  • December 10, 2024

Network Tokens 101: Webinar Q&A

Shane Curran

Founder, CEO

During our Network Tokens webinar (watch it here!), we had some great audience questions pop up during the presentation. We thought it'd be helpful to share these publicly, so we've compiled a list of 10 questions and our answers below. We also have a deep dive on what Network Tokens are and how they work, if you're curious to learn more.

At what size annual GMV would a network token make sense?

Typically, network tokens will lead to a 1-2% topline improvement in payment volume. The total GMV at which network tokens make sense is then a question of the gross margins on that GMV. For a product with 50%+ gross margins, $25m in GMV would be enough to justify material investment. If margins are lower, then GMV might need to be slightly higher to improve the payback period. For marketplace products, $50-$100m in GMV is generally a good starting point.

Just confirming my understanding: If a merchant is integrated for network tokens and wants to process via a PSP, the merchant would first retrieve the token cryptogram themselves, then submit both the TPAN + cryptogram to the PSP's API?

Yes! The card would be tokenized in advance, and a cryptogram will be generated in real time for each transaction by the merchant (or the PSP). However, many PSPs will choose to handle this automatically for their clients.

A new token is generated every time a user saves card details. So some users have different tokens on different merchants. However, PAR is the same for that specific card of that user. How do I assure that the PAR matches with user details like name and telephone number?

Usually the major card networks don't verify account name, telephone number, etc. in the standard authorization process, whether Network Tokens or raw PANs are utilised. Visa do offer an Account Name Inquiry service that can add a layer of security, but its usage is pretty limited so far. Many companies will simply perform a zero-value authentication to verify that the address and names match a particular card.

If a customer cancels their card, will the network token follow them if they are committed to a subscription?

For a token representing a card that is cancelled, you would receive a notification that the account is closed. At that point you could proactively reach out to the customer to request/prompt them to update their details.

What types of frauds are reduced using NT? For example, stolen cards or account takeover?

Primarily, the scope of fraud is reduced because a token is specific to the merchant. If a merchant were to leak non-tokenized card details, the scope of fraud is broadened to virtually any ecommerce platform. Fraud scope related to a leaked network token is generally limited to that merchant only, and stolen network tokens cannot easily be used for third-party fraudulent payments.

For NTs to work, we need all the players in the ecosystem onboard. I would like to know the current adoption status in the ecosystem. How many issuers, PSPs, PGs, and acquirers support NTs?

The figures here are somewhat geography-specific. In regions like the US, EU and UK, issuer support is generally 90%+, so you'll be able to use network tokens for most cards (but you'll always need to fall back to PAN in certain scenarios). In emerging markets, issuer support can be much lower (e.g. ~40% in LatAm and Africa). In India, network tokens are mandated, so support is close to 100% from issuers.

The acquiring side is a little bit more tricky. Since October 2018, all acquiring principal members of Visa have been mandated to consume/accept network tokens for payments. That being said, the functionality hasn’t yet been fully passed up the chain to PSPs and payment gateways. Most of the larger PSPs support bring-your-own network tokens, including Adyen, Checkout.com, Stripe and Braintree.

Is token expiry related to card expiry? Can tokens expire before card expiry especially in case of lost card? Do PSPs provide APIs to fetch token expiry?

Tokens will usually expire before the card. Updates are usually automated by Card Account Lifecycle Management (CALM) via webhook when a token is expired, cancelled or otherwise updated. These services are often provided either directly by PSPs, or by independent Network Token Service Providers.
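
An added example, not from the original post or Evervault's API: one way to consume the lifecycle notifications described above (token expired, cancelled or updated, plus the account-closed notice from the cancelled-card question) and decide how to attempt the next charge. The event names, fields and fallback policy are assumptions; real Token Service Provider webhooks differ.

```python
from dataclasses import dataclass

# Hypothetical statuses and event types, constructed for this example.
ACTIVE, EXPIRED, CANCELLED, ACCOUNT_CLOSED = (
    "active", "expired", "cancelled", "account_closed")

@dataclass
class TokenRecord:
    token_ref: str            # opaque reference to the stored network token
    status: str = ACTIVE
    expiry: str = ""          # token expiry "YYYY-MM", separate from card expiry
    last_event_at: str = ""   # newest applied event, uniform ISO-8601 UTC string

def apply_event(store: dict, event: dict) -> bool:
    """Apply one lifecycle webhook event; return True if the record changed."""
    rec = store.get(event["token_ref"])
    if rec is None:
        return False                   # unknown token: never create from a webhook
    if event["occurred_at"] <= rec.last_event_at:
        return False                   # duplicate or out-of-order delivery
    kind = event["type"]
    if kind == "token.updated":
        rec.status, rec.expiry = ACTIVE, event["expiry"]
    elif kind == "token.expired":
        rec.status = EXPIRED
    elif kind == "token.cancelled":
        rec.status = CANCELLED
    elif kind == "account.closed":
        rec.status = ACCOUNT_CLOSED
    else:
        return False                   # unrecognised type: leave state untouched
    rec.last_event_at = event["occurred_at"]
    return True

def next_action(rec: TokenRecord, today: str) -> str:
    """Choose how to attempt a charge; `today` is "YYYY-MM"."""
    if rec.status == ACCOUNT_CLOSED:
        return "contact_customer"      # card is gone: prompt for new details
    if rec.status == ACTIVE and rec.expiry >= today:
        return "charge_with_token"     # TPAN plus a fresh cryptogram
    # Assumed policy: an unusable token does not imply an unusable card,
    # since tokens usually expire before the card does.
    return "fallback_to_pan"
```

Ignoring stale deliveries matters because a delayed "updated" event arriving after an "expired" one would otherwise mark an unusable token as active.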

Is there a BIN list for Network tokens?

You might be interested in Evervault's BIN Lookup API which supports and provides insight for Network Tokens (see here). You’ll find lists of BINs online, but many are stale and incomplete snapshots, and not programmatically available. We also add some data enrichments for extra insights.

Is the Network Token cost calculated per card that has a network token issued for it? Or is the cost calculated for each transaction using a network token?

Generally speaking, most Token Service Providers charge to create a network token (i.e. initially converting the PAN to a network token) and for generating a cryptogram (i.e. every time a customer-initiated transaction takes place). So in practice, there’s a (small) cost for both events — creating, and processing.

If we have a PSP that we iframe the checkout for (meaning we do not store card details or have PCI responsibilities) plus a PMU, is tokenisation still going to add value?

Network tokenization will incrementally improve authorization rates by 2.1% on average compared to a baseline of raw PAN transactions, so if you’re not using them then yes, they would definitely add value. If you just use one PSP, it might be a case of simply asking them to enable it on your behalf. The problem arises when you use multiple PSPs and need to maintain separate tokens across each gateway. For that use case we’d definitely recommend using a standalone Token Service Provider like Evervault.

Hope we were able to give some more clarity on Network Tokens. If you’d like to learn how to integrate Network Tokens into your product, check out our website below!

The fastest on-ramp to network tokens

Create and use network tokens in minutes with Evervault’s streamlined APIs. Avoid payment gateway lock-in and time-consuming direct integrations with card networks.
