The Untold Truth About Network Tokens
Visa has reported that network tokenization can improve authorization rates by 4% or more and reduce fraud by 28%, making it an important tool for online businesses. But what about the fine print?
For example, can you just provision a network token with your payment service provider (or PSP), and voilà—you reap all the benefits of fraud reduction, higher approval rates, and up-to-date card data?!
In this case, the underlying assumption is that these benefits are automatic—that a network token provisioned by your PSP is the same as any other network token. However, the truth is that PSPs and payment orchestrators have different practices around network tokenization that can impact your ability to fully recognize its benefits. When choosing a provider, there are a few considerations you will want to factor into your decision.
In this post, we’ll walk through the example above in more detail and address other nuances that aren’t always mentioned in the marketing brochure. By the end, you’ll have the whole truth about the options available for implementing network tokens.
How Network Tokens Work
Similar to standard provider or PCI tokenization, network tokenization works by exchanging sensitive cardholder data (i.e., the primary account number or PAN) for a nonsensitive placeholder value called a token. This token offers the same functionality as the original data without the associated risk. However, since network tokens are provisioned in partnership with the networks and issuing banks, the token format is maintained for a greater part of the transaction flow. Fewer points of detokenization mean a more secure transaction.
This results in significantly less risk of sensitive data exposure. Even if a network token is intercepted, the data is useless to bad actors as there is no way to reverse engineer the token to obtain the original PAN. As an extra layer of security, network tokens also employ single-use cryptograms during the transaction.
While different networks may have slightly different network token configurations, they all enjoy a type of embedded account updater service to keep the underlying card data up-to-date, hence the increased authorization rates. Network tokens do not generally expire the same way cards do, and the token value seldom changes, if ever. Even if the card data changes, the network token is still active and viable for transactions. If they do expire or the underlying card account closes, these tokens are invalid and can’t be used for future transactions, limiting the opportunity for fraudsters.
Network Tokens: Important Considerations
The unique design elements of a network token mean it functions slightly differently than a traditional payment token. While there are many benefits available (enhanced security and increased authorization rates being just two), there are a few key considerations to address.
All Network Tokens Are Not Created Equal
Even though network tokens are based on the same EMVCo specifications, they are (unsurprisingly) specific to each network. Visa network tokens differ from Mastercard tokens. Provisioning network tokens for Mastercard cards is one integration, while provisioning network tokens for other card brands involves separate integrations. So, if you ever thought about integrating network tokens on your own (which is not recommended), you may want to take into account the work required.
Both third-party orchestrators and PSPs can facilitate these integrations and provision your eligible cards with network tokens. However, some providers can only support 1-2 card brands. If you plan on getting the most value, ensure the provider you choose can support network tokenization for all of the major card brands you accept.
Network Tokens Are Best Suited for Recurring Transactions
Network tokens are best suited for card-on-file solutions and work well for both customer-initiated and merchant-initiated transactions (CITs and MITs). Merchants storing cards on file for recurring transactions will benefit most from network tokenization. Conversely, businesses that process more one-time CITs do not have the same need to store card data or manage the card lifecycle and, therefore, won’t see a substantial benefit from network tokenization.
Network Tokens Require Cryptograms
In order to achieve reduced fraud rates, network tokens utilize advanced technologies like the cryptogram. Cryptograms come into play when a network token is used in a customer-initiated transaction. This single-use string of characters is generated with the card network and paired with the individual transaction. This is an added layer of security that validates the network token transaction for customer-initiated purchases.
Cryptograms secure the transaction in real time. In just milliseconds, they validate transactions by verifying the identity of both the card and the approval from the issuer. The cryptogram functions similarly to the CVV and helps the issuer validate legitimate transactions, providing an extra layer of fraud protection.
Because network tokens are inherently more sophisticated, not all PSPs are equipped to use them, so you won’t be able to use network tokens exclusively. PSPs may also only accept network tokens they provision, though this is happening less and less.
Network Tokens Cannot Be Provisioned for All Cards
Network tokens offer promising benefits for businesses, but their broad adoption is still nascent. It is estimated that 80% to 90% of issuing banks in the U.S., Europe, and Australia have adopted network tokenization for at least some of their card programs.
While these adoption rates are growing, pairing network tokens with universal tokens ensures the right token format for the job and creates redundancies for merchant transactions. Not all payment gateways, acquiring banks, or payment service providers have the infrastructure to support network tokenization.
By nesting universal tokens alongside network tokens, merchants get the best of all worlds. They can utilize network tokens for their business while falling back to other token formats.
Provisioning Network Tokens with a PSP versus a Payment Orchestration Platform
A crucial consideration for merchants and platforms is whether to provision network tokens with a third-party vault provider (like IXOPAY) or directly with a PSP. Most PSPs (and many other payment orchestration platforms) often do not reveal the underlying network token to the merchant, which limits the token's value and portability. And while convenient, using a PSP can be more costly than using a provider like IXOPAY.
In order to provision network tokens, a customer must do so under what’s called a token requestor ID (or TRID). This is essentially a license from the card networks to provide network tokens. PSPs will generally provision network tokens for customers under a "shared TRID" model, while a platform like IXOPAY will provide a TRID to each customer.
A shared TRID may mean network tokens are provisioned a few days earlier, but it ties those tokens to the PSP. IXOPAY provides a TRID to each customer and reveals the network tokens to our customers so they can be used across any PSP that accepts network tokens, and a merchant can even carry them to another vault.
The key is selecting a tokenization service provider who is truly agnostic and will provision tokens on behalf of the merchant using a dedicated TRID. Almost as important is choosing a provider that releases the underlying tokens to customers when requested. Since IXOPAY provisions network tokens using TRIDs assigned to the merchant, merchants benefit from a PSP-agnostic tokenization solution without the complexity of a top-to-bottom integration with each card network.
Maximizing the Value of Network Tokens
Network tokens are clearly beneficial to businesses by reducing fraud rates, improving authorization rates, and making card acceptance easier. As a result, adoption rates are growing. However, the challenge is how to approach implementation.
While viable, provisioning network tokens with a PSP will tie those tokens to the PSP, reducing flexibility for the merchant. As we’ve stated above, maximizing the benefit of network tokens requires some additional consideration and an eye toward the future. The portability, cost-effectiveness, and broad support make working with a payment orchestrator a compelling choice in implementing network tokens.