April 16, 2026 9 min read

Network Tokenization with Visa and Mastercard — Why PSP Tokens Aren't Enough

PSP tokens protect your vault. Network tokens protect the entire transaction chain — and they quietly boost your authorization rates by 5-10%. Here's what I learned implementing both.

The Two Layers of Tokenization Most Teams Confuse

When I first started working with card-on-file payments, I assumed tokenization was tokenization. We had Stripe tokens in our vault, PCI scope was reduced, and life was good. Then our authorization rate on recurring charges started dipping — 82%, then 79% — and I couldn't figure out why. Cards were expiring, getting reissued after fraud, and our stored tokens were silently going stale.

That's when I dug into network tokenization, and it changed how I think about the entire card storage problem.

Here's the distinction that matters: PSP tokens (like Stripe's pm_xxx or Adyen's recurringDetailReference) are references that live inside your payment processor's vault. They map back to a PAN that your PSP stores. Network tokens are issued by Visa (via Visa Token Service) or Mastercard (via Mastercard Digital Enablement Service) and replace the PAN at the network level itself. The issuing bank knows about them. The network knows about them. They're first-class citizens in the payment ecosystem.

PSP Token Flow
Your App sends pm_abc123
PSP resolves token → PAN
PAN sent to Visa/MC network
Issuer authorizes (or declines)
⚠ If card reissued, PAN is stale → decline
Network Token Flow
Your App sends network token + cryptogram
Visa/MC validates token + cryptogram
Network resolves to current PAN
Issuer authorizes with confidence
✓ Card reissued? Token auto-updates

The critical difference is where the detokenization happens. With PSP tokens, your processor resolves the token to a PAN before it hits the network. With network tokens, the network itself manages the mapping — and the issuer sees a transaction flagged as tokenized, which signals higher trust.

Why Network Tokens Boost Authorization Rates

This was the part that surprised me most. When we rolled out network tokens on a subscription billing platform processing about 400K transactions per month, our authorization rate on recurring charges went from 81% to 88% within the first billing cycle. That's not a rounding error — that's real revenue.

+7%
Auth Rate Uplift
(Our recurring billing)
~4%
Cards Reissued Monthly
(Industry average)
0
Card Update Requests
(Network tokens auto-refresh)

Three things drive this improvement:

  1. Issuer trust signals. When an issuer sees a network-tokenized transaction, it knows the token was provisioned with their consent and is domain-restricted. This reduces false declines from fraud models.
  2. Transaction cryptograms. Each network token transaction includes a unique cryptogram — a one-time-use proof that the token is being used by the authorized merchant, in the authorized channel. Issuers love this.
  3. Automatic credential updates. This is the killer feature. When a cardholder's bank reissues their card (new expiry, new number after fraud), the network token automatically maps to the new PAN. Your stored token just keeps working. No account updater service needed, no failed charges, no churn.

The Lifecycle: How Network Tokens Actually Work

Understanding the lifecycle helped me reason about failure modes and debug issues in production. Here's how it flows:

1. Provisioning

You (or your PSP on your behalf) submit a PAN to the Token Service Provider (Visa or Mastercard). The network contacts the issuing bank, which decides whether to approve the token request. If approved, you get back a network token (looks like a PAN but isn't one) and a token reference ID. The token is scoped to your merchant ID and a specific domain — e-commerce, recurring, or card-on-file.

2. Cryptogram Generation

Before each transaction, you request a transaction-specific cryptogram from the token service. This cryptogram is a short-lived, single-use value that proves the token is being used legitimately. Think of it like a dynamic CVV that changes every transaction. For Visa, this is called a TAVV (Token Authentication Verification Value). Mastercard calls theirs a DSRP cryptogram.

3. Domain Restriction

Network tokens are locked to a specific presentment domain. A token provisioned for e-commerce card-on-file can't be used for in-store tap-to-pay. This is enforced at the network level — the issuer won't see a mismatch and decline. It's a security feature that also happens to boost approval rates because the issuer knows exactly what context the token is being used in.

4. Lifecycle Management

The network maintains the token-to-PAN mapping. When the underlying card changes, the network updates the mapping and sends a token status update notification. Your token stays the same. The cardholder doesn't need to re-enter anything. This is what makes network tokens fundamentally different from any PSP-level solution.

Implementation: PSP-Managed vs Direct Integration

There are two paths, and I've worked with both. For most teams, the PSP-managed route is the right call.

Through Your PSP (Recommended for Most)

Stripe, Adyen, Braintree, and most major PSPs now support network tokenization as a feature you can enable. With Stripe, for example, you can request network tokens when saving a card:

// Request network token when creating a PaymentMethod
const paymentMethod = await stripe.paymentMethods.create({
  type: 'card',
  card: {
    number: '4242424242424242',
    exp_month: 12,
    exp_year: 2028,
    cvc: '314',
  },
  // Stripe automatically provisions network tokens
  // when available for eligible cards
});

// When charging, Stripe uses the network token + cryptogram
// transparently — no code changes needed
const paymentIntent = await stripe.paymentIntents.create({
  amount: 2999,
  currency: 'usd',
  payment_method: paymentMethod.id,
  confirm: true,
  // Network token is used automatically if provisioned
  // You can check via the payment method's card.networks field
});

With Adyen, you explicitly opt in via the storePaymentMethod flag and can check the networkTxReference in the response to confirm a network token was used. The beauty of the PSP-managed approach is that your integration code barely changes — the PSP handles provisioning, cryptogram generation, and lifecycle management behind the scenes.

Direct Integration (For Large Merchants)

If you're processing at serious volume (think millions of transactions per month) and want full control, you can integrate directly with Visa Token Service or Mastercard MDES. Here's what a direct provisioning request looks like conceptually:

// Direct VTS token provisioning request (simplified)
POST /vts/provisionedTokens HTTP/1.1
Host: api.visa.com
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "clientTokenRequestId": "req_20260416_abc123",
  "tokenType": "ECOMMERCE",
  "cardholderInfo": {
    "primaryAccountNumber": "4111111111111111",
    "expirationDate": {
      "month": "12",
      "year": "2028"
    }
  },
  "tokenRequestorInfo": {
    "tokenRequestorId": "40012345678",
    "merchantName": "Acme Subscriptions"
  }
}

// Response includes:
// - networkToken: "4895370012341234" (token PAN)
// - tokenReferenceId: "DNITHE382..."
// - tokenStatus: "ACTIVE"
// - tokenExpirationDate: { month: "12", year: "2030" }

Heads up: Direct integration requires you to become a registered Token Requestor with each network. That means contracts, certification testing, and ongoing compliance obligations. Unless you have a dedicated payments infrastructure team, go the PSP route.

When to Use Network Tokens vs PSP Tokens

This isn't an either/or decision. In practice, you'll use both — PSP tokens as your application-level reference, with network tokens working underneath. But here's when network tokens deliver the most value:

Aspect PSP Tokens Network Tokens
Scope Within your PSP only Across the entire network
Card Reissue Handling Requires Account Updater Automatic — token stays valid
Auth Rate Impact Baseline +5-10% uplift typical
Cryptogram None (static PAN sent) Per-transaction dynamic cryptogram
Issuer Visibility Sees raw PAN Sees tokenized + domain info
PSP Portability Locked to one PSP Portable across PSPs (with direct integration)
Best For One-time charges, simple setups Subscriptions, card-on-file, high-volume recurring
Setup Complexity Minimal — default behavior Low via PSP, high for direct integration

My rule of thumb: if you're storing cards for future use — subscriptions, one-click checkout, recurring invoices — you should be using network tokens. The auth rate improvement alone pays for the integration effort many times over. For one-time guest checkouts, PSP tokens are perfectly fine.

Lessons from Production

A few things I wish someone had told me before we started:

Bottom line: Network tokenization isn't a nice-to-have anymore. If you're running any kind of recurring or card-on-file business, the authorization rate uplift and automatic card lifecycle management make it one of the highest-ROI infrastructure investments you can make. Start with your PSP's managed offering — you can get 80% of the benefit with almost zero code changes.

References

Disclaimer: This article reflects the author's personal experience and opinions. Product names, logos, and brands are property of their respective owners. Pricing and features mentioned are subject to change — always verify with official documentation.

Related Articles

Looking to implement network tokenization or improve your payment authorization rates?

Get in Touch