How a Merchant Can Use Each Payment Token Type
Merchants are always looking for ways to improve their customer experience, reduce their business costs, and stay as far away from the risk of data breaches as possible. One of the areas that offers both opportunity and danger is storing credit card data so it can easily be reused in the future: as much of a positive impact as it can have on revenue, the risk and cost of securing that data can be intimidating.
A safe, PCI-compliant way to secure, mask, and transmit sensitive cardholder data is to use a payment token. A payment token can come in different forms, with the means, approach, and benefits of each diverging. Which token to use depends on the specific transaction flow. Using a combination of Network Tokens, provider tokens, and Universal tokens can optimize the transaction flow for each customer—and the merchant’s bottom line.
What are payment tokens?
Payment tokens are unique pieces of text that act as a reference to data securely stored elsewhere. Instead of saving personally identifiable information (PII) in their own server, a merchant will simply store the token. When the merchant wants to reuse the PII, they present the token to whichever third party holds it, and, based on providing the token and passing other stringent security processes, the third party permits access.
Tokenization—using payment tokens—is sometimes seen as an alternative to encryption but is actually more secure. Encrypted data can be converted back to its original plain text simply by acquiring and using the encryption key. By contrast, a payment token is simply a reference point and cannot, therefore, be transformed back into the underlying data.
Payment tokens don’t just protect data and help with PCI requirements—when utilized as part of an optimized payment strategy, the merchant creates the best experience for the customer and their own processes.
Payment Token Types
We bucket each payment token into 1 of 2 groups:
- Customer Experience: Meaning, the token type improves this.
- Payment Optimization: Meaning, the token type improves some facet of our transaction process.
As merchants optimize their transaction flows, they should consider how to use each payment token type for 1 of the 2 reasons.
Payment Service Provider (PSP) Tokens
PSP tokens replace plain text payment data to improve transaction security, and relieve merchant customers of the responsibility of securely storing PII. However, PSP tokens only work with the provider that issued them. Full-service payment service providers offer such tokens, which can benefit merchants who want simplified tokenization they don’t have to build or manage over time.
Apple Pay and Google Pay offer something similar, with a token specific to their mobile wallet functionality. The token given by Apple Pay or Google Pay to the merchant is specific to the consumer who was using it. When a customer taps their Apple Wallet to pay, the merchant can save that token for future purchases, regardless of the card on file being updated or replaced. However, if the customer were to remove that card from their mobile wallet, the token would then disappear and need to be reissued.
The lack of versatility with a PSP token can stunt a merchant’s growth, as they have fewer options for providers they can partner with—especially if those partners do not play nicely with the PSP’s tokens (and being able to use one PSP’s payment tokens with another PSP is extremely unusual). Critically, especially for merchants who see the benefit in optimizing their costs and reliability by partnering with multiple payment providers, PSP tokens can create sole reliance (lock-in) on a single partner.
What is initially presented as a convenient vault for securing payment data could quickly become a dire situation if the PSP shuts the merchant down, has an outage, or refuses to release stored cardholder data to another PSP: this can force the merchant to require their repeat customers to re-enter their payment information, a level of unnecessary friction that can drive down sales conversion rates.
Network Tokens
By contrast, a network token is distributed by one of the card networks (Visa, Mastercard, American Express, and Discover) and is arguably the most popular payment token type. Card networks will incentivize merchants to use these tokens and, in return, lower transaction costs for the merchant.
This type of payment token can only be used by the card networks or their partner merchants and is specific to the merchant to whom it is issued.
A key characteristic is that a card network token can only be used for payment data. Network tokens are used as part of a network tokenization strategy to mask sensitive payment data such as credit card numbers. The token acts as the payment credentials, replacing the Primary Account Number (PAN) to facilitate secure transactions, but only for a specific card-merchant pair. Therefore, merchants cannot incorporate other information into the record represented by the network token, such as the customer ID.
In this way, network tokens function more like a key that works for certain people and can only open specified lockboxes. Network tokens shift the responsibility and financial liability for a potential chargeback to the issuing bank.
Universal Tokens
Universal tokens are payment tokens that can be used in place of plaintext data for transactions across various channels, payment networks, and processors without exposing the underlying data. Merchants tokenize the card’s PAN—and any other related information they choose—with a unique identifier that cannot be decrypted, making it more secure to store and transmit than plaintext numbers.
Universal tokens can tokenize any sensitive data found in any format, including non-payment information like customer IDs, subscription statuses, or user names. This flexibility is one of many reasons merchants use universal tokens to tokenize sensitive data.
In this way, universal tokens work like universal physical locks, securing many types of valuables in different types of storage devices.
These tokens are often provided by third-party tokenization providers, like Basis Theory, on behalf of merchants and can integrate into a merchant’s systems nearly seamlessly.
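The sketch below is an added example, not code from this article or from any tokenization provider. It shows the model described above: the merchant stores only a random token, the vault keeps the PAN and any extra fields, and the PAN is released only to an allow-listed processor, which lets the merchant fall back to a second PSP. The names `TokenVault`, `charge_with_fallback`, `psp_a` and `psp_b` are hypothetical, and the card number is a constructed test value.

```python
import secrets


def luhn_ok(digits):
    """Luhn checksum used by card numbers; rejects mistyped PANs early."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Toy in-memory vault (hypothetical; a real vault is a separate service)."""

    def __init__(self, allowed_processors):
        self._records = {}                       # token -> sensitive record
        self._allowed = set(allowed_processors)

    def tokenize(self, pan, **extra):
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and luhn_ok(digits)):
            raise ValueError("not a valid card number")
        # The token is random, not computed from the PAN, so no key exists
        # that could turn it back into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._records[token] = {"pan": digits, **extra}
        return token

    def reveal_for(self, token, processor):
        # Only an allow-listed processor is ever handed the PAN.
        if processor not in self._allowed:
            raise PermissionError(f"{processor} may not detokenize")
        return self._records[token]["pan"]


def charge_with_fallback(vault, token, processors, is_up):
    """Try processors in order; the merchant side only ever holds the token."""
    for name in processors:
        if not is_up(name):
            continue
        pan = vault.reveal_for(token, name)      # done vault-side in practice
        return name, "****" + pan[-4:]
    raise RuntimeError("no processor available")


if __name__ == "__main__":
    vault = TokenVault({"psp_a", "psp_b"})
    tok = vault.tokenize("4111 1111 1111 1111", customer_id="cust_42")
    print(tok, charge_with_fallback(vault, tok, ["psp_a", "psp_b"], lambda n: n != "psp_a"))
```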
What is the best payment token type?
Think about the customer experience first before deciding which tokens are best for your use case. A merchant has several questions to work through:
- Will you be storing the PAN or a token?
- Will you accept wallet IDs that come with Google or Apple Pay?
- Which token should you process first, or should you process the card each time?
Other questions to consider:
How many PSPs are you working with?
- If you only need a single PSP now and in the foreseeable future, PSP tokens offer the simplicity and convenience required to get started quickly, and have the lowest management requirements.
- If multiple PSPs are needed in order to avoid a single point of failure or to reduce overall processing costs, consider universal tokens or network tokens, which offer flexibility across multiple PSPs.
What are your security and compliance priorities?
- Basic security measures: Network tokens offer basic security measures through restricted use. Remember, however, that the token is actually owned by the card network, and can be shut down by the network at their discretion.
- Additional security: Universal tokens usually offer the highest level of security and flexibility, making them attractive for most merchants.
What level of technical expertise does your team have?
- Minimal expertise and resources: PSP and network tokens are quite easy to set up, and don’t require significant technical expertise or resources to go live.
- More robust technical resources: Universal tokens require third-party integration and developer expertise. In many cases, the third-party provider will offer high-touch support and thorough documentation to help with any integration.
Does your business operate in a higher-risk space, or have a higher risk of being shut down?
- Yes: Universal tokens through a third-party token vault will offer redundancy and give merchants the most control over their payment data. Should a PSP shut down a merchant, the merchant can quickly pivot to a new PSP or pre-emptively build in a backup PSP to continue transacting before issues arise.
- No: Merchants with basic fund flows can often get by with PSP tokens but should be aware of the risks of vendor lock-in.
Does your business need a multi-processor or payment orchestration-focused approach?
- Yes: Universal tokens through a third-party tokenization provider open the door for multi-processor routing, backup processors, and other partner/integration needs. All merchants, regardless of size, should strongly consider whether this approach is right for them.
- No: Merchants with basic use cases can often get by with PSP tokens through their PSP but should be aware of the risks of vendor lock-in and the lack of flexibility in their payment flows.
While each merchant has different tokenization requirements, it is clear that using a combination of payment token types is key to optimizing the transaction flow and meeting any PCI compliance checklist.
It’s hard to say, “Always use a network token” or “PSP tokens work best” when use cases are so nuanced. Different tokens may be more useful as potential options downstream that could benefit the merchant too, without sacrificing any compliance requirements.
Ultimately, payment tokens kick off conversations about payment optimization.
Optimize for authorization rates, the customer experience, and costs. Whether a merchant is breaking free from PSP lock-in, wants to route payments precisely to their liking, or own their payments data, a token vault could be the right solution.