Network tokenization versus PCI tokenization: five key differences

Andre Stoorvogel

Director, Product Marketing at Rambus Payments

12.06.2019 07:00 am

The concept of tokenization is not a new one in the payments industry. Solutions that replace sensitive data with a non-sensitive equivalent have been around for years in various forms.

But as the digital payments ecosystem continues to expand, it is becoming increasingly apparent that ‘payment tokenization’ solutions, such as network tokenization, can address the urgent need for increased security and reduced complexity, while promoting enhanced consumer experiences.

A short history of tokenization in the payments industry

Tokenization solutions can be broadly divided into two categories: security tokenization and payment tokenization.

Security tokenization (also known as acquirer tokenization or non-payment tokenization) approaches have traditionally been used to protect cardholder data and personally identifiable information (PII) stored in merchant databases. This is needed to enable popular consumer payment methods such as recurring billing and one-click ordering.

In comparison, PCI tokens are security tokens that comply with PCI guidelines to meet PCI DSS standards.

The publication of EMVCo’s EMV®* Payment Tokenization Specification – Technical Framework in 2014 marked the introduction of ‘payment tokenization’ to the ecosystem, and was followed by an update in 2017. The aim? To enhance the underlying security of digital payments by replacing primary account numbers (PANs) with unique EMV payment tokens. Network tokenization is a type of payment tokenization where the payment network plays the role of the token service provider (TSP) to generate tokens.

Although EMV payment tokenization found immediate success in securing in-store mobile contactless payments, Consult Hyperion predicts that it is online payments that will deliver ‘the real volume’. The question is, what differentiates network tokenization from security tokenization?

Delivering end-to-end security 

Proprietary security tokens are designed to protect sensitive information when it is ‘at rest’ within a merchant’s database after a transaction has been completed, reducing the risk and impact of a data breach.

The problem is, sensitive data is vulnerable throughout the entire payment processing chain. Not just at rest.

Neither proprietary nor PCI tokens protect consumer data while in transit or in use, introducing opportunities for fraudsters to hijack data through phishing attacks, malware and more. The rapid growth in card-not-present (CNP) fraud, despite ever-increasing investment in fraud protection, demonstrates that a more fundamental, holistic approach to payment security is needed.

Below are three ways in which network tokenization can help meet those needs:

1. Securing data in transit – The main benefit of network tokenization is that card details are protected throughout the entire transaction lifecycle.

2. Domain controls – Network tokens can be restricted in their usage, for example, to a specific device, merchant, transaction type or channel. With the proliferation of new payment methods, such as online, IoT and voice, the ability to limit and control how network tokens can be used is key to preventing cross-channel fraud.

3. Reducing false declines – Since network tokenization protects card details throughout the entire transaction lifecycle, issuers treat network tokenized payments as inherently more secure than non-network tokens. This can deliver numerous benefits downstream and address key pain points for merchants, by limiting fraud prevention spend, increasing approval rates and reducing false declines.
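To make the domain controls in point 2 concrete, here is an added Python example (not from the original article, and not any payment network's implementation) of a toy token vault that releases the underlying PAN only when the transaction context matches the restrictions bound to the token. The class names, field names, merchant and device identifiers and the token value are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, fields
from typing import Optional

@dataclass(frozen=True)
class Domain:
    """Restrictions bound to a token; None leaves that axis unrestricted.
    The same shape is reused to describe the context a token is presented in."""
    merchant_id: Optional[str] = None
    device_id: Optional[str] = None
    channel: Optional[str] = None
    transaction_type: Optional[str] = None

class TokenVault:
    """Toy token service provider (hypothetical): maps token -> (PAN, Domain)."""
    def __init__(self):
        self._records = {}

    def provision(self, token: str, pan: str, domain: Domain) -> None:
        self._records[token] = (pan, domain)

    def violations(self, token: str, context: Domain) -> list:
        """Names of the restricted fields that the presented context fails to match."""
        if token not in self._records:
            return ["unknown_token"]
        _, domain = self._records[token]
        return [f.name for f in fields(domain)
                if getattr(domain, f.name) is not None
                and getattr(domain, f.name) != getattr(context, f.name)]

    def detokenize(self, token: str, context: Domain):
        """Return (PAN, []) for in-domain use, else (None, reasons) to decline and log."""
        reasons = self.violations(token, context)
        if reasons:
            return None, reasons
        return self._records[token][0], []

# Constructed sample data: a widely used test PAN and a made-up PAN-format token.
PAN = "4111111111111111"
TOKEN = "4895370012003478"
vault = TokenVault()
vault.provision(TOKEN, PAN, Domain(merchant_id="M-1001", channel="ecommerce"))

# The token used where it was provisioned, and the same token replayed elsewhere.
in_domain = Domain("M-1001", "D-77", "ecommerce", "purchase")
replayed = Domain("M-2002", "D-77", "contactless", "purchase")

if __name__ == "__main__":
    print(vault.detokenize(TOKEN, in_domain))
    print(vault.detokenize(TOKEN, replayed))
```

The list of failed fields returned on a decline is the signal a fraud team would log to spot cross-channel or cross-merchant token reuse.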

This trio of benefits is not the beginning, middle and end, however… there’s more.

4. Bridging the interoperability gap

As well as escalating security challenges, merchants must also deal with spiralling complexity.

Security tokens are limited to specific relationships, such as between a single acquirer and merchant. As the digital payments ecosystem expands, the burden of managing different proprietary tokens from multiple acquirers, payment service providers (PSPs) and gateways will become increasingly challenging.

The good news is that network tokens are globally interoperable across multiple acquirers and gateways. With the growth of omnichannel retail, consistency across different acceptance environments is a significant value-add.

We must also consider the backend impact. Security tokens are not formatted as routable PANs, so cannot be accepted as a like-for-like ‘replacement’. Network tokens are in the same format as a regular PAN, so can be accepted and routed along the normal payment rails without impacting the existing merchant systems.

5. Enabling value-added services

Hampered innovation is one of the hidden costs of fraud. Merchants want to spend their time, effort and resource on better consumer experiences, not tackling fraud.

It is true that security tokens can be effective in specific scenarios. Network tokenization offers more than just security, however, and can also be utilized to enhance the buying experience.

Examples include digital card art to increase brand recognition, the ability to instantly refresh card details, and push provisioning to enable consumers to keep track of where and when their payment credentials are being used. All these features complement the security proposition to increase convenience and reduce friction.

Network tokenization versus security tokenization?

Although often referenced interchangeably, it is apparent that security tokenization and payment tokenization solutions (such as network tokenization) are very different propositions. Both are effective solutions for their defined purposes, but we should look to network tokenization as a foundational technology enabling secure, simple digital commerce through end-to-end security, global interoperability across different acceptance environments and value-added services.
