Planet

What exactly is a network token?

A network token is a secure method for processing card payments, designed to support businesses in delivering a frictionless payment experience by keeping customer payment data safe.

Payment network tokenization

Tokenization is a digital technique that organisations use to protect sensitive data. They do this by transforming sensitive data into non-sensitive data, which is called a ‘token’. The nature of this piece of data can vary wildly in terms of length and format.  

It is important to remember that a token has no value of its own. Without the original data, a token is meaningless. While tokens are unrelated to the original data in terms of their values, there are ways to link the tokens back to the original data, and that is what’s smart about tokenization. It enables the organisations using tokens to go about their day-to-day operations with a reduced risk of data leaks and breaches.

There are several different types of tokens used in the payment infrastructure. While each has the same outcome (swapping sensitive data for non-sensitive data), they also serve slightly different functions. Let’s take a look at some of those used within payments: 

  • Network tokens – Network tokens are generated by the card schemes. The role of network tokens is to secure payment transactions. By replacing sensitive cardholder data with a token containing meaningless information, the network tokens add an extra layer of security. We will go through network tokens in more detail shortly.
  • Acquirer tokens – Acquirer tokens are generated by the acquirers when they process cardholder transactions on behalf of merchants. Acting as an intermediary between merchants and payment networks, acquirer tokens enable tokenized payment data to be sent securely, ensuring that transactions flow without interruption from the point of sale to the payment network for processing.
  • Issuer tokens – Issuer tokens are generated by the bank or financial institution that issued the customer’s original credit or debit card. Their role is to authorise payment transactions. The tokenized data is linked with the actual account information to help authorise the payment transaction swiftly and seamlessly.  
  • Merchant tokens – A merchant is a person or business that sells goods or services. Merchant tokens are generated specifically for a merchant by the Acquirer (also known as a payment processor). The tokens enable merchants to securely process payments without the risk of revealing their customers’ sensitive data. Merchant tokens are tailored to the unique identity of each business and in this way, act as a secure conduit for payment processing.  

What are network tokens?

Every credit and debit card carries a 15- or 16-digit number, known as the primary account number (PAN). A card’s PAN is widely accepted as part of an online payment transaction; however, this has made the PAN valuable to fraudsters and, in turn, has made consumers vulnerable to fraud and data breaches. Card schemes such as Visa, Mastercard®, Discover and American Express have created a clever solution to this problem. Instead of using the PAN for online payment transactions, they have created payment network tokens.

Tokenization is a process that replaces highly sensitive card data, such as the PAN and expiry date, with a random character string that can be used only by the business that collected the card. Because the token contains a random character string, it is of no use to fraudsters and is, therefore, PCI compliant.

The card schemes generate payment network tokens automatically and in real time. A payment network token is created when the customer checks out on an e-commerce website or pays through a digital wallet such as Apple Pay or Google Pay. Each card scheme brand maintains its own repository of network tokens. In this way, if a customer loses their card or it is stolen, the card scheme updates the customer’s token automatically without any service disruption.

The awesome thing about network tokens is that they can create secure remote commerce throughout the payment chain: merchants, acquirers, and issuers no longer need to risk exposing the cardholders’ personal details by distributing sensitive cardholder data such as the PAN.

How does network tokenization work?

Network tokens are issued by the card scheme and stored by the merchant for transactions. Network tokens function by replacing the cardholder's credit or debit card data with a token that is unique to the customer, PAN, and merchant. Let’s break down the process into some simple steps:

1. Token initialisation – The tokenization process is triggered when the customer makes an online purchase and enters their card details including their card’s PAN, CVV, and expiry date.  

2. Token request – As soon as the merchant is in receipt of the customer’s card details, they share this information with their payment service provider (PSP). The PSP then requests a network token from the card scheme, such as Visa, Mastercard, Discover and American Express.  

3. Token process – A network token is automatically generated by the card scheme, which it shares with the card issuer (the cardholder’s bank), and the merchant’s PSP.  

4. Token storage – The merchant’s PSP shares the network token with the merchant. That token is typically stored by the merchant for future cardholder payments. Because it has been generated by the card scheme, the token is valid across the entire payment ecosystem.  

5. Authorisation stage – The PSP sends the network token for that card from the merchant to the card scheme.  

6. Token decryption – Once the card scheme receives the network token, it is decrypted, and the original card details are retrieved and shared with the card issuer so that they can be verified.  

7. Payment processing of the token – The card issuer can now verify the card details, process the transaction, and approve the payment. Thanks to tokenization, the original card details were only ever shared between the card scheme and the issuing bank. The token was used at every other stage of the process.
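
The seven steps above as a toy model, added here as an example (it is not code from the original page or from any card scheme). `SchemeVault`, `run_flow`, the merchant IDs and the test PANs are hypothetical, and the "decryption" step is modelled as a lookup in the scheme's token repository.

```python
import secrets

class SchemeVault:
    """Toy card-scheme token repository (hypothetical, not a real scheme API)."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "expiry", "merchant"}

    def request_token(self, pan, expiry, merchant_id):
        # Steps 2-3: the token is random digits with no mathematical link to the PAN.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "expiry": expiry, "merchant": merchant_id}
        return token

    def detokenize(self, token, merchant_id):
        # Step 6: only the scheme maps a token back to card details, and only
        # for the merchant the token was issued to.
        record = self._records.get(token)
        if record is None or record["merchant"] != merchant_id:
            raise PermissionError("token unknown or not valid for this merchant")
        return record["pan"], record["expiry"]

    def reissue_card(self, old_pan, new_pan, new_expiry):
        # Lost or stolen card: the scheme repoints existing tokens in place.
        for record in self._records.values():
            if record["pan"] == old_pan:
                record["pan"], record["expiry"] = new_pan, new_expiry

def run_flow():
    old_pan, new_pan = "4111111111111111", "4012888888881881"  # constructed test PANs
    vault = SchemeVault()
    issuer_cards = {old_pan: "12/27"}  # issuer's view: PAN -> expiry
    token = vault.request_token(old_pan, "12/27", "merchant-A")
    merchant_db = {"customer-1": token}  # step 4: the merchant stores only the token

    def pay(merchant_id):
        # Steps 5-7: the token goes to the scheme, real details go only to the issuer.
        try:
            pan, expiry = vault.detokenize(merchant_db["customer-1"], merchant_id)
        except PermissionError:
            return "declined"
        return "approved" if issuer_cards.get(pan) == expiry else "declined"

    results = {"first": pay("merchant-A"), "other_merchant": pay("merchant-B")}
    del issuer_cards[old_pan]  # card reported lost; the issuer replaces it
    issuer_cards[new_pan] = "01/30"
    vault.reissue_card(old_pan, new_pan, "01/30")
    results["after_reissue"] = pay("merchant-A")  # same stored token still works
    results["pan_in_merchant_db"] = any(p in merchant_db.values() for p in (old_pan, new_pan))
    return results
```

A token replayed by a different merchant is declined, and the merchant's stored token keeps working after the card is replaced without the merchant ever holding either PAN.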

What are the benefits of network tokenization?

  • PCI compliance and payment security – Network tokenization enables businesses to comply with PCI-DSS requirements because it reduces the amount of payment data that is subject to PCI-DSS requirements. Compliance is streamlined because network tokenization enables businesses to process transactions without exposing their customers’ data. This means the business can spend fewer resources and less time on payment security.
  • Reduced card fraud – According to Visa, network tokenization has been shown to reduce average fraud rates by around 26 per cent.
  • Keeps user data safe – The nature of tokenization means that the original card details were only ever shared between the card scheme and the issuing bank. This means the cardholder’s data is kept safe from fraudsters because data within the token is meaningless.  
  • Reduced declines – According to Visa, network tokenization has increased authorisation rates by over 2 per cent, meaning that fewer transactions are declined due to expiries, fraud or lost details.
  • Reduction in the cost of fraud – It is an unfortunate trend that as e-commerce has grown, so too has payment fraud. In their December 2022 report, Nilson estimated that the global card fraud losses for issuers, merchants and acquirers over the next 10 years could total $397 billion. Network tokenization offers an end-to-end security proposition that helps limit this amount.  
  • Cost savings – In 2022, Visa started charging non-token transactions at a higher rate. Merchants can, of course, mitigate such rate increases by adopting network tokens.
  • Improved customer experience – The collective effect of reduced card fraud and reduced declines is a better customer experience. And happy customers shop more!
  • Streamlined recurring payments – The subscription-based model relies on a secure, frictionless method for managing recurring transactions. And network tokenization can provide that.  

FAQs

What are primary account numbers?

A primary account number, also known as a PAN, is the name given to the 15- or 16-digit number found on every credit or debit card. A card’s PAN is widely accepted across businesses, making it easy to transact online; however, that also makes it a sensitive piece of information, which is where tokenization comes in.

What is a card scheme?

A card scheme is the term given to financial organisations that operate the debit and credit card networks. These include Visa, Mastercard, Discover and American Express.

What is a card acquirer?

A card acquirer collects and transmits information about a transaction to the participating parties to facilitate the payment. They are also known as a “payment service provider” or a “payment processor”.

What is an issuer?

A card issuer is the bank or financial institution that issued the cardholder’s original credit or debit card. Note that this is different from the card scheme, because the scheme operates the credit or debit card network on behalf of the issuer.

What is a merchant account?

A merchant is a person or business that sells goods or services. A merchant account is a type of bank account that allows merchants to process electronic payments such as debit and credit cards.

What is a CVV?

CVV stands for "Card Verification Value". The CVV is a three- or four-digit number printed on a credit or debit card. The number has no relevance to the cardholder; it has not been explicitly selected for them. The CVV is a number that online merchants request so that the cardholder can prove that they have a physical credit or debit card. In this way, it acts as a layer of online payment fraud protection. Note that the CVV is different from a PIN. The PIN is a unique four-digit “Personal Identification Number” that cardholders choose and use to complete various financial transactions.

What is detokenization?

The issuer can access the data within the token through a process known as detokenization. In most cases, a token will only be used once. This is the case with two-factor authentication, where each token is deleted after it has been used.  

How does network tokenization improve authorisation rates?

Tokenization is a clever way of shipping meaningless data that can later be securely matched with the card details. This is a secure way of sending sensitive information and reduces the likelihood that a customer’s account will be suspended due to fraudulent activity. Card schemes have found that tokenization has significantly reduced the number of declines caused by fraud and out-of-date cards, which results in increased authorisation rates.

What is PCI compliance?

PCI compliance is a security standard created by the Payment Card Industry Security Standards Council (PCI SSC). They created the PCI Data Security Standard (PCI DSS) to combat online fraud. Organisations handling debit or credit card data must hold a PCI compliance certificate to prove that they comply with it.

What is the difference between network tokenization and PCI tokenization?

Network tokenization is similar to PCI tokenization. PCI tokenization is undertaken by acquirers (usually a bank) or payment service providers on behalf of their merchants, and they do this to secure card data as it travels between the token provider and merchant. The main difference between network tokenization and PCI tokenization is that with network tokenization it is the card scheme that issues the token, not the acquirer or payment service provider.  

Which countries does PCI apply in?

The PCI DSS (Payment Card Industry Data Security Standard) is a global standard. This means that no organisation that processes or transmits cardholder data is exempt from complying with the PCI DSS.
