or have their money taken directly through some route other than their CC) then it isn't a panacea.