Last year, Visa announced that it had issued its 10 billionth token and that tokenized payments had prevented $650 million of fraud in 2023 [1]. Visa [1] and Mastercard [2] have also stated that approximately 30% of all their payment transactions are processed using network tokens. Given that network tokens have only been around for about a decade, those are impressive numbers. But what is it about network tokens that gives them their superpower to stop fraud? After all, in the case of network tokens, the token is just another number representing a customer’s credit or debit account. What makes these numbers so much more secure than the numbers that make up the primary account number (PAN) of the payment card? In the typical context, tokens are often referred to as a non-sensitive representation of something of value, such as the PAN in the case of network tokens. But wait, you may be thinking, “if I can make a payment transaction with a network token, that sounds pretty sensitive to me.” Before drawing any conclusions about network tokens, maybe we should first consider what a network token is not. It is not a security token.
Security tokens (also known as acquirer or merchant tokens) have literally no value, and that, ironically, is their value. Security tokens generated in a token vault cannot be reverse-engineered to obtain the underlying PAN. These tokens are also “non-transactable” and must be converted to the underlying PAN (or network token) to be used in a payment transaction. If a bad actor steals a bunch of security tokens, they are now the proud owner of a lot of random numbers…and maybe some letters, too. Now, that sounds non-sensitive to me! So, I guess security tokens actually do have a lot of value. However, if a security token derives its value from being a random, non-transactable data element, what about network tokens?
The fundamental question is this: if network tokens can be used for payment transactions, what actually makes them secure? Certainly, network tokens are just as susceptible to data compromises as PANs are, so why can’t the bad guys just grab some network tokens and start running fraudulent token transactions? Well, it turns out that network tokens don’t come to the party alone. Enter token domain restriction controls and token cryptograms. These are two unique features of network tokens that help provide security for the token and for the transaction the token is used in. Token domain restriction controls constrain the use of a network token to specific purposes. For instance, when a network token is issued to a mobile device, the use of that token is restricted to the “domain” of that device. In other words, the token can only be used with that specific device. Attempting to use the token in another domain (or context) will violate the restriction controls, and the token validation will fail. Likewise, a network token issued to a particular merchant for card-on-file use on their eCommerce site can only be used for transactions on that specific site. Depending on the use case, different data elements make up the “token control fields” used to apply the domain restrictions to a given transaction. The token control fields can include the POS Entry Mode, the Merchant Identifier, the Original Transaction Reference, and, notably, the Token Cryptogram, among other fields.
The token cryptogram is unique among the token control fields, as the other fields are also available for PAN-based transactions. Only the token cryptogram is specific to token transactions, but it is similar to the EMV® chip and contactless cryptogram in purpose. The token cryptogram is generally generated using some combination of the network token, token-related data, and transaction data. During processing, the cryptogram is validated to ensure the data in the transaction has not been altered. In addition, the cryptogram is only valid for a single transaction to prevent a bad actor from replaying the token-related transaction data in another transaction. By appropriately employing domain restriction controls and token cryptograms, network token payment transactions can be processed securely.
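To make the two controls above concrete, here is a simplified model of what a token service provider checks when a token transaction arrives: the token control fields must match the domain the token was provisioned for, the cryptogram must verify over the transaction data, and an already-accepted cryptogram must be rejected as a replay. This is an added illustration, not Visa’s, Mastercard’s or the MAG’s code; the HMAC construction, the key, the vault contents and the field names are all assumptions standing in for the networks’ actual (EMV-style) cryptogram schemes.

```python
import hashlib
import hmac

# Per-token key held by the token service provider (constructed sample, not a real key).
TOKEN_KEY = b"tsp-demo-key-for-illustration-only"

# Token vault: network token -> the domain it was provisioned for.
# All values are constructed for this example; no real tokens or merchants.
TOKEN_VAULT = {
    "4111222233334444": {"merchant_id": "MERCHANT-A", "pos_entry_mode": "81"},
}

# Cryptograms already accepted; enforces the single-use property.
_used_cryptograms: set = set()


def build_cryptogram(token, merchant_id, pos_entry_mode, amount, txn_ref):
    """Derive a per-transaction cryptogram over the token and the transaction data."""
    msg = "|".join([token, merchant_id, pos_entry_mode, amount, txn_ref]).encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:16]


def make_transaction(token, merchant_id, pos_entry_mode, amount, txn_ref):
    """What the token requestor (wallet or merchant) submits, cryptogram included."""
    return {
        "token": token, "merchant_id": merchant_id, "pos_entry_mode": pos_entry_mode,
        "amount": amount, "txn_ref": txn_ref,
        "cryptogram": build_cryptogram(token, merchant_id, pos_entry_mode, amount, txn_ref),
    }


def validate_token_transaction(txn):
    """Return (approved, reason) after the domain, integrity and replay checks."""
    entry = TOKEN_VAULT.get(txn["token"])
    if entry is None:
        return False, "unknown token"
    # Domain restriction: the token control fields must match the provisioned domain.
    if txn["merchant_id"] != entry["merchant_id"] or txn["pos_entry_mode"] != entry["pos_entry_mode"]:
        return False, "domain restriction violated"
    # Integrity: recompute the cryptogram; any altered field produces a different value.
    expected = build_cryptogram(txn["token"], txn["merchant_id"], txn["pos_entry_mode"],
                                txn["amount"], txn["txn_ref"])
    if not hmac.compare_digest(expected, txn["cryptogram"]):
        return False, "cryptogram mismatch (transaction data altered)"
    # Single use: a cryptogram that was already accepted is a replay.
    if txn["cryptogram"] in _used_cryptograms:
        return False, "cryptogram already used (replay)"
    _used_cryptograms.add(txn["cryptogram"])
    return True, "approved"
```

A stolen token on its own fails the domain check at another merchant, and a captured transaction fails the replay check, which is the point the text makes about tokens not "coming to the party alone".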
However, that is not to say network tokens are completely impervious to fraud. Token provisioning fraud, for instance, has emerged as a vexing threat vector. Token provisioning fraud uses some combination of compromised card data, social engineering, and phishing attacks to provision stolen card credentials to a digital wallet, which creates a network token in the process. The token in the digital wallet is then used for fraudulent transactions until discovered by the consumer or their issuer. According to Visa, token provisioning fraud cost $450 million in lost revenue in 2022 [3].
So, what are network tokens good for? Well, from a security perspective, network token transactions are certainly more secure than PAN-based transactions, thanks to their domain restrictions and cryptograms. And, because they are transactable, they have functionality security tokens don’t support. While not a silver bullet against all types of attacks, network tokens provide another valuable layer of defense in the never-ending battle against fraud.
The MAG is actively driving progress in the tokenization space through resources like the Advancing Tokenization Strategies microlearning course and the recently released MAG Tokenization Reference Guide. For more information on tokens and tokenization, be sure to check out both, now available on the MAG Learning Center.
1. https://usa.visa.com/about-visa/newsroom/press-releases.releaseId.20701.html
2. https://s25.q4cdn.com/479285134/files/doc_financials/2024/q4/MA-12-31-2024-10-K-as-filed-with-exhibits.pdf
3. https://www.businesswire.com/news/home/20231213594921/en/Visa-Provisioning-Intelligence-Launches-to-Combat-Token-Fraud