In the 10 years since its debut, network tokenization has changed the payments industry, improving the security and versatility of digital payments.
Apple Pay, the mobile payment service from Apple Inc. that debuted in 2014, could have been a no-go if not for the development of network tokenization.
The mobile phone-based payment service needed a way to secure sensitive payment card data that would work with any U.S. card issuer. The solution was network tokenization. Publicly, work began on a standard in 2013 and the technology was ready for the October 2014 launch of Apple Pay on iPhones.
Today, network tokens extend well beyond the iPhone user base, threading their way into e-commerce transactions and card-present transactions in some use cases. Thanks to the rapid adoption of mobile payments, especially during the Covid-19 pandemic, network tokenization came into its own.
It took six years—from the 2014 launch to 2020—for Visa Inc.’s token volume to reach 1 billion, but just four years later to get to 10 billion. As of February, that figure is 12.6 billion, going up 40% year-over-year, Visa says. Mastercard Inc., too, has seen token use blossom. It took three years to reach 1 billion tokens following Mastercard’s 2014 launch of the technology, and now the card network processes 1 billion a week.
‘An Agnostic Approach’
Network tokenization is a distinct form, separate from the tokens that acquirers and other providers have long provided to help with compliance with PCI Security Standards Council requirements. It developed as a way to mitigate the risks of providing sensitive card details by “providing additional controls that limit the risk typically associated with compromised, authorized, or fraudulent use of [primary account numbers] both in-store and online,” says EMVCo, the standards body overseeing this and other payment standards.
Network tokenization not only has enabled mobile wallets like Apple Pay and Google Pay to thrive, it has also made it easier for consumers and merchants to manage subscription payments and card-on-file payments. In e-commerce, tokens better secure transactions and help reduce the risk for merchants while boosting their conversion rates.
“The real benefit of network tokenization is we are able to provide an agnostic approach,” says Jennifer Marriner, Mastercard’s executive vice president of global acceptance solutions, and to make tokens available in any device, any platform, and any browser. It’s a tool that is accessible to all, and for consumers it helps ensure they have the same transaction experience in whatever way they make that transaction, Marriner says.
Given network tokenization’s development by three card networks—American Express Co. joined Mastercard and Visa in the task—the decision to stick with a 16-digit format for tokens was an easy one. Discover also provides network tokens for its cards.
“It has the same format as the 16-digit account number,” says Mark Nelsen, Visa global head of consumer products. That makes it easy for wallet providers to load a consumer’s payment credentials as if the token was like any other 16-digit account number, he says. Today, more than 40% of all Visa transactions are tokenized.
While tokenization had been a known entity, Apple’s request for something that could mask payment card data spurred development of network tokenization. Apple came to the card brands to say it wanted to use the iPhone for mobile payments but did not want to store 16-digit account numbers in it, Nelsen says.
A Vast Ecosystem
Network tokenization is quick. Once the consumer enters the card number at a merchant’s site or app, it is replaced with a token that is then sent through to the acquirer and then on to the card network, which forwards it to the issuer for an authorization decision. Mere moments pass.
Network tokens can be tied to a specific transaction, created as a one-time stand-in for the actual card number and related data. If a merchant experiences a data breach, consumers will not have much to worry about because the tokens typically could not be reused, since they are associated with, say, an online transaction made at 4:37 p.m. Jan. 2, 2024, using retailer XYZ’s mobile app.
A criminal trying to use that token 11 months later would be thwarted and find it unusable. Each token is unique in all aspects. Because these tokens are at the network level, card information can easily be updated.
Tokenization has three main components, says Michelle Kosir, head of product marketing at NMI, a Schaumburg, Ill.-based payments and gateway provider. There’s the tokenization engine, which is responsible for generating unique tokens and managing their lifecycle and ensuring they remain closely integrated with payment-processing services.
The token vault is the highly secure database that maintains the mapping between tokens and their corresponding original card data, “safeguarding this information against unauthorized access,” Kosir says.
The third component is the payment-ecosystem integration. This ability “allows the use of tokens across different payment environments, ensuring secure and smooth processing while preserving data integrity throughout the transaction journey,” she says.
The tokenization ecosystem is vast. It includes merchants, payment networks, token service providers, digital wallet providers, financial institutions that issue credit and debit cards, and issuer processors like Fiserv Inc., says Patrick Davie, Fiserv head of card services.
“Merchants and digital-wallet providers like Apple, Samsung, and Google interface with the token-service providers to provision unique tokens for the credit, debit, or private-label cards issued by the financial institution,” Davie says. “The token is stored either at the merchant or in the digital wallet, and when the cardholder presents their digital wallet for payment or elects to store their card on file at a merchant it is actually using the specific provisioned token for payment instead of the real card number.”
“The payment network acquires the transaction and interfaces with the [token service provider], who swaps out the token received from the merchant to the real card number to the issuer processor for authorization,” Davie continues. “The issuer processor replies with an approval or denial back to the payment network, who interfaces with the TSP to swap the real card number back to the token prior to replying to the merchant.”
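The swap Davie describes, combined with the token vault mapping and the 16-digit token format mentioned earlier, can be modeled as follows. This is an added example, not code from the article, EMVCo, or any card network. The names `TokenVault` and `authorize`, the token prefix, and the rule binding a token to the merchant it was provisioned for are assumptions made for illustration.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # positions that are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

class TokenVault:
    """Simplified TSP vault: token -> (real card number, merchant it was provisioned for)."""
    TOKEN_PREFIX = "489999"  # constructed prefix, not a real network token range

    def __init__(self):
        self._by_token = {}

    def provision(self, pan: str, merchant_id: str) -> str:
        """Issue a random 16-digit, Luhn-valid token; it is not derived from the PAN."""
        while True:
            body = self.TOKEN_PREFIX + "".join(secrets.choice("0123456789") for _ in range(9))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._by_token:
                self._by_token[token] = (pan, merchant_id)
                return token

    def detokenize(self, token: str, merchant_id: str):
        """Return the PAN only when the token is presented by its own merchant."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]

def authorize(vault, issuer_decides, token, merchant_id, amount_cents):
    """Network-side flow: swap token -> PAN for the issuer, reply to the merchant with the token."""
    pan = vault.detokenize(token, merchant_id)
    if pan is None:  # unknown token, or a token replayed outside the merchant it belongs to
        return {"account": token, "approved": False, "reason": "token rejected"}
    approved = issuer_decides(pan, amount_cents)  # only the issuer side sees the PAN
    return {"account": token, "approved": approved, "reason": "issuer decision"}
```

Because the token is random rather than computed from the card number, a copy taken from a merchant's database reveals nothing about the card and is declined when presented under any other merchant ID.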
With this as the foundation, network tokenization use is still growing. Mastercard has set a goal of tokenizing all its card numbers for online transactions globally by 2030, a move that could make obsolete the need for physical card numbers, passwords, and one-time codes for online purchases. Visa is similarly invested in the benefits of network tokenization, but has not issued a similar goal date.
Personalized Commerce
For all the things it can do, network tokenization cannot solve all the fraud problems in payments.
“Tokenization is not going to prevent some of the social-engineering type of fraudsters,” Marriner says. “There are still phishing attacks.” Phishing emails attempt to dupe recipients into clicking what appears to be a legitimate link to trick them into divulging information. “It can’t help directly with that,” she says. But fraudsters target the weakest link, and tokenization does a lot to boost digital-payment security.
“Tokenization is great for securing stored card data, but it’s not a catch-all solution for fraud prevention,” Kosir says. “This payment technology primarily addresses the security of stored card data, but is limited in protecting against methods like phishing attacks or account takeovers, which typically occur when credentials are stolen during the initial data-entry phase. Additionally, while tokenization safeguards data through anonymization, it does not authenticate the cardholder’s identity.”
NMI added support for network tokenization earlier this year with the aim of reducing operational costs by lowering interchange fees, increasing acceptance rates, and minimizing chargebacks, Kosir says.
Tokenization could be especially helpful as criminals adopt artificial-intelligence capabilities to make their attacks harder to identify or to counter.
“With hackers utilizing new technologies like AI to try to access data, companies need to operate on the mindset that it’s not if they’ll suffer a breach, it’s when,” says Brent Johnson, chief information security officer at Bluefin Payment Systems LLC, an Atlanta-based payments and security technology provider.
“If hackers compromise a system and the data is tokenized, all they will be able to see is the randomly generated token, which is useless to them,” he continues. “This is all the more important today as organizations are looking to store more customer data, like [personally identifiable information], to create more personalized commerce experiences.”
Identity is Next
Network tokenization hasn’t necessarily steered fraudsters to other payment channels, says Maanas Godugunur, senior director of fraud and identity at LexisNexis Risk Solutions, an Atlanta-based risk management provider, because criminals always move to where customers go. “As the adoption of digital wallets and tokenization grows, fraudsters identify and exploit vulnerabilities,” Godugunur says.
In the years to come, network tokenization likely will extend beyond protecting necessary payment data and could include other data, like the personally identifiable information Johnson mentions.
“Payment security will always be a key use case of tokenization, but the use of tokenization is evolving to help businesses create a more connected, personalized omnichannel customer experience for consumers, made possible through the increased amount of tokenized customer data businesses are storing,” Bluefin’s Johnson says.
Visa’s Nelsen also sees more utility as tokenization evolves. “The way we see it is historically the payment token was given to merchants and has just been used for payments,” he says, but it could be used to add personalization preferences for consumers. “You could share personal preferences, and we can put that into the token itself,” he says. For example, a token could hold an individual’s preference for hotel chains when used at an online travel site or a list of hotels like ones the individual has previously booked.
At Mastercard, Marriner says the next step in tokens will be identity. Tokens could be used for consent and data and asset management, she says.
A Widening Horizon
Kosir says tokenization will become more integrated into the broader payments ecosystem. “We see it playing a bigger role in omnichannel commerce, subscription billing for software providers, and digital-wallet solutions,” she says. “As this technology evolves beyond conventional credit-card usage to encompass areas such as bank transfers, loyalty programs, and even blockchain applications, tokenization’s role in bolstering transaction security and offering flexible payment solutions will only intensify.”
Other potential uses include Web-push provisioning, which allows cardholders to provision tokens directly from Web interfaces without app downloads, says Lisa Hrabosky, vice president of bank and network partnerships at Marqeta Inc., an issuing platform.
And there are yet other use cases, such as in-store and with alternative payment methods, like QR codes. There’s an opportunity to integrate tokens with emerging payment models that could involve subscription services, wearables, and Internet of Things payments, along with improving interoperability across platforms and devices.
And at Milwaukee-based Fiserv, Davie says time will help expand the possibilities. “As payments continue to evolve, the use of tokenization will likely increase as well. It’s hard to ignore the importance of tokenization of sensitive card data,” Davie says.
“With time, the use of digital wallets, mobile payments, virtual or digital cards will increase, and so will the need for tokenization,” he continues. “Also, combining tokenization with existing fraud-prevention tools using AI or machine learning will benefit merchants and issuers by helping minimize fraud and further strengthen the overall tokenization model.”
The utility of tokenization will help increase use of the technology even in areas outside of payments, such as health care.
“In addition to collecting more [personally identifiable information], the rise of telehealth and other online medical services has led companies to collect and store more protected health information (PHI) within their systems as well,” says Johnson. “Given the sensitivity of PII and PHI, it’s critical that this data is tokenized so it is not accessible to hackers in the event of a breach.”
“Overall,” Johnson adds, “using tokenized data to enhance the customer experience to meet customers’ unique needs is the next evolution of how companies will use tokenization.”