Network tokens are a technology created by EMVCo to make the payment ecosystem safer and more robust.

EMV Payment Tokenization

The primary account number (PAN) – the number printed on your card - is a particularly sensitive piece of data. EMV Payment Tokenization (or network tokenization) provides a technology solution for protecting the PAN and securing digital and online payments.

Tokenization is achieved by taking the PAN and replacing it with a unique alternative value, a payment token. This token is limited to the merchant it’s been created for, which limits the use of the token in case it’s ever compromised. Unlike a PAN, a network token can not be used to process a transaction with another merchant.

Network tokens comply with industry-standardized EMVCo specifications that not only adhere to PCI standards but are also identifiable across the entire transaction lifecycle. This enables significant ecosystem benefits for merchants using network tokens.

  • Higher authorization rates - Once a stored PAN has been securely replaced with a network token, any changes to the underlying card details get automatically applied to the associated network token. For example, if a customer’s card expires the network would automatically update any associated network token(s) directly so that the stored card remains current and usable with that token. This reduces the number of charges declined due to outdated data, and increases the authorization rates - particularly cards used for recurring and subscription payments.

  • Lower costs - In general the card schemes maintain a lower fee for tokenized transactions. The exact value of this will depend on your PSP, but this can be up to 10 bps per transaction.

  • Improved security - Network tokens can only be unlocked by the associated payment network. Therefore if it is lost or stolen, criminals cannot access the underlying card data at any point in the transaction lifecycle.
    In addition, each token is bound to a specific merchant and each transaction is protected with a one-time use cryptogram. This means that the token by itself cannot be used to initiate a transaction.

Network tokens versus Acquirer/PSP tokens

Network tokenization is very different from acquirer tokenization or PSP tokenization, especially when you consider the data portability benefits.

  • An acquirer or PSP token swaps a customer’s card details with a token that can only be used by the service that generated the token. This restricts the re-use and introduces considerable friction when using another service for failover, redundancy, or migration.
  • A network token swaps a customer’s card details with a token that is tied to the scheme of the card (also called the networks) and can be used by any acquirer or PSP that can transact for that scheme. This provides ultimate flexibility to use this token with any service, whether that is for failover or redundancy purposes, or when migrating to another service.

We recommend that you use the full range of tokenization features with our system. You can store the original card number (PAN) in our Cloud Vault and additionally use Network Tokens for transactions. With this, you can limit your PCI scope and optimize your payments using network tokens in an agnostic way across the payment ecosystem.