The term "tokenization" covers two distinct technologies that operate at different levels of the payment chain. Network tokenization is managed by Visa and Mastercard and replaces the PAN at the authorised transaction level. Payment tokenization is managed by the merchant or their provider and serves to avoid storing the real PAN in their own systems. Understanding where one ends and the other begins is essential to building a secure and flexible payment architecture.
Network tokenization: what Visa and Mastercard do
The Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) replace the physical PAN of a card with a network token (also called DPAN, Device PAN) linked to a specific device, channel or merchant. This token travels in authorisation messages in place of the real PAN: the acquirer receives it, transmits it to the network, and the network converts it back internally to the PAN before sending it to the issuer. The merchant and acquirer never see the original PAN.
Network tokens improve authorisation rates because the networks automatically update them when a card is renewed or reissued, without the merchant needing to update their own records. They are bound to a specific context (device, merchant, channel) and cannot be reused outside that context: if intercepted, they are unusable. Adoption of network tokenization is particularly advantageous for recurring payments and subscriptions, where it reduces churn caused by expiries and blocks.
Payment tokenization: the merchant or provider vault
Payment tokenization operates at a different level: it replaces the PAN in the merchant's records with a proprietary token stored in a secure vault. The vault maps each token to the real PAN and releases the PAN only at the point of authorisation, towards the authorised PSP. This approach removes the PAN from the merchant's infrastructure and drastically reduces the PCI perimeter: systems that see only tokens do not fall within the CDE.
Unlike network tokens, vault tokens are processor-agnostic: the same token can be used to authorise with different PSPs, provided the vault is reachable. This eliminates the vendor lock-in typical of those who store PANs directly with their gateway. With PCI Proxy EU the vault is PCI DSS Level 1 certified and tokens are portable: the merchant can change PSP without losing existing customers' card data.
When to use each, and why you often need both
Network tokenization protects the transaction in transit, but does not solve the problem of PAN storage for future payments. If the merchant needs to retain a card reference for subscriptions, one-click purchases or pre-authorisations, they still need a secure storage system. In this scenario the two technologies complement each other: network tokenization improves the security of live transactions, payment tokenization solves the storage problem.
For many European merchants, the priority is first to solve the PCI scope problem with robust payment tokenization, and then to optimise conversion rates with network tokenization. PCI Proxy EU sits at the first level: it provides the vault for secure PAN storage with portable tokens, and integrates without conflict with network tokenization solutions activated by the PSP or acquirer.
Frequently asked questions
Does network tokenization replace payment tokenization?
No, they operate at different levels. Network tokenization protects the transaction in the authorisation flow between merchant, acquirer and network. Payment tokenization solves the problem of secure PAN storage in the merchant's infrastructure. A merchant using only network tokenization still has the PAN on file, with all the PCI obligations that entails.
Are Visa and Mastercard tokens portable between PSPs?
No, network tokens are bound to a specific context: merchant, device and channel. They are not portable between PSPs. If a merchant changes acquirer or gateway, previously issued network tokens are not reusable and must be regenerated. This does not apply to vault tokens from a provider like PCI Proxy EU, which are independent of the PSP.
Is PCI Proxy EU compatible with network tokenization?
Yes. PCI Proxy EU manages secure PAN storage and its replacement with vault tokens. When the merchant makes an authorisation, it can pass the PAN to the PSP which, if it supports Visa Token Service or MDES, converts it into a network token for the transaction. The two layers integrate without conflict.
Network-independent tokens, portable between PSPs: that is what PCI Proxy EU offers. Discover PCI Proxy EU.