A deep dive on tokens

This is how purchases are still made today, and it’s remarkably effective, whether one is making a purchase in Istanbul or Indianapolis. What we are increasingly seeing, however, is that a wholesaler from Indianapolis may want to purchase, say, a 40-foot container of rugs from a vendor in Istanbul, and both parties want the transaction to be seamless, secure, and digital.

Tokenization, which enables cardholders to keep their credit card data private and merchants to have a comprehensive view of their working capital, has delivered everything the four-party model expects plus additional security and frictionless payment experiences.

Token overview

Let’s step back and understand what tokens are, what their purpose is, and how businesses may not even realize the frequency with which they are already using them.

Network tokens are meant to facilitate online payments or F2F (face-to-face) payments completed via digital wallets. They are a secure way to digitize card data via digital wallets, virtual cards, or card-on-file. They are chosen for their payment security and their related boost to transaction authorization rates, reassuring all involved (save the hackers). Today, for example, over 8000 issuers are enabled for tokenization, with over 200 markets empowered with the technology globally. In the last 12 months, over 1.5 million eCommerce merchants transacted with Visa Tokens every day.¹

We are finding, on average, that token-based transactions drive a 30 percent reduction in fraud online vs. PAN (16-digit card number) and a four percent uplift in authorization.² What Visa has seen is payment issues can cause up to 44 percent of digital abandonment; tokenization can mitigate these concerns.³ Visa is seeing a more than three percent authorization rate lift with tokens for Card-not-Present (CNP) transactions.⁴

To understand how tokens work, let’s take mobile wallet F2F payments as an example

When you add your Visa credit card to your digital wallet and use it to pay, your 16-digit card number (PAN) is replaced with a randomized set of digits. This payment token or Device Account Number (DAN) keeps your PAN secure. The DAN is, like the name suggests, device specific. So even if you add the same card details to your phone and your tablet, each one will have a separate DAN. All of this means that even if there is a breach of token data, a hacker can’t use it. Tokens also provide a unique cryptogram for every transaction, providing further security to each transaction. This is particularly important for CNP transactions as it adds an additional layer of security.

Tokens are subject to 3DS 2.0 protocol, the payment industry’s operational security authentication protocol for CNP payments. (For F2F transactions, authentication is delivered via PIN or face ID.) The protocol is applied in the issuer domain, the acquirer domain, and the payment network domain, hence 3D. The 2.0 protocol was developed to facilitate strong customer authentication processes and secure communication. It is why many online transactions today require a one-time password or code sent via email or SMS, and F2F transactions may require the same or biometric authentication, whether via fingerprint or face scan.

Having an industry-wide system is important because each payment transaction made with a token typically involves multiple tokens, and they all need to be able to “talk” to one another.

Network tokens

As mentioned above in relation to mobile wallets, network tokens replace sensitive card data, like the PAN, with a token, adding a unique cryptogram to each transaction for additional security. This network token replaces the PAN throughout the transaction, from merchant to Payment Service Provider (PSP) to card network. Another noteworthy aspect of network tokens is that they aren’t specific to a processor, and so they work across the payments ecosystem. They are also both randomized and individualized to a merchant.

Merchants can leverage network tokens to protect online transactions, optimize authorizations, and create a better payment experience for customers. Visa’s token CNP transactions have seen a 4.6 percent lift in authorization rates globally, compared to PAN.⁵ Higher authorization rates and fewer false declines improve customer experiences and increase sales opportunities for businesses.⁶

Network tokens overall provide enhanced security, reduced data exposure, and up-to-date information. Networks, like Visa, take on the role of checking with the issuer to confirm the underlying card tied to the token is a valid credential. For merchants, this helps reduce the risk of failed transactions.

1. Visa - Visa Issues 10 Billionth Token, Generating $40 Billion in Incremental E-commerce Globally.
2. Visa Risk Datamart, Global, FY22 Q1–Q4 Token Fraud Rate vs PAN Fraud Rate by PV for merchants with over 1,000 CNP token transactions per month per country. Merchant’s individual results may vary.
3. Euromonitor International, Voice of the Consumer: Digital Survey, March 2021.
4. VisaNet, Jan–Mar 2022. Visa credit and debit global card-not-present transactions for tokenized vs. non-tokenized credentials. Auth rate is defined as approved authorizations divided by total authorization attempts based upon first attempt of a unique transaction.
5. Visa Risk Datamart, Global, FY22 Q1–Q4 Token Fraud Rate vs PAN Fraud Rate by PV for merchants with over 1,000 CNP token transactions per month per country. Merchant’s individual results may vary.
6. Additional Use Cases Token ID_V (visa.com).