    How Network Tokenization Improves the User Experience

    Network tokenization explained

    The most valuable pieces of data in payments are the Primary Account Numbers (PAN), the core details from a credit card that are used to initiate and close a transaction. The PAN consists of the card number, the expiration date, and the CVV, and the most fundamental obligation of any merchant is to not allow anyone to steal this information.

    Meanwhile, the pace at which PAN details can change (based on lost cards, say, or simply re-issuance on an expiration date) can result in painful lost revenue for merchants. Today, the trick to protecting PAN data while providing a superior customer experience, reducing fraud, and protecting transaction close rates is to commit to network tokens.

    What is network tokenization?

    Network tokenization is the process by which card networks (Visa, Mastercard, etc.) provide merchants not with traditional PAN data, but rather a string (the token in question) that represents their unique version of the PAN.

    Instead of passing back the credit card number, expiration date, and CVV, merchants pass through a token, which is a representation of the consumer’s account that is specific to that one merchant, and thus cannot be used by any other entity even if it is somehow leaked or stolen.

    Meanwhile, because the network token is a unique value provided directly from the card network to the merchant, it is not subject to the same risks. For example, a network token does not expire when the physical card does, because the token identifies an account rather than a plastic card. This removes the need to ask customers to update their cards, or to contract with an account updater service, in order to avoid problems when charging subscription fees or closing subsequent purchases.

    Card network tokens also reduce both the risk of fraud for consumers, and the risk of chargebacks to merchants, through the same basic concept. Because the network token is a unique, merchant-specific representation of a consumer’s account, it not only cannot be used by another entity, it also does not become invalid when fraudulent transactions are submitted at another merchant, nor does it cease to work when a new physical card is issued. 

    How network tokens differ from PCI tokens

    A common approach to keeping merchant payment systems out of PCI scope has been for payment service providers (PSPs)—particularly full-service PSPs—to provide tokens to merchants instead of the full PAN data. This protects the consumer’s data, and eliminates the risk of PAN data being stolen from or leaked by the merchant's payment system.

    However, while a network token is issued and managed by the card network, a PCI token is issued and managed by the payment gateway. These tokens lack many of the benefits of a network token:

      • Deep security: while a network token flows from the merchant through the payment gateway and all the way to the card network without ever being translated back into an underlying PAN, a PCI token is converted back into the PAN at the gateway step, reintroducing many attack vectors.
      • Easy updates: where a network token is a representation of the account at the card network level, a PCI token is simply a representation of the PAN held at the merchant’s PSP, and is therefore subject to the old challenges of the PAN.

    In principle, many modern PSPs can actually accept a network token on behalf of the merchant, then provide a PCI token to the merchant, so that they can regain some of the benefits. However, particularly in the case of full-service PSPs, the underlying network token is now inextricably linked to the PSP as well as the merchant. This means that should the merchant want to replace their PSP, they will need to collect all-new network tokens for every customer they have ever served—a consumer experience that no merchant wants to impose.

    Network tokens and PCI tokens can work together with the right infrastructure

    It is possible for a merchant to leverage both network tokens and PCI tokens while still offering a seamless user experience. By partnering with a programmable payment vault, such as the one offered by Basis Theory, a merchant could:

    • Use the vault’s SDKs and APIs to have PAN collected during the first transaction of any customer.
    • Direct the vault to submit the transaction via their selected gateway, and to request a network token.
    • Have the vault receive and store the network token, then issue a unique vault token to the merchant.
    • Use the vault token to identify the customer account it wishes to charge, while the vault presents the stored network token to gain transaction approval.
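A toy model of the four-step vault flow above, added here as an illustration; it is not Basis Theory's API or any card network's interface, and every class, method and identifier in it is hypothetical. It assumes the network binds each token to one merchant and to the account rather than the card, as the article describes, and uses well-known test card numbers as constructed input.

```python
import secrets

class CardNetwork:
    """Toy card network issuing merchant-bound tokens (constructed model)."""
    def __init__(self):
        self.pan_to_account = {}   # PAN -> account id; changes when a card is reissued
        self.tokens = {}           # network token -> (account id, merchant id)

    def reissue_card(self, old_pan, new_pan):
        # New plastic, same account: tokens point at the account, so they survive.
        self.pan_to_account[new_pan] = self.pan_to_account.pop(old_pan)

    def provision_token(self, pan, merchant_id):
        token = "ntk_" + secrets.token_hex(8)
        self.tokens[token] = (self.pan_to_account[pan], merchant_id)
        return token

    def authorize(self, token, merchant_id):
        # Approve only when the presenting merchant is the one the token was issued to.
        bound = self.tokens.get(token)
        return bound is not None and bound[1] == merchant_id

class Vault:
    """Toy vault: holds the network token, gives the merchant an opaque vault token."""
    def __init__(self, network, merchant_id):
        self.network, self.merchant_id = network, merchant_id
        self.store = {}            # vault token -> network token

    def enroll(self, pan):
        # Steps 1-3: take the PAN once, request a network token, return a vault token.
        vault_token = "vtk_" + secrets.token_hex(8)
        self.store[vault_token] = self.network.provision_token(pan, self.merchant_id)
        return vault_token

    def charge(self, vault_token, gateway):
        # Step 4: resolve the vault token and send the network token through any gateway.
        return gateway(self.store[vault_token], self.merchant_id)

def demo():
    pan, new_pan = "4111111111111111", "4242424242424242"   # public test numbers
    network = CardNetwork()
    network.pan_to_account[pan] = "acct-1"
    psp_a = lambda tok, mid: network.authorize(tok, mid)    # two interchangeable
    psp_b = lambda tok, mid: network.authorize(tok, mid)    # pass-through gateways
    vault = Vault(network, "merchant-A")
    vt = vault.enroll(pan)
    network.reissue_card(pan, new_pan)                      # customer gets a new card
    return {
        "charge_after_reissue_via_psp_a": vault.charge(vt, psp_a),
        "same_vault_token_via_psp_b": vault.charge(vt, psp_b),
        "leaked_token_at_other_merchant": network.authorize(vault.store[vt], "merchant-B"),
        "pan_kept_by_merchant_or_vault": pan in {vt, *vault.store.values()},
    }
```
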

    By combining the network token with the flexibility of the programmable payment vault, merchants can enjoy the best of both worlds: all the upsides of network tokens, alongside the flexibility to work with multiple PSPs at any given time.

    This delivers superior transaction success metrics, secure storage for customer data, and a positive customer experience that keeps consumers coming back for more.
