How payments work
Making a card purchase involves a four-party model: issuer, cardholder, acquirer, and merchant.
Issuers
Cardholders
Acquirers
Merchants
This is how purchases are still made today, and it’s remarkably effective, whether one is making a purchase in Istanbul or Indianapolis. What we are increasingly seeing, however, is that a wholesaler from Indianapolis may want to purchase, say, a 40-foot container of rugs from a vendor in Istanbul, and both parties want the transaction to be seamless, secure, and digital.
Tokenization, which enables cardholders to keep their credit card data private and merchants to have a comprehensive view of their working capital, has delivered everything the four-party model expects plus additional security and frictionless payment experiences.
— Ryan McInerney, CEO, Visa Inc.
Token overview
Let’s step back and understand what tokens are, what their purpose is, and how businesses may not even realize the frequency with which they are already using them.
Network tokens are meant to facilitate online payments or F2F payments completed via digital wallets. They are a secure way to digitize card data via digital wallets, virtual cards, or card-on-file. They are chosen for their payment security and their related boost to transaction authorization rates, reassuring all involved (save the hackers). Today, Visa, for example, operates tokens in 198 countries and across thousands of issuers and merchants. We are finding, on average, that token-based transactions drive a 30 percent reduction in fraud online vs. PAN (16-digit card number) and a four percent uplift in authorization.¹ What Visa has seen is payment issues can cause up to 44 percent of digital abandonment; tokenization can mitigate these concerns.² Visa is seeing a more than three percent authorization rate lift with tokens for Card-not-Present (CNP) transactions.³
-
When you add your Visa credit card to your digital wallet and use it to pay, your 16-digit card number (PAN) is replaced with a randomized set of digits. This payment token or Device Account Number (DAN) keeps your PAN secure. The DAN is, like the name suggests, device-specific. So even if you add the same card details to your phone and your tablet, each one will have a separate DAN. All of this means that even if there is a breach of token data, a hacker can’t use it. Tokens also provide a unique cryptogram for every transaction, providing further security to each transaction. This is particularly important for CNP transactions as it adds an additional layer of security.
Tokens are subject to 3DS 2.0 protocol, the payment industry’s operational security authentication protocol for CNP payments. (For F2F transactions, authentication is delivered via PIN or face ID.) The protocol is applied in the issuer domain, the acquirer domain, and the payment network domain, hence 3D. The 2.0 protocol was developed to facilitate strong customer authentication processes and secure communication. It is why many online transactions today require a one-time password or code sent via email or SMS, and F2F transactions may require the same or biometric authentication, whether via fingerprint or face scan.
Having an industry-wide system is important because each payment transaction made with a token typically involves multiple tokens, and they all need to be able to “talk” to one another.
Network tokens
As mentioned above in relation to mobile wallets, network tokens replace sensitive card data, like the PAN, with a token, adding a unique cryptogram to each transaction for additional security. This network token replaces the PAN throughout the transaction, from merchant to Payment Service Provider (PSP) to card network. Another noteworthy aspect of network tokens is that they aren’t specific to a processor, and so they work across the payments ecosystem. They are also both randomized and individualized to a merchant.
Merchants can leverage network tokens to protect online transactions, optimize authorizations, and create a better payment experience for customers. Visa’s token CNP transactions have seen a 4.6 percent lift in authorization rates globally, compared to PAN.⁵ Higher authorization rates and fewer false declines improve customer experiences and increase sales opportunities for businesses.
Network tokens overall provide enhanced security, reduced data exposure, and up-to-date information. Networks, like Visa, take on the role of checking with the issuer to confirm the underlying card tied to the token is a valid credential. For merchants, this helps reduce the risk of failed transactions.
The use of Visa network tokens present (CP) transactions
Visa network tokens replace the PAN in the payment message, helping to protect sensitive cardholder details throughout the payment journey.
Understanding how different card types interrelate with tokenized payments
Card present (CP)
Card Present (CP) is when the card holder, the payment device, and the card are physically present at the terminal. These are often known as face-to-face transactions (F2F). This included swipe-to-pay, which is a non-tokenized payment and tap-to-pay, which is a tokenized payment. When you use your card at a supermarket, even if you tap to pay, that’s CP.
Card not Present (CNP)
Card not Present (CNP) is when the card number is inputted by a means other than F2F. For example, if you’re paying via the internet, mail order, telephone, guest checkout, virtual card or with a card on file, that’s CNP. If you’re purchasing food via your car’s payment system before heading to a drive-thru, that’s CNP, because you’re not near the payment device.
Virtual cards
Virtual cards are created from a physical account number as a single-use digital-only card, in order to protect the physical account number and allow reconciliation back to an original physical account number. Virtual cards are always CNP because there is no physical card issued.
Digital cards
Digital cards (otherwise known as connected cards) are where you provision a CP, CNP, or digital card onto a mobile phone’s digital wallet. All payments uploaded to a mobile wallet use tokens. It can be used to make payments as CP if tap-to-pay is used on a device at the time of payment. Anytime you’re using a digital card, that’s a tokenized payment, whether digital, CNP, or CP.
About the author
Darren Parslow
Global Head, Visa Commercial Solutions
Visa Commercial Solutions Knowledge Hub
A dedicated space for banks, financial institutions, and fintechs to find the latest thought leadership. The Knowledge Hub is the best place to find new research-driven content.
- VisaNet, Oct–Dec 2022. Visa credit and debit global card-not-present transactions for tokenized vs. non-tokenized credentials. Auth rate is defined as approved authorizations divided by total authorization attempts based upon first attempt of a unique transaction.
- Euromonitor International, Voice of the Consumer: Digital Survey, March 2021
- VisaNet, Jan–Mar 2022. Visa credit and debit global card-not-present transactions for tokenized vs. non-tokenized credentials. Auth rate is defined as approved authorizations divided by total authorization attempts based upon first attempt of a unique transaction.
- EMARKETER, Worldwide Retail Ecommerce Forecast 2025.
- Visa Risk Datamart, Global, FY22 Q1–Q4 Token Fraud Rate vs PAN Fraud Rate by PV for merchants with over 1,000 CNP token transactions per month per country. Merchant’s individual results may vary.