
Network Tokens

Written by CBS Consulting | Apr 2, 2026 1:06:44 PM

The Card Schemes are increasingly promoting Network Tokens across the payments ecosystem — and with good reason. They offer higher authorisation rates, reduced fraud, and lower risk from compromised card numbers. This paper takes a deeper look at Network Tokens and outlines why every retailer now needs a strategy for their adoption.

What are Network Tokens?

  • A Network Token (or EMV Token) is a card-network-issued token that replaces the real card number in a transaction, using a PAN-like format.
  • Tokens cannot be reversed back into the underlying card number, making them far less attractive and useful to fraudsters.
  • A single PAN can support multiple tokens — for Apple Pay, Google Pay, Click to Pay, or merchant-specific uses.
  • Token provisioning typically involves an issuer- or scheme-led authentication step, such as an SMS OTP or an approval through the banking app.
  • Once created, each transaction using that token is authenticated by the user, for example via biometrics on an iPhone for Apple Pay or via Passkeys in Click to Pay (it is the combination of Passkeys and Network Tokens that differentiates Click to Pay from earlier scheme wallet attempts — delivering strong security without adding friction).

Types of Network Tokens

  • Digital Wallet Tokens — Apple Pay and Google Pay remain the most familiar use cases, and were the first token types deployed at scale.
  • Merchant Card-on-File Tokens — These replace (or sit alongside) PSP-issued tokens, and may be merchant or PSP specific depending on business requirements.
  • Click to Pay Tokens — The EMVCo wallet solution. Tokens can often be provisioned through a customer’s banking app so the PAN never leaves the issuer/scheme ecosystem.
  • Agent-Specific Tokens — The next wave, enabling AI agents to transact securely on a consumer’s behalf, using tightly scoped tokens.

Benefits of Network Tokens for Consumers and Retailers

  • Higher Authorisation Rates – Tokens remain current when the underlying card changes, reducing lifecycle declines in subscriptions and card-on-file use cases.
  • Lower Friction – Authentication via biometrics or Passkeys simplifies checkout flows. Customers can transact across merchants without needing to re-enter card data or save their card.
  • Improved Fraud Mitigation — and a foundation for Agentic Commerce – Consumers share their PAN less frequently, reducing attack vectors. Stolen tokens are hard to misuse; many are device- or merchant-bound. This reduces fraud and false declines.
  • PCI Benefits – Tokens help remove PANs from merchant systems entirely. Caution: handling both a Network Token and cryptogram may still place a merchant in SAQ D scope.
  • Payment Account Reference (PAR) – PAR links all tokenised and PAN transactions for a given card account across channels. This enables richer fraud prevention, loyalty integration and customer service, and bridges previously disconnected datasets.
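To illustrate the PAR point above, the following added example (not part of the original paper) compares a velocity check keyed on the presented credential with the same check keyed on PAR. The records, field names, PAR values and thresholds are all constructed assumptions, not any scheme's or PSP's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. "credential" is what the merchant was presented
# (a token or a PAN reference); "par" is the Payment Account Reference that
# ties every credential back to one card account.
TRANSACTIONS = [
    {"ts": "2026-04-02T10:00:00", "channel": "apple_pay", "credential": "tok-wallet-01", "par": "PAR-EXAMPLE-A"},
    {"ts": "2026-04-02T10:04:00", "channel": "card_on_file", "credential": "tok-cof-01", "par": "PAR-EXAMPLE-A"},
    {"ts": "2026-04-02T10:09:00", "channel": "click_to_pay", "credential": "tok-c2p-01", "par": "PAR-EXAMPLE-A"},
    {"ts": "2026-04-02T10:15:00", "channel": "apple_pay", "credential": "tok-wallet-01", "par": "PAR-EXAMPLE-A"},
    {"ts": "2026-04-02T10:20:00", "channel": "in_store", "credential": "pan-ref-01", "par": "PAR-EXAMPLE-A"},
    {"ts": "2026-04-02T10:05:00", "channel": "card_on_file", "credential": "tok-cof-02", "par": "PAR-EXAMPLE-B"},
    {"ts": "2026-04-02T10:25:00", "channel": "card_on_file", "credential": "tok-cof-02", "par": "PAR-EXAMPLE-B"},
]

def velocity_alerts(txns, key, window=timedelta(minutes=30), max_count=3):
    """Return the values of `key` seen more than max_count times in any window."""
    by_key = defaultdict(list)
    for txn in txns:
        by_key[txn[key]].append(datetime.fromisoformat(txn["ts"]))
    flagged = set()
    for value, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within `window` of ts.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_count:
                flagged.add(value)
                break
    return sorted(flagged)

def channels_per_par(txns):
    """Map each PAR to the set of channels it appeared on (the cross-channel view)."""
    seen = defaultdict(set)
    for txn in txns:
        seen[txn["par"]].add(txn["channel"])
    return dict(seen)

if __name__ == "__main__":
    print("per credential:", velocity_alerts(TRANSACTIONS, "credential"))
    print("per PAR:       ", velocity_alerts(TRANSACTIONS, "par"))
    print("channels:      ", channels_per_par(TRANSACTIONS))
```

Keyed on the credential, no single token exceeds the threshold; keyed on PAR, the five transactions spread across wallet, card-on-file, Click to Pay and in-store credentials surface as one account.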

Card Scheme Mandates and Fees

The schemes are taking different but converging approaches.

Mastercard has clearly committed to phasing out PAN-based e-commerce transactions in Europe by 2030 and establishing tokenisation as the default. It has mandated that e-commerce service providers support EMV Click to Pay and tokenisation, with a defined timetable already in motion.

Visa is applying a behavioural approach. Rather than mandating tokenisation, Visa has substantially increased the fee for not using a Network Token (or PAN with 3DS). The latest adjustment — 0.075 per cent of the transaction value — creates a strong commercial incentive for merchants and PSPs to shift to tokens.

Combined with PCI non-compliance fines and issuer-driven wallet adoption, the direction of travel is clear: remove PANs from merchant environments wherever possible.

Conclusion

  • Use tokens to enhance PCI compliance and reduce your fraud attack surface.
  • Reduce lifecycle declines with token updates and card-updater services.
  • Implement Click to Pay and other digital wallets to reduce friction and raise approval rates.
  • Feed PAR into MI, loyalty and fraud systems to strengthen your data.

The result is better security, lower operational risk, smoother checkout and higher conversion.

What Should Retailers Do Next?

  1. Engage with your PSPs to understand their tokenisation capabilities.
  2. Decide whether PSP-managed tokens or becoming your own Token Requestor best fits your PCI, control and portability needs.
  3. Map out how you will meet Mastercard tokenisation mandates over the coming years.
  4. Quantify the commercial upside of shifting higher volumes of transactions to tokens.
  5. Assess how PAR could strengthen your fraud, loyalty and omnichannel data.
  6. Build a roadmap that enhances PCI compliance, fraud detection, conversion and payment cost management.

CBS Change Partners have 20 years of experience across the evolving payments landscape. We can help you identify the opportunities, reduce the risks, and implement a practical strategy to unlock the full value of Network Tokens.

Retail Perspectives #5: Network Tokens