Network tokenization versus PCI tokenization: five key differences
June 11, 2019
Andre Stoorvogel, Director, Product Marketing, Rambus Payments
The concept of tokenization is not a new one in the payments industry. Solutions that replace sensitive data with a non-sensitive equivalent have been around for years in various forms.
But as the digital payments ecosystem continues to expand, it is becoming increasingly apparent that ‘payment tokenization’ solutions, such as network tokenization, can address the urgent need for increased security and reduced complexity, while promoting enhanced consumer experiences.
A short history of tokenization in the payments industry
Tokenization solutions can be broadly divided into two categories: security tokenization and payment tokenization.
Security tokenization (also known as acquirer tokenization or non-payment tokenization) approaches have traditionally been used to protect cardholder data and personally identifiable information (PII) stored in merchant databases. This is needed to enable popular consumer payment methods such as recurring billing and one-click ordering.
In comparison, PCI tokens are security tokens that comply with PCI guidelines to meet PCI DSS standards.
The publication of EMVCo’s EMV®* Payment Tokenization Specification – Technical Framework in 2014 marked the introduction of ‘payment tokenization’ to the ecosystem, and was followed by an update in 2017. The aim? To enhance the underlying security of digital payments by replacing primary account numbers (PANs) with unique EMV payment tokens. Network tokenization is a type of payment tokenization where the payment network plays the role of the token service provider (TSP) to generate tokens.
Although EMV payment tokenization found immediate success in securing in-store mobile contactless payments, Consult Hyperion predicts that it is online payments that will deliver ‘the real volume’. The question is, what differentiates network tokenization from security tokenization?
Delivering end-to-end security
Proprietary security tokens are designed to protect sensitive information when it is ‘at rest’ within a merchant’s database after a transaction has been completed, reducing the risk and impact of a data breach.
The problem is, sensitive data is vulnerable throughout the entire payment processing chain. Not just at rest.
Neither proprietary or PCI tokens protect the consumer data while in transit or in use, introducing opportunities for fraudsters to hijack data through phishing attacks, malware and more. The rapid growth in card-not-present (CNP) fraud, despite ever-increasing investment in fraud protection, demonstrates a more fundamental, holistic approach to payment security is needed.
Below are three ways in which network tokenization can help meet those needs:
- Securing data in transit – The main benefit of network tokenization is that card details are protected throughout the entire transaction lifecycle.
- Domain controls – Network tokens can be restricted in their usage, for example, to a specific device, merchant, transaction type or channel. With the proliferation of new payment methods, such as online, IoT and voice, the ability to limit and control how network tokens can be used is key to preventing cross-channel fraud.
- Reducing false declines – Since network tokenization protects card details throughout the entire transition lifecycle, issuers treat network tokenized payments as inherently more secure than non-network tokens. This can deliver numerous benefits downstream and address key pain points for merchants, by limiting fraud prevention spend, increasing approval rates and reducing false declines.
This trio of benefits are not the beginning, middle and end, however… there’s more.
- Bridging the interoperability gap
As well as escalating security challenges, merchants must also deal with spiralling complexity.
Security tokens are limited to specific relationships, such as between a single acquirer and merchant. As the digital payments ecosystem expands, the burden of managing different proprietary tokens from multiple acquirers, payment service providers (PSPs) and gateways will become increasingly challenging.
The good news is that network tokens are globally interoperable across multiple acquirers and gateways. With the growth of omnichannel retail, consistency across different acceptance environments is a significant value-add.
We must also consider the backend impact. Security tokens are not formatted as routable PANs, so cannot be accepted as a like-for-like ‘replacement’. Network tokens are in the same format as a regular PAN, so can be accepted and routed along the normal payment rails without impacting the existing merchant systems.
- Enabling value-added services
Hampered innovation is one of the hidden costs of fraud. Merchants want to spend their time, effort and resource on better consumer experiences, not tackling fraud.
It is true that security tokens can be effective in specific scenarios. Network tokenization offers more than just security, however, and can also be utilized to enhance the buying experience.
Digital card art to increase brand recognition, the ability to instantly refresh card details, push provisioning to enable consumers to keep track of where and when their payment credentials are being used. All these features complement the security proposition to increase convenience and reduce friction.
Network tokenization versus security tokenization?
Although often referenced interchangeably, it is apparent that security tokenization and payment tokenization solutions (such as network tokenization) are very different propositions. Both are effective solutions for their defined purposes, but we should look to network tokenization as a foundational technology enabling secure, simple digital commerce through end-to-end security, global interoperability across different acceptance environments and value-added services.
For more information on network tokenization, visit the Rambus Payments Resource Library.
* EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo, LLC.
Categorised in: Blog