98% of merchants have experienced fraud over the past year. Reducing these incidents remains a top priority for sellers over the coming year. Additionally, as payment preferences continue to change and adapt, bad actors learn how to exploit new vulnerabilities. Merchants need to remain vigilant in protecting customer data while ensuring the customer experience remains seamless.
To keep up with customer expectations, merchants need to continue offering the digital payment methods consumers want to use. But as cybercriminals increasingly target these offerings, organizations have a responsibility to keep sensitive data safe. So, how can businesses avoid payment fraud? Payment security experts believe it is tokenization.
Key Takeaways
- With network tokenization, the primary account number (PAN) is replaced with a token by a card issuer.
- Network tokenization is a valuable tool for protecting payment data and can add security.
- Network tokenization and PCI tokenization can work together to keep customer data safe from bad actors.
 
The Origins of Tokenization
The world has long used tokenization to protect forms of payment. In earlier days, it was more physical, replacing actual money with banknotes, coins, casino chips or bus tokens. Fast forward to the early 2000s, where credit card payment transactions pass card numbers, expiration dates, and CVV from one party to another – from card holder, to merchant, processor, card networks and banks – creating several potential points of data exposure and the perfect breeding ground for cyber criminals to steal sensitive data.
Enter payment card tokenization. First created by TrustCommerce in 2001 for their client Classmates.com, this concept allowed Classmates.com customers to reference a token in place of their valuable card data for payment, rendering the data useless to hackers if the data was stolen.
Since then, card issuers and merchants have adopted the technology, and tokenization has continued to bring unprecedented convenience and security to digital payments. Recently, network tokenization has become an increasingly important way for merchants to protect consumer data.
What is Network Tokenization?
Network tokenization refers to payment card tokenization offered by payment brands like Visa, Mastercard, American Express, and Discover. It replaces the primary account number (PAN) and other card details with a token provided by the card brand.
Left with a small window of opportunity for fraud, cybercriminals are quick to capitalize on the vulnerabilities of PCI tokenization. With the boom in e-commerce, we have seen card networks close this “fraud window” with this updated and more secure payment card tokenization. By using both PCI tokenization and network tokenization, merchants can achieve a strong level of compliance and security across their payment platforms.
An Overview of PCI Tokenization
Tokenization has evolved throughout the years, but in the beginning, PCI tokenization was introduced by the PCI Security Standards Council as a method to reduce exposure of card information for e-commerce merchants.
PCI tokenization creates a mapping between credit card data and the token created to represent that data. Payment card tokenization removes sensitive information from the merchant’s internal system and replaces it with a one-of-a-kind token that is unreadable, even if hackers manage to breach the system. The token is usually a random sequence of numbers or letters that the organization’s internal systems use, while the original data can be retrieved securely by a merchant’s payment processor/gateway.
How PCI Tokenization Works
Below are the steps for an effective tokenization process:
- The merchant registers a card number with the tokenization system of the payment service (aka processor).
- The processor returns the token to the merchant.
- When the merchant wants to issue a transaction against the card, they pass the token to the processor.
- The processor swaps the token for the card number and sends it to the card network, where it is then passed to the issuing bank to complete the authorization.
 
While tokenization allows the merchant to safely store the token, assisting in PCI scope reduction, the process still transmits cardholder data at payment gateways and processors. Since the card number is tokenized at one endpoint and not across the entire payment ecosystem, the card number, expiration date, and CVV are still being passed along to the various parties involved in the payment transaction, creating points within the transaction flow where the card number could be exposed.
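The four steps above, and the exposure that remains after them, as an added example that is not Bluefin's or any processor's code. `ProcessorVault`, `run_demo`, the `tok_` prefix and the message fields are hypothetical names, and the card number is a constructed test value.

```python
import secrets


class ProcessorVault:
    """Processor-side tokenization system (hypothetical, in-memory)."""

    def __init__(self):
        self._cards = {}  # token -> card data; this mapping exists only at the processor

    def register(self, pan, expiry):
        """Steps 1-2: the merchant registers a card and gets a token back."""
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_hex(12)
        self._cards[token] = {"pan": pan, "expiry": expiry}
        return token

    def charge(self, token, amount_cents, network):
        """Steps 3-4: swap the token for the card number and forward it."""
        card = self._cards.get(token)
        if card is None:
            return {"approved": False, "reason": "unknown token"}
        # From here on the real card number travels to the network and issuer.
        return network({"pan": card["pan"], "expiry": card["expiry"],
                        "amount_cents": amount_cents})


def run_demo():
    seen_by_network = []  # what the parties past the processor receive

    def card_network(message):  # stand-in for card network plus issuing bank
        seen_by_network.append(message)
        return {"approved": True}

    vault = ProcessorVault()
    test_pan = "4111111111111111"  # constructed test card number
    merchant_db = {"customer-42": vault.register(test_pan, "12/30")}
    result = vault.charge(merchant_db["customer-42"], 1999, card_network)
    return merchant_db, seen_by_network, result


if __name__ == "__main__":
    merchant_db, seen, result = run_demo()
    print("merchant stores: ", merchant_db)
    print("network receives:", seen)
```

The merchant's records hold only the token, while the message leaving the processor still carries the card number.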
Benefits of Network Tokenization
Additional Security
Network tokenization adds a layer of security: the card network generates a cryptogram for each Consumer Initiated card authorization. The cryptogram is unique to the token, merchant, and individual transaction, which helps to validate the transaction for the bank while proving the authenticity of the card.
Network tokenization shields the actual card information from all parties involved in the transaction flow, which increases the security of the end-to-end payment ecosystem.
Better Customer Experience
One token exists for each card and updates automatically if the card expires or is replaced. This creates a more seamless customer checkout experience.
Improved Authorization Rates
False declines are a top concern for many merchants. In fact, it’s estimated that false declines are costing merchants $8.6 billion annually.
These errors typically occur due to issues with identity, which can include incorrect CVV information, or structural issues, which can be the result of hypervigilant fraud systems. Network tokenization can improve these rates, with merchants who participated in a pilot seeing a 5-8% reduction in false declines.
Cost Savings
Merchants will be able to save money through fewer declines and through reduced interchange rates that result from a decrease in fraud.
Shift in Liability
Merchants do not bear the responsibility for fraud charges. This is important since data breaches can impact companies of all sizes. In 2023, MOVEit was heavily impacted by a data breach, which resulted in 77 million records breached and $12 billion in damages. These damages can be expensive for organizations, so having additional measures in place to protect data is imperative in today’s business environment.
End-to-End PAN Replacement
Network tokenization replaces the PAN at the card network level. The token is collected at the payment gateway and is used for payment. These tokens are often limited to a specific domain or merchant, allowing for extra security for the customer.
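A simplified model of the merchant-restricted token described here and the per-transaction cryptogram described under "Additional Security", added as an example and not taken from any card network. HMAC-SHA256 is a stand-in for the networks' actual cryptogram algorithms, and `CardNetwork`, its methods and the `ntk_` prefix are hypothetical.

```python
import hashlib
import hmac
import secrets


class CardNetwork:
    """Simplified model of a card network's token service (hypothetical)."""

    def __init__(self):
        self._tokens = {}   # token -> PAN, allowed merchant, per-token key
        self._used = set()  # cryptograms that were already accepted once

    def provision(self, pan, merchant_id):
        """Replace the PAN with a token restricted to one merchant."""
        token = "ntk_" + secrets.token_hex(8)
        self._tokens[token] = {"pan": pan, "merchant": merchant_id,
                               "key": secrets.token_bytes(32)}
        return token

    def _mac(self, token, merchant_id, txn_id, amount_cents):
        # Assumption: HMAC-SHA256 over token, merchant and transaction data.
        msg = f"{token}|{merchant_id}|{txn_id}|{amount_cents}".encode()
        key = self._tokens[token]["key"]
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def cryptogram(self, token, merchant_id, txn_id, amount_cents):
        """Issue a cryptogram for one authorization by the token's merchant."""
        entry = self._tokens.get(token)
        if entry is None or entry["merchant"] != merchant_id:
            raise PermissionError("token not valid for this merchant")
        return self._mac(token, merchant_id, txn_id, amount_cents)

    def authorize(self, token, merchant_id, txn_id, amount_cents, cryptogram):
        """Validate token and cryptogram; return (approved, reason)."""
        entry = self._tokens.get(token)
        if entry is None:
            return False, "unknown token"
        if entry["merchant"] != merchant_id:
            return False, "wrong merchant"
        expected = self._mac(token, merchant_id, txn_id, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        if cryptogram in self._used:
            return False, "cryptogram already used"
        self._used.add(cryptogram)
        # Only at this point would the network map the token back to the PAN.
        return True, "approved"
```

A token and cryptogram captured from one transaction fail when replayed, when reused for a different transaction, or when presented by another merchant.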
How Network Tokenization Works
Network Tokenization Transaction Flow
Network tokenization involves the following steps:
A Network Token is Requested
The process begins when a customer enters payment details on a merchant’s website.
Once this occurs, the network token is requested by the merchant or payment gateway. The card network replaces the information with a token that is used throughout the payment process.
Token Storage for Later Use
The PAN is never stored. Instead, the token is stored and can be used at a later date for future purchases.
Payment is Made
Instead of using a PAN, a network token is used to make payments on behalf of a customer.
Card Network Authorizes the Payment
The card network will validate the token and authorize payment with the bank. The issuing bank never sees the token on their end.
The Differences between PCI Tokenization and Network Tokenization
While PCI tokenization and network tokenization may sound similar, the two systems work differently to protect customer data. Below are key differences to consider.
Token Management
For PCI tokenization, the token is issued by a payment gateway, while network tokenization is facilitated by the card network.
PAN Replacement
Network tokenization differs from PCI tokenization in that it replaces the PAN across the entire payment ecosystem instead of at just one specific endpoint. When only using PCI tokenization, the PAN is only replaced across merchant systems. Tokens may not be recognized at the card issuer level, which can create gaps in a data security policy.
Purpose
PCI tokenization focuses primarily on internal data security, which can include recurring billing, CRM integration, and storage of card information. Network tokenization focuses on the entire process from issuance to processing.
| | PCI Tokenization | Network Tokenization |
|---|---|---|
| Token Management | Payment gateway platform | Card network |
| PAN Replacement | Across all merchant systems | Across the entire network |
| Purpose | Internal data security. Protects data while in transit or while in storage | Protects data over the entire lifecycle |
| Data Protected | Payment data, Protected Health Information (PHI) and Personally Identifiable Information (PII) | Payment data |
The Combined Benefits of PCI Tokenization and Network Tokenization
PCI tokenization and network tokenization can work together to strengthen data security. Below are some of the benefits of combining these tactics:
PCI Scope
On its own, network tokenization does not reduce PCI scope. In order to achieve this, it will need to be paired with PCI tokenization.
Improve Compliance
It’s important that companies be able to protect PII and PHI, especially if they operate in highly regulated industries such as government or healthcare.
While network tokenization can add an additional layer of protection to payment data, PCI tokenization will also be needed to protect other important customer information. PCI validated tokenization can also help merchants remain in compliance with other government regulations such as GDPR and HIPAA.
Prevent Fraud
Network tokenization and PCI tokenization work together to prevent payment data from being misused by bad actors, while protecting data in storage.
Protect Customer Data through Tokenization with Bluefin
Bluefin, the leader in secure payment technology for encryption and tokenization technologies, understands that as digital payments evolve, technology to protect sensitive data needs to evolve as well.
As the first company to earn PCI validation for their point-to-point encryption (P2PE) solution in 2014, Bluefin added their ShieldConex® tokenization platform in 2020 to their integrated payment and data security offerings. ShieldConex secures PII (Personally Identifiable Information), PHI (Protected Health Information), and card payment information entered online.
Bluefin has adopted Visa’s network tokenization, Token ID, through the ShieldConex platform and their PayConex™ payment gateway, providing flexibility for their customers by tokenizing any type of data, while serving as a gateway for network.
Learn more about Bluefin’s ShieldConex to get started.







