Network tokenization versus PCI tokenization: five key differences

Andre Stoorvogel

Director, Product Marketing at Rambus Payments

12.06.2019 07:00 am

The concept of tokenization is not a new one in the payments industry. Solutions that replace sensitive data with a non-sensitive equivalent have been around for years in various forms.

But as the digital payments ecosystem continues to expand, it is becoming increasingly apparent that ‘payment tokenization’ solutions, such as network tokenization, can address the urgent need for increased security and reduced complexity, while promoting enhanced consumer experiences.

A short history of tokenization in the payments industry

Tokenization solutions can be broadly divided into two categories: security tokenization and payment tokenization.

Security tokenization (also known as acquirer tokenization or non-payment tokenization) approaches have traditionally been used to protect cardholder data and personally identifiable information (PII) stored in merchant databases. This is needed to enable popular consumer payment methods such as recurring billing and one-click ordering.

In comparison, PCI tokens are security tokens that comply with PCI guidelines to meet PCI DSS standards.

The publication of EMVCo’s EMV®* Payment Tokenization Specification – Technical Framework in 2014 marked the introduction of ‘payment tokenization’ to the ecosystem, and was followed by an update in 2017. The aim? To enhance the underlying security of digital payments by replacing primary account numbers (PANs) with unique EMV payment tokens. Network tokenization is a type of payment tokenization where the payment network plays the role of the token service provider (TSP) to generate tokens.

Although EMV payment tokenization found immediate success in securing in-store mobile contactless payments, Consult Hyperion predicts that it is online payments that will deliver ‘the real volume’. The question is, what differentiates network tokenization from security tokenization?

Delivering end-to-end security 

Proprietary security tokens are designed to protect sensitive information when it is ‘at rest’ within a merchant’s database after a transaction has been completed, reducing the risk and impact of a data breach.

The problem is, sensitive data is vulnerable throughout the entire payment processing chain. Not just at rest.

Neither proprietary nor PCI tokens protect consumer data while it is in transit or in use, introducing opportunities for fraudsters to hijack data through phishing attacks, malware and more. The rapid growth in card-not-present (CNP) fraud, despite ever-increasing investment in fraud protection, demonstrates that a more fundamental, holistic approach to payment security is needed.

Below are three ways in which network tokenization can help meet those needs:

1. Securing data in transit – The main benefit of network tokenization is that card details are protected throughout the entire transaction lifecycle.

2. Domain controls – Network tokens can be restricted in their usage, for example, to a specific device, merchant, transaction type or channel. With the proliferation of new payment methods, such as online, IoT and voice, the ability to limit and control how network tokens can be used is key to preventing cross-channel fraud.

3. Reducing false declines – Since network tokenization protects card details throughout the entire transaction lifecycle, issuers treat network tokenized payments as inherently more secure than non-network tokens. This can deliver numerous benefits downstream and address key pain points for merchants, by limiting fraud prevention spend, increasing approval rates and reducing false declines.
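
The domain controls in item 2, sketched as an added example that is not part of the original article and not taken from EMVCo or any payment network: a hypothetical token vault binds each token to usage restrictions at provisioning and refuses to map it back to the PAN when a request falls outside them. All class names, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FIELDS = ("merchant_id", "device_id", "channel", "transaction_type")

@dataclass(frozen=True)
class TokenDomain:
    """Restrictions bound to a token at provisioning (None = unrestricted)."""
    merchant_id: Optional[str] = None
    device_id: Optional[str] = None
    channel: Optional[str] = None            # e.g. "ecommerce", "contactless"
    transaction_type: Optional[str] = None   # e.g. "purchase", "recurring"

@dataclass(frozen=True)
class TokenRequest:
    token: str
    merchant_id: str
    channel: str
    transaction_type: str
    device_id: Optional[str] = None

class TokenVault:
    """Hypothetical TSP-side vault mapping token -> (PAN, TokenDomain)."""
    def __init__(self):
        self._entries = {}

    def provision(self, token, pan, domain):
        self._entries[token] = (pan, domain)

    def detokenize(self, req):
        """Return (pan, []) when allowed, else (None, [violated fields])."""
        if req.token not in self._entries:
            return None, ["unknown_token"]
        pan, domain = self._entries[req.token]
        violations = [f for f in FIELDS
                      if getattr(domain, f) is not None
                      and getattr(domain, f) != getattr(req, f)]
        return (None, violations) if violations else (pan, [])

def demo():
    """Constructed sample data: a test PAN and a made-up token value."""
    vault = TokenVault()
    vault.provision("4900000000000001", "4111111111111111",
                    TokenDomain(merchant_id="MERCHANT-A", channel="ecommerce"))
    ok = vault.detokenize(TokenRequest(
        "4900000000000001", "MERCHANT-A", "ecommerce", "purchase"))
    replay = vault.detokenize(TokenRequest(   # same token, different domain
        "4900000000000001", "MERCHANT-B", "contactless", "purchase"))
    return ok, replay
```

A token presented outside its provisioned merchant and channel yields no PAN, and the list of violated fields gives fraud monitoring a concrete signal to log.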

This trio of benefits is not the beginning, middle and end, however… there’s more.

4. Bridging the interoperability gap

As well as escalating security challenges, merchants must also deal with spiralling complexity.

Security tokens are limited to specific relationships, such as between a single acquirer and merchant. As the digital payments ecosystem expands, the burden of managing different proprietary tokens from multiple acquirers, payment service providers (PSPs) and gateways will become increasingly challenging.

The good news is that network tokens are globally interoperable across multiple acquirers and gateways. With the growth of omnichannel retail, consistency across different acceptance environments is a significant value-add.

We must also consider the backend impact. Security tokens are not formatted as routable PANs, so cannot be accepted as a like-for-like ‘replacement’. Network tokens are in the same format as a regular PAN, so can be accepted and routed along the normal payment rails without impacting the existing merchant systems.

5. Enabling value-added services

Hampered innovation is one of the hidden costs of fraud. Merchants want to spend their time, effort and resource on better consumer experiences, not tackling fraud.

It is true that security tokens can be effective in specific scenarios. Network tokenization offers more than just security, however, and can also be utilized to enhance the buying experience.

These services include digital card art to increase brand recognition, the ability to instantly refresh card details, and push provisioning to enable consumers to keep track of where and when their payment credentials are being used. All these features complement the security proposition to increase convenience and reduce friction.

Network tokenization versus security tokenization?

Although often referenced interchangeably, it is apparent that security tokenization and payment tokenization solutions (such as network tokenization) are very different propositions. Both are effective solutions for their defined purposes, but we should look to network tokenization as a foundational technology enabling secure, simple digital commerce through end-to-end security, global interoperability across different acceptance environments and value-added services.
