Abstract

Tokenization reduces routine merchant exposure to primary account numbers, yet refund handling and chargeback evidence preparation often remain dependent on PAN-linked or PAN-adjacent re- trieval paths. This paper presents an exploratory systems-design and workflow-evaluation study of a token-linked post-transaction architecture for PAN-less refunds and privacy-preserving charge- back evidence generation. The proposed design links payment, refund, and dispute records through explicit token lineage, confines PAN-linked authority to a token-service boundary, and applies role- based selective disclosure during evidence release. The empirical study uses uploaded public datasets and documented lifecycle augmentation because the source data do not natively contain tokenized refund and dispute chains. Validation was strengthened through 30 repeated trials on random sub- sets of 15,000 PaySim-derived base events per run, with chargeback-oriented calibration from the uploaded df.csv file and anomaly-context support from the uploaded fraud benchmarks. Across the repeated trials, the proposed workflow reduced the weighted privacy-exposure score from 1.48 to 0.31, improved the evidence-quality score from 0.5946 to 0.7344, and increased the operational- overhead index from 1.00 to 1.67. Mean local refund-processing time increased from 0.00394 ms per case to 0.00448 ms per case, while mean local evidence-assembly time increased from 0.01882 ms per case to 0.07069 ms per case. These timings reflect only local in-memory workflow steps and should not be interpreted as production gateway or payment-network latency. Sensitivity analy- sis shows that the reduction of privacy is between 65.6% and 86.0% under alternative weighting schemes, and the evidence-quality advantage is positive under all weighting scenarios tested. The paper therefore makes a bounded contribution: explicit architecture, reproducible augmentation rules, custom-metric definitions with sensitivity checks, and repeated-trial exploratory evidence, rather than a claim of live network or production scale validation.