What Is Network Tokenization?
Network tokenization replaces a card PAN with a scheme-issued token (Visa Token Service, Mastercard MDES) that is cryptographically bound to a specific merchant or device. This reduces card-not-present fraud and enables automatic card updates without requiring customers to re-enter their details.
Network Tokenization: Definition
Network tokenization is the process by which a card network (Visa, Mastercard, Amex) replaces a cardholder's Primary Account Number (PAN) with a scheme-issued network token. Unlike vault tokens, network tokens are domain-restricted, cryptographically protected with a dynamic cryptogram per transaction, and automatically updated when the underlying card is reissued or renewed.
Fraud Reduction
Network tokens are bound to a specific merchant domain. A compromised token cannot be replayed at another merchant. Each transaction requires a dynamic cryptogram that cannot be reused.
Automatic Card Updates
When a card is reissued, renewed or replaced, the card scheme updates the network token automatically. Subscription businesses see fewer payment failures without customers needing to update their card details.
Domain Restriction
A network token is issued for a specific merchant, device or channel. It carries no value outside its intended domain, dramatically reducing the risk of large-scale data breaches.
Network Token vs Vault Token
Network Token (Scheme-issued)
Visa VTS / Mastercard MDES / Amex- Issued by the card scheme
- Domain-restricted (merchant / device)
- Dynamic cryptogram per transaction
- Auto-updated on card renewal
- Requires scheme enrolment
- Cannot be used at other merchants
Vault Token (PCI Proxy)
Merchant / Processor level- Issued by PCI DSS Level 1 vault
- Processor-agnostic
- Works with any acquirer or PSP
- No scheme enrolment required
- Enables multi-acquirer routing
- Supports network token lifecycle management
Network Tokenization Questions Answered
01 What is network tokenization?
Network tokenization is a process where a card scheme (Visa, Mastercard, Amex) replaces a cardholder's PAN with a scheme-issued token. The token is cryptographically bound to a specific merchant or device domain, reducing card-not-present fraud and enabling automatic credential updates when a card is reissued.
02 What is the difference between a network token and a vault token?
A network token is issued by the card scheme and operates at the network level, bound to a specific merchant, device or channel. A vault token is issued by a PCI DSS Level 1 vault and operates at the merchant or processor level as a reference to the raw PAN. Vault tokens are processor-agnostic and reusable across any acquirer.
03 What are Visa Token Service (VTS) and Mastercard MDES?
Visa Token Service (VTS) and Mastercard Digital Enablement Service (MDES) are the card-scheme platforms that issue and manage network tokens. Merchants or technology partners enrol in these programmes to receive scheme-issued tokens in place of raw PANs, gaining fraud reduction and automatic card update benefits.
04 How does network tokenization reduce fraud?
Network tokens are cryptographically bound to a specific merchant domain and expire or can be revoked without affecting the underlying card. Each transaction also includes a dynamic cryptogram, making replay attacks impossible even if a token is intercepted.
05 How does PCI Proxy support network tokenization?
PCI Proxy stores the raw PAN in a secure EU vault and can request network tokens from Visa Token Service or Mastercard MDES on your behalf. You receive a vault token as your system reference while PCI Proxy manages the underlying network token lifecycle, including automatic card updates and cryptogram generation.
Enable Network Tokenization With PCI Proxy
PCI Proxy manages the full network token lifecycle from our EU PCI DSS Level 1 vault, so you benefit from scheme-level fraud protection without touching raw PANs.