Network Token

What Is a Network Token?

A network token is a unique payment credential issued by a card network (Visa, Mastercard, American Express) that replaces a cardholder's actual card number for digital transactions. Defined by the EMVCo Payment Tokenisation Specification, it is a 13-19 digit, Luhn-valid number that looks and validates like a standard card number but maps to the real PAN only inside the network's secure token vault.

Each network token is domain-restricted: it is tied to a specific merchant, device, channel, or transaction type. A token issued for one online merchant cannot be used at another merchant or in a physical store. If the token is intercepted or leaked, it is useless outside its authorized domain.

The concept launched in 2014 when Visa introduced the Visa Token Service (VTS) alongside Apple Pay. Today, Visa has issued over 15 billion tokens, and roughly 50% of global e-commerce transactions are tokenized. Industry projections estimate tokenized transactions will double from 283 billion in 2025 to 574 billion by 2029.

How It Works

Network tokenization involves five key participants: the cardholder, the token requestor (the merchant or wallet), the Token Service Provider (the card network), the issuer bank, and the acquirer.

Token Provisioning

When a customer saves a card at an online merchant or adds it to a mobile wallet, the provisioning flow begins:

1. The merchant or wallet (the token requestor) submits the card details (PAN, expiry, CVV) to the card network's Token Service Provider
2. The TSP forwards the request to the issuing bank, which approves or denies the tokenization based on fraud risk checks
3. Upon approval, the TSP generates a unique network token mapped to the PAN in its secure vault and assigns a Token Assurance Level reflecting confidence in the cardholder verification
4. The token is returned to the merchant or wallet for storage in place of the raw card number

Each token requestor receives an 11-digit Token Requestor ID (TRID) from each card network. Registration typically takes two weeks to two months.

Transaction Authorization

When a customer makes a purchase using a stored card, the tokenized authorization flow replaces the traditional PAN-based flow:

1. The merchant submits the network token and a transaction-specific cryptogram (TAVV or DTVV) to the acquirer
2. The acquirer forwards the token and cryptogram to the card network
3. The card network validates the domain restrictions and cryptogram, then de-tokenizes the token back to the real PAN in the token vault
4. The network forwards the PAN along with token metadata to the issuer for authorization
5. The issuer authorizes the transaction, using the network token verification as an additional trust signal
6. The response flows back through the chain to the merchant

Cryptogram Generation

Each network token transaction includes a single-use cryptogram that ties the token to the specific merchant and transaction. The two primary types are:

• TAVV (Token Authentication Verification Value): a 20-byte Base64-encoded value used by Visa for e-commerce token transactions
• DTVV (Dynamic Token Verification Value): an alternative cryptogram type used in certain token transaction flows

Cryptograms are generated fresh for every authorization request and cannot be reused, even if the transaction is declined. This makes intercepted tokens worthless because a valid cryptogram cannot be forged or replayed.

Token Lifecycle Management

One of the most valuable features of network tokens is automatic lifecycle management, known as Card Account Lifecycle Management (CALM). When a cardholder's underlying card changes, the network token handles updates automatically:

• Card reissue or replacement (lost, stolen, expired): the token remains active while the underlying card data updates in the vault
• Expiration: the token stays active with its own expiry, independent of the card's physical expiration date
• De-provisioning: the merchant or issuer can delete a token via API, permanently removing its mapping

CALM replaces the legacy Account Updater service, which relied on batch files with up to 48-hour delays and cost approximately $0.25 per card update. Network token lifecycle updates are near-real-time and included at no additional cost.

Example: Tokenized Authorization Request

// Simplified tokenized e-commerce authorization
{
  "token": "4000000000001234",       // Network token (not the real PAN)
  "token_expiry": "12/2028",
  "cryptogram": "AgAAAAAABk4DcAoTa...", // TAVV (single-use)
  "eci": "07",                       // E-commerce indicator
  "token_requestor_id": "40012345678",
  "amount": 4999,
  "currency": "USD",
  "merchant_id": "MERCHANT_12345"
}

// The card network de-tokenizes before sending to the issuer:
{
  "pan": "4111111111111111",         // Real PAN (never seen by merchant)
  "token_assurance_level": "03",     // High confidence in cardholder binding
  ...
}

Network Tokens vs. Gateway Tokenization

Many merchants already use tokenization through their payment gateway or PSP. Gateway tokens and network tokens solve different problems and can work together.

Many PSPs now provision network tokens behind the scenes. A merchant using Stripe, for example, may have both a Stripe token (for internal reference) and a network token (for higher authorization rates) mapped to the same card.

Use Cases

E-Commerce Card-on-File

The primary use case for network tokens is card-not-present transactions where merchants store card credentials for repeat purchases. Subscription services, marketplaces, and any merchant with returning customers benefit from tokenized card-on-file storage. The automatic lifecycle updates eliminate failed recurring payments when cards are reissued, which merchants report increases retention by up to 7.5%.

Mobile Wallets and Contactless Payments

When a card is added to Apple Pay, Google Pay, or Samsung Pay, the wallet provider requests a network token from VTS or MDES. The token (sometimes called a Device PAN or DPAN) is stored on the device in a Secure Element or via Host Card Emulation. At contactless terminals, the device transmits the network token with a dynamic cryptogram via NFC, never exposing the real card number.

Recurring and Subscription Billing

Subscription businesses face significant churn from involuntary payment failures caused by expired or reissued cards. Network tokens solve this with CALM: when a card is replaced, the token automatically updates without merchant or cardholder intervention. This eliminates a major source of passive churn in subscription models.

Cross-Processor Portability

Unlike PSP-specific tokens, network tokens are portable across payment processors. A merchant switching from one acquirer to another can continue using the same network tokens without re-collecting card details from customers. This reduces the operational cost and customer friction of processor migrations.

Why It Matters

Network tokens deliver measurable improvements across three dimensions that directly impact merchant revenue:

• Authorization rate lift: Visa reports a 4-6% improvement in card-not-present authorization rates for tokenized transactions compared to PAN-based transactions, translating to an estimated $110 billion in incremental merchant sales in 2024 alone
• Fraud reduction: Visa data shows up to 26-30% reduction in fraud on tokenized transactions, driven by domain restriction and per-transaction cryptograms that make stolen tokens unusable
• Interchange savings: Visa offers a 10 basis point interchange reduction on consumer credit card CNP transactions that use network tokens

The card networks are moving aggressively to make tokenization the default. Mastercard committed in June 2024 to eliminating manual card number entry for all online payments in Europe by 2030, combining network tokens with Click to Pay and payment passkeys. Mastercard also charges penalty fees on non-tokenized card-on-file transactions through its Credential Continuity Program, which increased the per-transaction fee to $0.09 for recurring transactions using outdated credentials in the U.S. starting April 2025.

For a deeper analysis of how these economics play out for merchants, see the research article on card network economics and the guide to merchant payment acceptance costs.

Token Service Providers

Each major card network operates its own Token Service Provider:

• Visa Token Service (VTS): launched in 2014 as the first network TSP, VTS manages provisioning, de-tokenization, lifecycle updates, and cryptogram validation. It includes the Cloud Token Framework for enhanced e-commerce security with device-level cardholder authentication.
• Mastercard Digital Enablement Service (MDES): Mastercard's integrated platform for issuers, wallet providers, and merchants. For e-commerce card-on-file, Mastercard brands this as Secure Card on File (SCOF). In 2024, Mastercard launched MDES Token Connect to enable tokenization through issuer banks' mobile banking apps.
• American Express Token Service: Amex operates its own TSP following the same EMVCo specification, issuing tokens for Amex cards across digital wallets and e-commerce.

The TSP generates and stores the token-to-PAN mapping, enforces domain restrictions, manages lifecycle events, and validates cryptograms during authorization. The Payment Account Reference (PAR) is a non-financial identifier that links all tokens back to the original PAN, enabling downstream services like loyalty programs and analytics to correlate activity without exposing the actual card number.

Risks and Considerations

Issuer Support Gaps

Network token effectiveness depends on issuer participation. While over 90% of issuers in North America and EMEA support tokenization, coverage drops to around 40% in some emerging markets. Merchants operating globally must maintain PAN-based fallback processing for regions with incomplete issuer support.

Implementation Complexity

Adopting network tokens requires integration with each card network's TSP, obtaining Token Requestor IDs (a process that can take weeks to months), and managing token lifecycle events. Many merchants rely on their payment gateway or PSP to handle this complexity rather than integrating directly with VTS and MDES.

Dual-Token Management

Merchants using PSP tokenization alongside network tokens must manage two layers of token mappings. A single stored card may have a PSP token (for the merchant's internal reference), a network token (for authorization), and a PAR (for cross-token correlation). This adds operational complexity to payment infrastructure.

Regulatory Variation

India mandated full card-on-file tokenization in October 2022, achieving 100% issuer support. Other markets have no such mandates, creating an uneven global landscape. Merchants must track evolving regulations and network mandates across each market they operate in, alongside related requirements like 3D Secure authentication.

Centralization of Trust

Network tokenization concentrates the token vault and de-tokenization infrastructure within the card networks themselves. This deepens merchant dependence on Visa and Mastercard infrastructure. Alternative payment methods, including stablecoin payment rails and account-to-account transfers, offer different trust models: for example, stablecoin payment rails settle peer-to-peer without intermediary token vaults.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.