Tokenisation in Payments: Network tokens vs PSP tokens
The payment landscape has evolved significantly over the years, with security, convenience, and user experience becoming the primary focus for both businesses and consumers. Tokenization, once a niche topic, has now become one of the cornerstones of secure digital transactions. But what exactly is tokenization, and how does it impact the payments ecosystem?
The Origins of Tokenization in Payments
Tokenization emerged as a security solution to mitigate the risks associated with storing and transmitting sensitive payment data. Historically, merchants and payment service providers (PSPs) would store credit card numbers (PANs or Primary Account Numbers) in their databases, making them prime targets for hackers. Data breaches, particularly of payment card data, were rampant and costly. To counter this, tokenization was developed to replace sensitive card data with a non-sensitive equivalent – a “token” that cannot be used outside of its designated environment.
This practice started gaining prominence in the early 2010s, particularly with the rise of mobile wallets and the increased adoption of EMV (chip-based cards), pushing the industry toward more secure digital payment methods.
What Are Tokens and How Do They Work?
At its core, tokenization replaces a sensitive piece of information, such as a credit card number, with a non-sensitive surrogate value. This “token” is a unique set of characters that carries no inherent value and is only useful within a particular transaction or merchant environment. If a hacker were to intercept this token, it would be meaningless outside its context, providing an extra layer of security.
Tokens come in different forms, serving various purposes within the payments ecosystem. The most common ones are:
- PSP Tokens: These are tokens generated by Payment Service Providers (PSPs) that replace sensitive card information during transactions, primarily for merchants. PSP tokens are merchant-specific, meaning that even if they are intercepted, they cannot be used outside of the merchant’s ecosystem.
- Network Tokens: Payment networks like Visa and Mastercard offer network tokens that replace a PAN with a token at the network level. These tokens can be more universally recognized across merchants and PSPs, enabling more flexibility, especially in recurring transactions and subscription models.
- Device Tokens: When using a digital wallet, such as Apple Pay or Google Pay, each card you add gets its own Device PAN (DPAN) that is specific to that device. This DPAN is what’s used during transactions rather than the original PAN (often referred to as the Funding PAN or FPAN).
MPANs vs DPANs in Digital Wallets
Digital wallets have become a popular means of conducting secure, contactless payments. The use of tokenization in these wallets is critical to their security architecture.
- FPAN (Funding Primary Account Number): The original card number linked to a user’s account.
- MPAN (Merchant Primary Account Number): This term isn’t as widely used, but it refers to the token issued by the payment network to merchants. MPANs can be seen as part of the broader tokenization ecosystem, where the merchant interacts with a specific token rather than a PAN.
- DPAN (Device Primary Account Number): This is a token specifically assigned to a device, such as a smartphone, when a card is loaded onto a mobile wallet. The DPAN is used for transactions, keeping the original FPAN secure.
In practice, when you add a credit card to Apple Pay or Google Pay, the wallet generates a DPAN for that card. This DPAN is used in transactions instead of the actual card number (FPAN), ensuring the safety of your real payment credentials.
Token Sharing and Interoperability
One area of interest in tokenization is the concept of token sharing. This allows a token to be shared across different merchants or platforms, improving convenience for customers without sacrificing security. Network tokens, in particular, are designed for such use cases. For instance, a token generated for a card on a PSP’s platform could, in theory, be used across multiple channels or even across multiple merchants, as long as the underlying network (Visa, Mastercard, etc.) manages the token.
This capability is especially useful in subscription models, where a customer may want to use the same card across various platforms without entering their details repeatedly.
How Are Tokens Used for Subscriptions?
Subscriptions and recurring payments benefit tremendously from tokenization. In the traditional model, merchants would store PANs for ongoing charges, making their databases potential goldmines for hackers. With tokenization, instead of storing the PAN, merchants store the token generated by their PSP or payment network.
If a customer’s card is reissued due to expiration or fraud, the tokenized setup ensures continuity. This is where account updater services come into play.
Account Updater Services and Tokens
An Account Updater is a service provided by payment networks that automatically updates card details (such as expiration dates or reissued cards) for merchants who have stored tokens or card information for recurring billing. When a card is replaced, the network automatically updates the merchant’s token database with the new card details, so subscriptions continue seamlessly without customer intervention.
Account updater services and tokenization work hand-in-hand to ensure that recurring payments remain smooth and uninterrupted, even as card details change in the background.
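The merchant scoping of PSP tokens described earlier and the account updater behaviour above can be seen together in a toy in-memory vault. This Python sketch is an added example, not part of the original article and not any PSP's or network's code; the class, method and merchant names are hypothetical, and the card numbers are standard test PANs.

```python
import secrets

class TokenVault:
    """Toy PSP-style vault (hypothetical design, not a real PSP API)."""
    def __init__(self):
        self._records = {}  # token -> {"merchant", "pan", "expiry"}
        self._index = {}    # (merchant, pan) -> token

    def tokenize(self, merchant_id, pan, expiry):
        """Return this merchant's token for the PAN, minting one if needed."""
        key = (merchant_id, pan)
        if key not in self._index:
            token = "tok_" + secrets.token_hex(16)  # random, not derived from the PAN
            self._index[key] = token
            self._records[token] = {"merchant": merchant_id, "pan": pan, "expiry": expiry}
        return self._index[key]

    def detokenize(self, merchant_id, token):
        """Resolve a token, but only for the merchant it was issued to."""
        rec = self._records.get(token)
        if rec is None or rec["merchant"] != merchant_id:
            raise PermissionError("token is not valid for this merchant")
        return rec["pan"], rec["expiry"]

    def account_update(self, old_pan, new_pan, new_expiry):
        """Card reissued: re-point existing tokens; the tokens do not change."""
        updated = 0
        for (merchant_id, pan), token in list(self._index.items()):
            if pan == old_pan:
                del self._index[(merchant_id, pan)]
                self._index[(merchant_id, new_pan)] = token
                self._records[token].update(pan=new_pan, expiry=new_expiry)
                updated += 1
        return updated

def demo():
    # Constructed sample data: test card numbers and made-up merchant ids.
    vault = TokenVault()
    t_a = vault.tokenize("merchant-a", "4111111111111111", "12/25")
    t_b = vault.tokenize("merchant-b", "4111111111111111", "12/25")
    try:
        vault.detokenize("merchant-b", t_a)  # merchant A's token presented by B
        cross_use = True
    except PermissionError:
        cross_use = False
    n = vault.account_update("4111111111111111", "4012888888881881", "12/29")
    return t_a != t_b, cross_use, n, vault.detokenize("merchant-a", t_a)
if __name__ == "__main__":
    print(demo())
```

The merchant keeps charging the same stored token after the reissue; only the vault's mapping changes, which is why the merchant never needs to hold the PAN.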
Use Cases Where Tokens Can’t Be Used
While tokenization has dramatically improved security and convenience in payments, it isn’t suitable for every scenario. Some situations where tokens may not be applicable include:
- One-time, non-digital payments: For example, cash transactions or in-person payments that don’t involve digital infrastructure.
- Cross-border or multi-currency transactions: Some regions or smaller payment networks may not yet fully support tokenization, making its implementation more complex.
- Niche payment methods: Payment systems such as cryptocurrencies, gift cards, or closed-loop store credit may operate independently of traditional card networks and might not utilize tokenization.
TL;DR
Tokenization has revolutionized the way payments are secured, replacing sensitive payment information with tokens that are meaningless outside their intended use. PSP tokens, MPANs, and DPANs in wallets like Apple Pay and Google Pay allow for seamless, secure transactions. Network tokens and potential token sharing enable more flexible recurring payments. Tokenization also plays a key role in subscription management, aided by account updater services, which ensure that updated card details don’t interrupt recurring charges. However, tokenization isn’t applicable in every payment scenario, such as non-digital transactions or certain niche payment methods.