What is Network Tokenization for Recurring Charges?

It’s been a long time since the invention of payment options other than handing over cash in exchange for goods and services, and that means there has been a ton of development and evolution in the systems underpinning those payment options.

When virtually everyone uses some form of digital payment system, and with tens of millions of dollars of transactions processed every minute, there are a lot of technical and technological concerns that need to be ironed out. Even the tiniest blip can have cascading ripple effects across the whole of the economy.

One of the biggest concerns is safeguarding the sensitive personal information of the customers shopping using digital payment methods and digital storefronts. Whether it’s customer name and address information, their credit card or bank information, or other information related to the transaction, it all needs to be protected.

But, you can’t just obfuscate and heavily encrypt the information and call it good. Even a tiny delay involved in encrypting and decrypting that information would have knock-on effects across billions of transactions.

The solution he payment processors have hit upon, at least for now, is network tokenization. How does tokenization work, how is it more secure, and how does it work for recurring charges? Let’s run down everything you need to know as a merchant.

The Development of Network Tokenization

Say you’re a merchant and you’re accepting a payment from a customer using a credit card. The customer has to provide you with their personal information and their card information, and you have to forward that information through the related banks and payment processors to validate it, ensure the money exists, and process the transaction.

Handing that information over in plaintext would be awful. Anyone with the ability to inject themselves in the middle, or to compromise one of the steps along the way, could easily steal the data.

Using SSL, TLS, and other encryption is standard for a lot of traffic these days, but it’s also kind of not enough for payment and personal information. The information is still there, so if the encryption is cracked or broken, or the stops along the way are compromised, it’s once again a loss.

The first improvement on this was PCI tokenization. PCI tokenization replaces part of the information with a token. Specifically, it replaces the part of the information you as the merchant collect and hand off with a token.

This is a great step for security, since merchants are by far the biggest threat surface for attacks. There are only a small handful of banks, credit unions, card networks, and acquirers and issuers; meanwhile, there are thousands upon thousands of merchants. Where a company like Visa can invest billions in security, a small retail outlet set up on a mostly-free website doesn’t have those kinds of resources.

With PCI tokenization, the customer puts information into the payment portal, which could be a payment app, or a POS system. That system uses an algorithm to take that information and generate a token, and gives you the token instead of the information. You then forward that token to your acquiring bank.

At this point, the bank can re-convert the token into the actual information. Since the banks are generally more secure than merchants, the greatest security risk has been removed. The acquirer sends the payment information to the card network, which forwards it to the issuing bank, and the transaction is completed.

Network tokenization takes this one step further. Instead of converting the token back into information in the banks, only the token is ever used. This way, no matter where the information is throughout the ecosystem, if it’s compromised, all an attacker receives is an otherwise-useless token.

What Are the Benefits of Network Tokens?

Network tokenization is a huge boon for security, but that’s not all.

Critically, a network token is only valid for one combination of device, merchant, and transaction. Even if it was possible to steal the tokens, it’s not possible to reuse them for fraudulent payments, since a given token can only be used for the purpose it was generated.

Keep this in mind, it will be relevant for recurring payments later.

Another huge benefit is that tokens allow for a reduction in interchange fees. When you accept a transaction and send it through the payment processor and to the issuing bank, all of the banks along the way have to process and handle that information, and they aren’t going to do that for free. Interchange fees exist to compensate the banks for the work they do in processing transactions for you, and they can add up.

Broadly speaking, the greater the risk represented by a transaction, the higher the interchange fees are going to be. That’s part of why banks charge high-risk merchants more for processing transactions. You can see the variation as well in different kinds of transactions; card present are cheaper than card not present, due to the difference in risk.

Because tokenization directly lowers risk, it results in lower interchange fees for the merchant.

Another huge benefit is that tokenization allows a validated payment to update and be processed even if the card underpinning it is blocked. For example, imagine if a customer is making a purchase on the last day of a month, and that happens to be the expiration date of their card. It’s valid when they put in the payment, but by the time it’s processed, the day ticks over and the card expires. A normally-processed transaction would fail, but a tokenized transaction would automatically update and pass.

Similarly, if a customer makes a purchase but, in between the purchase and the processing of the transaction, their card is frozen or cancelled due to fraud and a new card issued to them, a normal transaction using the old card information would fail. A tokenized transaction could still be processed.

All of this results in fewer false declines and fewer fraudulent transactions, improving the overall experience for customers, merchants, and banks.

Many of the modern saved payment systems, like Apple Pay, Google Pay, Amazon Pay, and similar, are all tokenized systems, which is also very convenient for users of those systems. These days, Visa and Mastercard are also offering network tokenization systems as well.

How Network Tokenization Benefits Recurring Payments

If you’re a merchant with a subscription service or recurring payments system for your products, you know how much friction it can cause. Any time a card expires, is cancelled, or is questioned, recurring payments can fail. Failed payments cost you subscribers, hurting retention and long-term operations.

This is a huge boon for card information security. Previously, your subscription-based business would need to retain customer card information and other personal information so that each month (or whatever your billing cycle is) you can submit the next charge.

That makes subscription-based businesses particularly juicy targets for cyberattacks. Where other businesses can use and discard payment information so there’s nothing to be stolen, you would have to retain information, and that’s a big payday for thieves.

If you use network tokens instead, all you do is store a token. The token is valid only for your subscription service, so even if hackers were to breach your systems and steal them, they’re valueless. They don’t interrupt your services, they don’t put customer information at risk, and they don’t cause problems in unauthorized hands.

Any business can make use of network tokenization, but subscription-based services can find particular benefit in using it.

Are There Drawbacks to Network Tokenization?

If network tokenization is so useful and so powerful, why isn’t it the default? Why even have a choice not to use it? Are there any drawbacks to using it?

One drawback is something I mentioned all the way at the top, relating to encryption: there is a slight delay in processing a transaction, relating to generating the token. This latency can be eliminated, especially for repeat customers, but it a minor pain to some businesses.

A second drawback is that tokenization isn’t broadly adopted yet. Some regions have lower adoption of tokenization than others, and in sparsely-tokenized areas, it can be harder to set it up effectively. It’s still beneficial when it’s up and running, but the barrier to entry is a little higher.

For now, tokenization can also be somewhat complex to implement if you don’t already use a system that can utilize it, which is why the intermediary tokenization providers exist (more on them in a moment). This added third party, plus an added fee, can be a tough sell.

Overall, the truth is that tokenization is coming, and the more it’s implemented, the faster the ball rolls towards a completely secure payment paradigm. There’s just a lot of inertia and fear of change in getting it going.

How to Set Up Network Tokenization for Your Business

If you’ve decided that setting up network tokenization is a good idea for your business (and you should, it’s a good idea for pretty much every business), the next step is to implement it.

This is where things start to get a little tricky, though, because you need to follow steps according to whoever your payment gateway is. If you’re using Visa or Mastercard, for example, you’ll need to talk to your account representative to make sure tokenization is enabled for the transactions you process.

An alternative is to partner with a tokenization provider. Providers like Spreedly, Primer, and NMI (as well as others) sit between your payment system and all of the various processors and providers who need to deal with tokens. They handle the work of converting information into tokens, no matter which network is being used.

A bonus to using a tokenization provider is that the tokens they generate can be agnostic and work regardless of the payment processor, which means you don’t have to change your payment processor even if that processor doesn’t support the tokens you want to use.

Why You Should Implement Tokenization

Why should you (yes, you, the merchant reading this) implement network tokenization for your payments?

After all, if what you have going right now works just fine, why make a change, potentially involving a third-party company like a tokenization provider?

• Greater security for transactions. When you don’t have to touch customer sensitive information, it’s not at risk throughout the payment process, and your customers can shop secure in knowing their cards will be safe with you (since they aren’t with you at all.)
• Lower fees for transactions. While there are fees associated with working with a tokenization provider, the reduction in interchange fees is more than enough to compensate for it in most cases.
• Higher retention for subscription-based and recurring fee businesses. Transactions that fail due to card issues are a huge source of loss for businesses that rely on retention, since the friction of re-upping something the customer may be on the fence about can be killer. Tokenization eliminates this loss.

You can also reduce the incidence of fraud and chargebacks, both for yourself and for others, since you remove yourself from the pool of potential targets for compromising information. The more people use tokenization, the harder it becomes to steal credit card information at all, and thus the harder it is to commit fraud with it.

On top of that, many tokenization providers offer platforms that include additional anti-fraud tools to detect and proactively prevent fraudulent transactions. Combined with the Fight Disputes alerts system to detect and preemptively address potential disputes, you can nearly eliminate chargebacks entirely.