Universal Payment Tokens or Network Tokens?

The terms “payment tokens” and “network tokens” can be found trending as far back as early 2004, but conversation around them has become inescapable in the last few years.

As digital commerce continues to grow and merchants find themselves wondering how they can secure payment data, they may start to dive into these solutions. And while both are considered “tokens”, they contain several key differences in utility and flexibility.

What are the similarities and differences between the uses, features, and benefits of universal payment tokens and network tokens?

Universal Tokens and Network Tokens: What’s the Difference?

In a general sense, network tokens and universal tokens are both used to mask sensitive payment data like credit card numbers. 

Because of this, they both improve payment data security while simplifying  payment processing for businesses. However, the means by which this happens differs. 

Universal Tokens

Universal tokens are tokens that can be used in place of the plaintext payment data for transactions across various different channels, payment networks, and processors without exposing the underlying data. In many cases, merchants tokenize the card’s PAN with a unique identifier that cannot be decrypted, making it more secure to store and transmit than plaintext numbers. 

However, universal tokens aren’t limited to only payments: these tokens can tokenize any sensitive data found in any format, including non-payment information like PII. This flexibility is one of many reasons merchants choose to use universal tokens to tokenize sensitive data. In this way, universal tokens work like universal physical locks, securing many different types of valuables in different types of storage devices.

These tokens are often provided by third-party tokenization providers, like Basis Theory, on behalf of merchants, and can integrate into a merchant’s systems nearly seamlessly.

Network Tokens

Alternatively, a network token is distributed by the card networks (Visa, Mastercard, American Express, and Discover) and can only be used through the card networks themselves or their partner merchants.

Another key difference is that a network token can only be used for payment data. The token acts as the payment credentials, replacing the Primary Account Number (PAN) to facilitate secure transactions, but only for a specific card-merchant pair. In this way, network tokens function more like a physical key that works for certain people and can only open specified lockboxes.

Are Network Tokens or Universal Tokens a Better Choice?

Both network tokens and universal payment tokens offer enhanced security for storing and using payment data, which also reduces overall fraud risk. Universal tokens win out on the security front, however, as they often have more security safeguards than network tokens, which rely heavily on restricted usage as the primary means of security.

Universal tokens can simplify payment processing for businesses because, once implemented, the possibilities of use and acceptance are nearly endless. This creates a potentially wider area of acceptance for merchants than network tokens would offer. 

One primary benefit of network tokens is their ability to automatically update card credentials. Should an expiration date occur, or card number be changed after the original card is renewed or reported stolen, the credentials stored in the network token will automatically update, with no manual intervention needed. This can be a huge benefit for subscription businesses and their customers, as processing could continue without any action necessary. It’s worth noting, however, that there is a broad range of credit card updater services available for use in conjunction with universal tokens.

If a merchant transacts exclusively with one network - say, Visa, for example - then network tokens might be a good fit. While their limited scope could be a concern for larger merchants, network tokens are growing in popularity. Similarly, if a merchant transacts all their business through a single PSP, which delivers tokens for customer cardholder data across all accepted payment methods, network tokens are a convenient vehicle for simplifying payment activities while also offloading PCI-DSS requirements.

Universal tokens are a great option for all merchants of any size due to the built-in flexibility, but would likely require working with a third-party token provider, which adds another solution to the tech stack. As a result, merchants should always ensure their selected tokenization partner explicitly offers a migration plan to be used if the business partnership is dissolved.

A summary comparison of the two token types can be found in the table below:

PCI Compliance and Scope Reduction

One significant benefit of both network tokens and universal payment tokens is the potential for PCI DSS scope reduction.

However, because the nature of each token type is slightly different, the way these tokens reduce scope is not the same.

Generally speaking, network tokens can reduce PCI scope by replacing sensitive cardholder data (PANs) with network-specific tokens stored in secure databases, meeting PCI compliance standards. This means fewer systems and processes need to handle sensitive data, simplifying compliance efforts.

Universal payment tokens, on the other hand, may reduce PCI scope, but this is solely dependent on the solution selected and how merchants implement it. Some solutions can be implemented such that the payment data is only partially tokenized - for instance, tokenizing everything but the last four digits. Furthermore, should the merchant attempt to store these tokens in their own database that doesn’t meet PCI compliance standards, PCI scope would not be reduced.

A more complete universal payment token solution like Basis Theory does significantly reduce PCI scope, in some cases by as much as 95%, by extending an independently assessed and approved cardholder data environment to customers. This allows companies to collect, secure, and share credit cards without bringing their systems into scope.