Payment Tokenization: The Complete Guide to Network Tokens, Gateway Tokens, and PCI Compliance
Every time a card number is stored, transmitted, or processed, it creates risk. Payment tokenization replaces sensitive card data with non-sensitive substitutes—tokens—that are useless to attackers but fully functional within the payment ecosystem. It is the single most important technology shift in card payments since EMV chip adoption.
The numbers tell the story. The global payments industry processed 283 billion tokenized transactions in 2025, and that figure is projected to reach 574 billion by 2029. Visa reports a 4.6% global authorization rate lift for tokenized card-not-present transactions compared to raw card numbers, alongside a 26% average decline in fraud rates. These are not marginal improvements—they are structural advantages that compound across every transaction a business processes.
Yet most guides on payment tokenization cover only the basics: what a token is, and why it matters for PCI compliance. They rarely explain the critical differences between gateway tokens and network tokens, the mechanics of how network tokens interact with issuers and card schemes, or how to build a quantified business case for migration. This guide fills those gaps. It is written for payment professionals, product managers, and technical leaders who need to understand tokenization deeply—not just conceptually.
What Is Payment Tokenization?
Payment tokenization is the process of replacing a primary account number (PAN)—the 16-digit number on the front of a payment card—with a surrogate value called a token. The token maintains the format of a card number (it looks like a PAN) but carries no intrinsic value. If intercepted, it cannot be used to initiate a payment, reverse-engineer the original card number, or commit fraud.
The original PAN is stored securely in a token vault—a hardened, PCI-compliant database managed by either the payment processor, the card network, or a dedicated tokenization service provider. When a transaction needs to be processed, the token is submitted in place of the PAN, and the token vault maps it back to the real card number at the appropriate point in the authorization flow.
Where Tokens Are Used
Tokens appear throughout the payment lifecycle:
- Card-on-file storage – Subscription services, e-commerce platforms, and digital wallets store tokens instead of card numbers, eliminating the risk of a data breach exposing raw PANs.
- Transaction processing – Tokens flow through payment gateways and processors, reducing the number of systems that handle sensitive card data.
- Merchant-initiated transactions (MITs) – Recurring billing, installment payments, and unscheduled payments use tokens to charge cards without requiring the customer to re-enter their details.
- Mobile and digital wallets – Apple Pay, Google Pay, and Samsung Pay use network-level tokenization to secure every contactless and in-app transaction.
- Account Funding Transactions (AFTs) – Businesses processing Account Funding Transactions use tokens to securely pull funds from stored cards for money transfers, wallet loads, and prepaid card funding.
The fundamental principle is simple: if a system does not need to see the real card number, it should not. Tokenization enforces this principle at scale.
Three Types of Tokenization: Gateway Tokens, Network Tokens, and Encryption
Not all tokenization is equal. There are three distinct approaches, each with different security properties, authorization benefits, and implementation complexity. Understanding the differences is critical for choosing the right strategy.
1. Gateway / PSP Tokens
Gateway tokens (also called PSP tokens or acquirer tokens) are generated and managed by your payment gateway or payment service provider. When a customer submits their card for the first time, the gateway stores the PAN in its own token vault and returns a proprietary token to the merchant. All subsequent transactions reference this token, and the gateway resolves it internally before sending the real PAN to the card network.
Key characteristics:
- The token is proprietary to the gateway—it only works with that specific provider
- The original PAN is stored in the gateway's vault, not at the network level
- The issuing bank sees the raw PAN during authorization—the token is resolved before the request leaves the gateway
- No cryptogram is generated—the issuer cannot distinguish a tokenized transaction from a non-tokenized one
- If you switch gateways, you must migrate PANs or re-collect card details from customers
2. Network Tokens
Network tokens are issued by the card networks themselves—Visa, Mastercard, American Express—through their Token Service Providers (TSPs). Instead of a proprietary gateway token, the card network generates a Device PAN (DPAN) or Token PAN (TPAN) that is linked to the original card (the Funding PAN or FPAN) within the network's infrastructure. Each transaction also includes a cryptogram—a one-time, transaction-specific security code that the issuer validates during authorization.
Key characteristics:
- The token is issued and managed by the card network, not the gateway
- The issuer knows the transaction is tokenized and can apply higher trust scoring
- A unique cryptogram accompanies each transaction, providing transaction-level authentication
- If the physical card is reissued (new number, new expiry), the network token updates automatically—no customer action required
- Network tokens are portable across gateways and processors
- Qualifying transactions may receive interchange fee reductions
3. Point-to-Point Encryption (P2PE) / End-to-End Encryption
Encryption is not tokenization in the strict sense, but it is often discussed alongside it. Point-to-point encryption (P2PE) encrypts card data at the point of capture (the terminal or browser) and keeps it encrypted until it reaches the decryption endpoint (the processor). The PAN is never exposed in plaintext within the merchant's environment.
Key characteristics:
- Data is encrypted, not replaced—the ciphertext can be decrypted back to the original PAN
- Primarily used for card-present transactions at physical terminals
- Does not generate a reusable token for recurring or card-on-file payments
- Provides strong PCI scope reduction for the encryption boundary, but not for stored data
- Often used in combination with tokenization: P2PE protects the initial capture, and tokenization protects long-term storage
Three-Way Comparison
| Dimension | Gateway / PSP Tokens | Network Tokens | P2PE / Encryption |
|---|---|---|---|
| Who issues it | Payment gateway / PSP | Card network (Visa, Mastercard) | Encryption provider / terminal vendor |
| What it replaces | PAN replaced with proprietary token | PAN replaced with DPAN + cryptogram | PAN encrypted, not replaced |
| Issuer awareness | No—issuer sees raw PAN | Yes—issuer validates token + cryptogram | No—issuer sees decrypted PAN |
| Cryptogram included | No | Yes (unique per transaction) | No |
| Auth rate impact | Neutral—no issuer-side benefit | 2–5% lift (Visa reports 4.6% global average) | Neutral |
| Fraud reduction | Reduces breach risk (no stored PANs) | 26% average decline (Visa data) | Protects data in transit only |
| Card update handling | Requires Account Updater service | Automatic—network pushes updates | Not applicable |
| Portability | Locked to issuing gateway | Portable across gateways | Not applicable |
| Interchange savings | None | Up to 10 bps on qualifying CNP | None |
| PCI scope reduction | Significant—no PAN storage | Significant—no PAN storage | Significant—encrypted boundary |
The takeaway: gateway tokens are a good baseline for PCI scope reduction, but network tokens deliver measurably higher authorization rates, lower fraud, interchange savings, and automatic card lifecycle management. For businesses with significant card-on-file or recurring payment volume, network tokens are the superior choice.
How Network Tokens Work: Step-by-Step
Network tokenization involves a specific set of participants and a well-defined flow. Understanding this flow is essential for anyone evaluating, implementing, or troubleshooting network token integrations.
The Key Participants
- Cardholder – The person who owns the payment card
- Token Requestor (TR) – The entity that requests a token on behalf of the merchant. This can be the merchant directly, the payment gateway, or the payment orchestrator
- Token Service Provider (TSP) – The card network's tokenization platform (Visa Token Service, Mastercard Digital Enablement Service, etc.)
- Issuing Bank – The bank that issued the cardholder's card. The issuer approves or declines the token request
The Token Provisioning Flow
Card Capture
The cardholder enters their card details on a checkout page, in an app, or via a secure form. The FPAN (Funding PAN)—the real card number—is captured.
Token Request
The Token Requestor (typically the payment gateway or orchestrator) sends the FPAN to the card network's Token Service Provider via a secure API. The request includes metadata about the token requestor, the intended use (e-commerce, card-on-file, recurring), and the merchant identity.
Issuer Authorization
The TSP forwards the token request to the issuing bank. The issuer evaluates the request—checking the card status, the token requestor's reputation, and any risk signals—and either approves or declines the tokenization. Some issuers may require additional cardholder verification (a one-time passcode or in-app confirmation).
Token Issuance
Upon approval, the TSP generates a DPAN (Device PAN / Token PAN)—a substitute card number in the same format as a real PAN but drawn from a dedicated token BIN range. The DPAN is returned to the Token Requestor and stored in place of the original FPAN. The mapping between DPAN and FPAN is held exclusively within the card network's token vault.
Transaction with Cryptogram
When a payment is initiated, the Token Requestor submits the DPAN along with a transaction-specific cryptogram generated by the TSP. The cryptogram proves that the transaction originated from a legitimate token requestor and is valid for this specific transaction only. The card network resolves the DPAN back to the FPAN, validates the cryptogram, and forwards the authorization to the issuer.
Issuer Decision
The issuer receives the authorization request with full knowledge that it is a tokenized transaction. The cryptogram validation provides an additional layer of assurance, allowing the issuer to apply more favorable risk scoring. This is the primary mechanism behind the authorization rate lift that network tokens deliver.
The critical difference from gateway tokenization: with network tokens, the issuing bank knows the transaction is tokenized and has validated the cryptogram before making its approval decision. This issuer-side awareness is what drives higher approval rates and lower fraud—benefits that gateway tokens simply cannot provide.
The Business Case for Network Tokenization
Network tokenization delivers measurable financial returns across four dimensions. The following figures are drawn from published card network data and aggregated merchant results.
1. Authorization Rate Improvement
Authorization rates—the percentage of transaction attempts that are approved by the issuing bank—are the single most impactful metric for online merchants. Every declined transaction is a lost sale. Visa reports a 4.6% global authorization rate lift for tokenized card-not-present (CNP) transactions compared to raw PAN submissions. Leading payment platforms report an average 3% authorization rate increase across their merchant base after enabling network tokens.
For a business processing $100 million in annual CNP volume with a 90% baseline approval rate, a 3–5% improvement translates to $3–5 million in recovered revenue from transactions that would otherwise have been declined.
2. Fraud Rate Reduction
Visa data shows a 26% average decline in fraud rates for transactions processed with network tokens compared to raw PANs. The cryptogram mechanism makes it impossible for an attacker to reuse a stolen token—each cryptogram is valid for exactly one transaction and is bound to the specific token requestor.
Lower fraud translates directly to reduced chargeback costs, lower dispute management overhead, and improved standing with card network fraud monitoring programs. For businesses operating in high-risk verticals or high-fraud geographies, the fraud reduction alone can justify the migration.
3. Interchange Fee Savings
Visa offers a 0.10% (10 basis points) interchange reduction on qualifying tokenized CNP transactions. While 10 bps may sound modest, it compounds across transaction volume. For a merchant processing $500 million in annual card-not-present volume, 10 bps represents $500,000 in annual interchange savings.
Mastercard has also introduced favorable interchange treatment for tokenized transactions in select markets. As network tokenization adoption grows, interchange incentives are expected to expand.
4. Reduced Involuntary Churn
For subscription businesses, one of the largest sources of revenue loss is involuntary churn—customers whose recurring payments fail because their card expired, was reissued, or was replaced. Traditional approaches rely on account updater services that batch-check for new card numbers, often with multi-day delays and incomplete coverage.
Network tokens solve this structurally. When a card is reissued, the card network automatically updates the DPAN-to-FPAN mapping in the token vault. The merchant's stored token remains unchanged, and the next recurring charge processes successfully against the new card—without the cardholder lifting a finger. This eliminates a significant portion of payment-related churn and the costly retry-and-recovery flows that subscription businesses build around it.
Combined ROI Summary
| Benefit | Metric | Example Impact ($100M annual CNP) |
|---|---|---|
| Auth rate lift | +2–5% approval rate | $2M–$5M recovered revenue |
| Fraud reduction | 26% decline in fraud rate | Reduced chargebacks & dispute costs |
| Interchange savings | 10 bps on qualifying CNP | $100K annual savings |
| Reduced churn | Automatic card updates | Fewer failed renewals, higher LTV |
PCI Compliance and Scope Reduction
The Payment Card Industry Data Security Standard (PCI DSS) defines the security requirements that any organization handling cardholder data must meet. PCI compliance is not optional—it is mandated by the card networks and enforced through fines, increased audit requirements, and potential loss of card processing privileges.
How Tokenization Reduces PCI Scope
PCI scope is determined by the Cardholder Data Environment (CDE)—every system, network, and process that stores, processes, or transmits cardholder data. The larger the CDE, the more systems must meet PCI requirements, and the more expensive and complex compliance becomes.
Tokenization shrinks the CDE dramatically. When a merchant stores tokens instead of PANs, the systems that handle tokens are outside PCI scope (provided the tokens meet PCI's definition of non-reversible). The only systems that remain in scope are those that handle the initial card capture (before tokenization) and the token vault itself.
In practice, this means:
- Databases storing customer payment credentials hold tokens, not PANs—removing them from the CDE
- Application servers processing transactions handle tokens, not PANs—removing them from the CDE
- Analytics and reporting systems can use tokens for transaction tracking without ever seeing card numbers
- Customer service tools can reference tokens for order lookup and refunds without exposing card data to agents
- Network infrastructure carrying tokenized data does not require the same level of segmentation and monitoring as PAN-carrying networks
PCI DSS 4.0 and Tokenization
PCI DSS 4.0, which became mandatory in March 2025, introduced several changes that make tokenization even more relevant. The updated standard places greater emphasis on risk-based approaches, continuous security monitoring, and encryption of stored PAN data. Requirement 3 (Protect Stored Account Data) specifically addresses how organizations must protect stored PANs—and tokenization is the most straightforward way to meet these requirements.
Under PCI DSS 4.0, organizations that store PANs must implement stronger access controls, more granular logging, and more frequent testing. Organizations that tokenize their card data can avoid most of these obligations entirely, because the tokens they store are not considered account data under the standard. For businesses evaluating their PCI DSS 4.0 compliance roadmap, network tokenization represents the fastest path to scope reduction.
Token Lifecycle Management
A network token is not a static artifact. It has a full lifecycle—from creation to retirement—managed by the card network's Token Service Provider. Understanding this lifecycle is essential for operational reliability.
Provisioning
Provisioning is the initial creation of a token, as described in the step-by-step flow above. The token requestor submits the FPAN, the issuer approves the request, and the TSP issues a DPAN. The provisioning event is logged, and the token is assigned a status of Active. Provisioning may include additional verification steps depending on the issuer's risk policies and the token requestor's trust level.
Active Use
During active use, the token is submitted with each transaction alongside a fresh cryptogram. The TSP maintains the DPAN-to-FPAN mapping and generates cryptograms on demand. The merchant's systems interact only with the token—the FPAN never leaves the card network's vault. Transaction data (authorization responses, settlement records) is linked to the token for reconciliation.
Automatic Updates
When a cardholder's underlying card changes—due to expiration, loss, theft, or issuer-initiated reissue—the card network updates the FPAN associated with the token. The DPAN itself does not change. This means the merchant's stored token continues to work without any action from the merchant or the cardholder. This is the mechanism that eliminates involuntary churn for subscription and recurring payment businesses.
Automatic updates cover these common scenarios:
- Card expiration – New card issued with new expiry date and potentially new PAN
- Lost or stolen card replacement – New card number issued by the bank
- Card upgrade – Issuer replaces a standard card with a premium product
- Issuer-initiated reissue – Bank replaces cards proactively due to a data breach or portfolio migration
Suspend and Resume
A token can be temporarily suspended without being deleted. Suspension may be triggered by the cardholder (who reports the card lost and then finds it), the issuer (who suspects fraud and needs to investigate), or the token requestor (who pauses a subscription). A suspended token cannot be used for transactions but retains its DPAN-to-FPAN mapping. When the suspension is lifted, the token returns to Active status and transactions resume without re-provisioning.
De-Provisioning
De-provisioning permanently removes a token. The DPAN-to-FPAN mapping is deleted from the token vault, and the token can no longer be used for transactions. De-provisioning is triggered when the cardholder requests removal of their stored payment method, when the merchant cancels the customer's account, when the issuer permanently closes the underlying card account, or when the token requestor terminates their relationship with the merchant.
| Lifecycle Stage | Token Status | Transactions Allowed | Triggered By |
|---|---|---|---|
| Provisioning | Active | Yes | Token requestor submits FPAN, issuer approves |
| Active use | Active | Yes | Ongoing—token used with cryptogram per transaction |
| Automatic update | Active | Yes | Card network detects card reissue, updates FPAN mapping |
| Suspension | Suspended | No | Cardholder, issuer, or token requestor |
| Resumption | Active | Yes | Suspension reason resolved |
| De-provisioning | Deleted | No | Cardholder, merchant, issuer, or token requestor |
Card-on-File and Merchant-Initiated Transactions
Card-on-file (COF) tokenization and merchant-initiated transactions (MITs) are two of the highest-value applications of network tokens. Together, they address the core challenges of recurring payments, subscription billing, and stored-credential commerce.
The Expired Card Problem
Before network tokens, every stored card had a built-in expiration date. When the card expired, the stored credential became useless—the next charge would decline, and the business had to contact the customer to collect updated card details. With average card lifecycles of 3–4 years, a large subscription business could see 25–30% of its stored cards turn over annually. Each turnover event risked losing the customer entirely.
Account Updater services partially addressed this by periodically checking with card networks for updated card numbers. But Account Updater operates in batch mode (typically nightly or weekly), has incomplete coverage across issuers and geographies, and still results in a window where charges can fail before the updated PAN is retrieved.
Network tokens eliminate this problem. The token remains constant even when the underlying card changes. Updates propagate in real time through the card network, with no batch delays and no gaps in coverage. For subscription businesses, this means significantly fewer failed payments and a measurable reduction in involuntary churn.
MIT Classification and Network Tokens
Card networks classify transactions into categories based on who initiated them and whether the cardholder is present. The two primary categories for stored-credential transactions are:
Customer-Initiated Transactions (CITs)
- Cardholder actively participates
- Example: returning customer clicks “Pay” using stored card
- May include 3D Secure authentication
- The initial transaction that stores the credential is always a CIT
Merchant-Initiated Transactions (MITs)
- Merchant charges the stored credential without cardholder involvement
- Examples: subscription renewal, installment payment, delayed charge
- Must reference the original CIT via a transaction ID (trace ID)
- No 3D Secure—cardholder is not present to authenticate
Network tokens strengthen the MIT flow by providing the cryptogram as a transaction-level proof of legitimacy. When an issuer receives a MIT with a network token and valid cryptogram, it has much higher confidence that the charge is legitimate and was authorized by the cardholder through the original CIT. This confidence translates directly to higher approval rates for recurring charges—one of the most impactful benefits for subscription-based businesses.
For businesses processing Account Funding Transactions on stored credentials—such as recurring wallet loads or scheduled money transfers—the combination of network tokens and proper MIT classification ensures that these transactions are processed reliably, with the highest possible approval rates and the lowest possible fraud exposure.
Visa Token Service (VTS) vs Mastercard Digital Enablement Service (MDES)
The two largest card networks each operate their own Token Service Provider. Visa's is called the Visa Token Service (VTS), and Mastercard's is the Mastercard Digital Enablement Service (MDES). While both implement the EMVCo tokenization specification, they differ in several practical dimensions.
Head-to-Head Comparison
| Dimension | Visa Token Service (VTS) | Mastercard MDES |
|---|---|---|
| Parent standard | EMVCo Payment Tokenization Specification | EMVCo Payment Tokenization Specification |
| Token format | DPAN (Device PAN) in Visa token BIN range | DPAN in Mastercard token BIN range |
| Cryptogram type | TAVV (Token Authentication Verification Value) | DSRP cryptogram (Digital Secure Remote Payment) |
| Token requestor onboarding | Visa ID & V registration required | MDES Token Connect portal registration |
| Card-on-file support | Full support—e-commerce, recurring, MIT | Full support—e-commerce, recurring, MIT |
| Mobile wallet integration | Apple Pay, Google Pay, Samsung Pay, OEM wallets | Apple Pay, Google Pay, Samsung Pay, OEM wallets |
| Lifecycle management | Provision, suspend, resume, delete, auto-update | Provision, suspend, resume, delete, auto-update |
| Interchange incentive | 10 bps reduction on qualifying tokenized CNP | Market-specific incentives (varies by region) |
| Global issuer coverage | Broad—majority of Visa issuers support VTS tokens | Broad—growing rapidly, some regional gaps |
| API access model | Direct API or through approved token requestors (gateways, orchestrators) | Direct API or through approved token requestors (gateways, orchestrators) |
Key Differences in Practice
Cryptogram format: The most significant technical difference is in how each network generates and validates cryptograms. Visa uses the TAVV (Token Authentication Verification Value), while Mastercard uses the DSRP (Digital Secure Remote Payment) cryptogram. Both serve the same purpose—proving the transaction is legitimate and originated from an authorized token requestor—but they use different cryptographic methods. Payment processors and orchestrators must support both formats to process tokenized transactions across both networks.
Interchange incentives: Visa has published explicit, global interchange reductions for tokenized CNP transactions (10 bps). Mastercard's incentive structure varies by region and is less uniformly published. Merchants processing high volumes across both networks should verify the specific interchange treatment applicable in their operating markets.
Issuer coverage: Both networks have broad issuer support, but coverage is not 100%. Some smaller issuers and regional banks may not yet support network tokenization. When a token request is sent for a card whose issuer does not support tokenization, the TSP will return a decline, and the system must fall back to gateway tokenization or raw PAN processing. A well-designed integration handles this gracefully.
Practical recommendation: Most businesses do not interact with VTS or MDES directly. Instead, they work through a payment orchestrator or gateway that abstracts the network-specific differences. The orchestrator handles token provisioning, cryptogram generation, and lifecycle management across both networks through a unified API. This is the recommended approach for merchants that do not want to maintain separate integrations with each card network.
Implementation Guide: How to Adopt Network Tokenization
There are three paths to network tokenization, depending on your organization's size, technical capability, and existing payment infrastructure.
Path 1: Become a Direct Token Requestor
Large merchants and payment platforms can register directly with Visa and Mastercard as Token Requestors (TRs). This provides maximum control over the tokenization process but requires significant technical investment.
Requirements include:
- Registration with each card network (Visa ID & V, Mastercard MDES Token Connect)
- Building and certifying direct API integrations with VTS and MDES
- Implementing cryptogram generation and management
- Managing token lifecycle events (updates, suspensions, de-provisioning)
- Maintaining compliance with each network's Token Requestor standards
- Supporting multiple cryptogram formats (TAVV for Visa, DSRP for Mastercard)
This path is typically chosen by large e-commerce platforms, digital wallets, and payment service providers that process billions of dollars annually and need full control over their tokenization infrastructure.
Path 2: PSP-Managed Tokenization
The most common path for mid-market and enterprise merchants is to enable network tokenization through their existing payment gateway or orchestration platform. In this model, the gateway acts as the Token Requestor on behalf of the merchant.
This approach offers several advantages:
- No direct integration with card networks required
- The gateway handles token provisioning, cryptogram generation, and lifecycle management
- A single API serves both Visa and Mastercard tokenization
- Migration from gateway tokens to network tokens can often be done without re-collecting card details
- The merchant benefits from the gateway's existing Token Requestor certification and trust level
Most modern payment gateways and orchestrators now offer network tokenization as an opt-in feature. The merchant enables it in their configuration, and the platform begins requesting network tokens for new card-on-file enrollments—and in many cases, can backfill existing stored credentials with network tokens.
Path 3: Phased Migration
For businesses that already have a large base of gateway tokens and stored credentials, the recommended approach is a phased migration rather than a big-bang switch.
Enable for New Enrollments
Start by requesting network tokens for all new card-on-file enrollments. This requires no changes to existing stored credentials and allows you to validate the integration in production with new customers first.
Backfill High-Value Credentials
Prioritize existing stored credentials by transaction volume and value. Request network tokens for your highest-volume card-on-file accounts first, where the auth rate and fraud benefits will deliver the most impact.
Measure and Compare
Run A/B comparisons between network-tokenized and gateway-tokenized transactions. Measure authorization rates, fraud rates, and chargeback rates side by side. This data will validate the business case and inform the rollout pace.
Full Portfolio Migration
Once results are validated, backfill the remaining stored credentials. Implement fallback logic for cards where the issuer does not yet support network tokenization—these continue using gateway tokens until issuer support is available.
Optimize and Monitor
Continuously monitor token provisioning success rates, cryptogram validation rates, and authorization performance. Adjust routing rules to prefer network tokens where they deliver the best results, and fall back gracefully where they do not.
Glossary of Payment Tokenization Terms
| Term | Definition |
|---|---|
| PAN (Primary Account Number) | The 16-digit (or 15/19-digit) number on the front of a payment card that uniquely identifies the cardholder's account. This is the sensitive data that tokenization replaces. |
| FPAN (Funding PAN) | The real, original card number. In network tokenization, the FPAN is the card number stored in the card network's token vault and mapped to the DPAN. Also referred to as the “underlying PAN.” |
| DPAN (Device PAN / Token PAN) | The substitute card number issued by the card network's Token Service Provider. The DPAN has the same format as a PAN but is drawn from a dedicated token BIN range. It replaces the FPAN in merchant systems and transaction flows. |
| Cryptogram | A one-time, transaction-specific security code generated alongside each network token transaction. The cryptogram proves the transaction originated from an authorized token requestor and is valid only for a single transaction. Visa calls it TAVV; Mastercard calls it DSRP. |
| TSP (Token Service Provider) | The entity that issues, manages, and maintains the lifecycle of network tokens. Visa's TSP is VTS (Visa Token Service); Mastercard's is MDES (Mastercard Digital Enablement Service). Both follow the EMVCo specification. |
| Token Requestor (TR) | The entity that requests a network token from the TSP on behalf of a merchant. Can be the merchant directly, a payment gateway, a payment orchestrator, or a digital wallet provider. |
| EMVCo | The global technical body jointly owned by Visa, Mastercard, American Express, Discover, JCB, and UnionPay. EMVCo publishes the Payment Tokenization Specification that VTS and MDES implement. |
| CDE (Cardholder Data Environment) | The set of systems, networks, and processes that store, process, or transmit cardholder data. PCI DSS compliance requirements apply to all components within the CDE. Tokenization removes systems from the CDE by replacing PANs with non-sensitive tokens. |
| CNP (Card Not Present) | A transaction where the cardholder's physical card is not present at the point of sale—typically an online, phone, or mail order transaction. CNP transactions have higher fraud rates and are the primary beneficiaries of network tokenization. |
| Token Vault | The secure, PCI-compliant database that stores the mapping between tokens and the original PANs. For gateway tokens, the vault is operated by the payment gateway. For network tokens, the vault is operated by the card network's TSP. |
| VTS (Visa Token Service) | Visa's network tokenization platform. Manages the issuance, lifecycle, and cryptogram generation for Visa network tokens across e-commerce, in-app, and mobile wallet transactions. |
| MDES (Mastercard Digital Enablement Service) | Mastercard's network tokenization platform. Equivalent to VTS for Mastercard-branded cards, managing token issuance, lifecycle management, and DSRP cryptogram generation. |
| MIT (Merchant-Initiated Transaction) | A transaction initiated by the merchant using a stored credential, without the cardholder being present to authenticate. Examples include subscription renewals, installment payments, and no-show charges. |
| CIT (Customer-Initiated Transaction) | A transaction where the cardholder actively participates in the payment process. The initial card-on-file enrollment is always a CIT and serves as the consent basis for subsequent MITs. |
| PCI DSS (Payment Card Industry Data Security Standard) | The global security standard that governs how organizations handle cardholder data. Version 4.0 became mandatory in March 2025 and strengthened requirements for stored PAN protection, making tokenization an increasingly essential compliance strategy. |
Secure Your Payments with Inyo's Tokenization & Orchestration Platform
Inyo's payment orchestration platform supports network tokenization across Visa and Mastercard, with automatic token lifecycle management, cryptogram generation, and intelligent routing that maximizes authorization rates while minimizing fraud. Whether you are processing card-on-file payments, Account Funding Transactions, recurring subscriptions, or payment link collections—Inyo handles tokenization so you can focus on growing your business.
Reduce PCI scope, recover declined transactions, and stop leaving revenue on the table. Connect with our team to learn how network tokenization fits into your payment stack.
Related Articles
What is an AFT? Understanding Account Funding Transactions
Learn how Account Funding Transactions power digital wallets, prepaid cards, and online account deposits.
Payment Orchestrator vs Payment Gateway: What's the Difference?
Learn about the key differences between payment orchestrators and traditional payment gateways.