The payment industry’s focal point is the card number. Whether it’s a business asking a customer to read it off their plastic card, a cardholder keying it into a website checkout page, a number stored in a CRM, saved in a billing platform, or secured inside a payment processor’s vault, the 15- or 16-digit primary account number (PAN) sits at the foundation of payment processing for commerce.
Businesses build processes and best practices around it. Software vendors build integrations around it, payment processors build infrastructure around it, and fraudsters build entire industries around stealing card numbers.
But what happens when the card number itself becomes less important?
Businesses that scale quickly, like ecommerce or subscription-based companies handling higher volumes of payment authorization attempts still focus primarily on processing rates, chargebacks, and payment acceptance. Meanwhile, a shift is taking place behind the scenes that will impact authorization optimization.
What is credit card tokenization?
At its simplest, tokenization is the process of replacing sensitive payment card information with a non-sensitive numeric value called a token. A token has no value outside the environment in which it was created. Instead of saving a customer’s actual card number, a merchant can securely store this token in a customer payment profile, also known as a card manager, and use it for future card-on-file transactions.
Where tokenization shows up in practice
In practice, we encounter tokens in more situations than most businesses realize. As a merchant services provider, the contexts in which we discuss and interact with tokens are multifaceted.
A merchant decides to switch processors and discovers that thousands of customer payment profiles are stored in the previous processor’s vault; we step in and facilitate the token transfer.
A software vendor wants to offer an integrated payments module, or an existing integration partner wants to update their integration to include recurring billing and needs a secure way to store customer profiles; we open and oversee the integration project and help them choose an option that keeps them out of PCI scope.
An ERP implementation requires payment credentials to be saved for future invoices; we present options to securely accomplish this.
Or a business begins using subscription billing software and needs to switch payment gateways; we work through how to export the tokens and import them into a new card manager for access by that gateway.
In all these use cases, tokenization historically solved a very specific problem: securing payments during transaction transmission. It helped industry software vendors and the businesses that use their software remain PCI compliant and reduced the risk of sensitive data being exposed during a breach. But our conversations around tokenization are changing. Today, tokenization is being used to solve operational challenges that extend beyond security alone.
Understanding the different types of tokens
Once tokenization becomes an operational decision and not just a security one, the type of token you use starts to matter. Not all tokens are created equal.
Understanding the differences is becoming important as businesses and SaaS companies evaluate payment strategies and technology investments.
Hosted tokens are created and stored by payment gateways or payment service providers (PSPs), which maintain the token vault and control access to the underlying card information. The advantages are clear: PCI scope is reduced and implementation is straightforward.
Local tokens are created and managed by the payment processor, but the merchant or software application also stores the token numbers in its own database and uses them for future transactions. This approach provides more flexibility than traditional hosted tokens while still reducing exposure to sensitive payment data.
For many, this sounds like a technical discussion, but it is rapidly becoming an operational one. Understanding the limitations surrounding token providers and token types will help businesses and SaaS companies grasp the direction tokenization is moving, how it affects them, and even prepare for the future of AI-driven commerce.
The limitation of traditional tokens
These tokens only work within the specific environment they reside in. If you want to move to another provider, gateway, or infrastructure model, portability can become a challenge. The token is effectively trapped within a single domain.
These limitations are driving shifts within the payments ecosystem across all payment players. The newest generation of processor-managed tokenization services is evolving beyond simple security tools into centralized customer payment management platforms. At Elavon, for example, token management has progressed from a legacy Protegrity token provider, to an enterprise token solution using Voltage as a provider, and now to an enhanced tokenization service, backed by Visa, designed to support customer lifecycle management, broader analytics capabilities, and network tokenization.
Network tokens
What’s the difference between traditional and network tokens?
Traditional hosted or local tokens generally live inside a gateway (i.e. Authorize.net), a processor (Elavon), a software platform, or a payment ecosystem. Network tokens live at the card network level.
Network tokens are payment credentials created and managed directly by the card networks themselves, Visa, Mastercard, American Express, or Discover. This is where the industry is heading. Instead of tokens existing only within a gateway, processor, or software platform, the token is tied to the card network. The PAN is replaced with a network-issued credential (a virtual card number linked to the real account) that is used for secure payment processing; the network manages the relationship between the token and the payment processor’s underlying account.
One of the most interesting aspects of network tokenization is that the network can maintain the token lifecycle on behalf of the merchant. Traditionally, a value-added feature known as account updater would need to be added to a payment gateway. With network tokens, if a card expires, is replaced, or is reissued after being lost or stolen, the network can update the credential relationship behind the scenes and notify the processor of the underlying account, so recurring or subscription transactions continue to work without anyone needing to update payment information at the merchant level.
What is driving the adoption of network tokens?
To understand the move toward network tokens, it helps to see the three problems tokenization has solved. First, security in transit: the original job of a token was to keep the card number out of your system. Second, card-on-file convenience: once you can store an encrypted card number, you can bill again without asking the customer to dig out their card. This is what powers subscriptions, saved wallets, and one-click online orders. Third, and this is where the payments ecosystem now sits, lifecycle and portability. Local tokens were good at security and convenience but bad at change. Network tokens were built to fix that, and card networks are steering the online industry toward them with the following incentives:
Decreased ecommerce fraud threats: Fraud continues to evolve: card-testing attacks, credential stuffing, compromised databases, and stolen payment credentials. As fraudsters become more sophisticated, protecting static card numbers becomes increasingly difficult. Network tokens reduce the exposure of actual card credentials and create additional layers of security. Visa reports a 30% reduction in online fraud versus when using raw PAN. This represents the evolution of payment data protection, and it raises an interesting question: could the era of stolen card data eventually become far less valuable?
Improved Authorization Rates: Declined transactions are a sore point for online merchants, and authorization optimization is one of the biggest opportunities in payments. Visa has seen a 4.6% increase in authorization rates for network-tokenized transactions compared to traditional card credentials in card-not-present (CNP) environments. For subscription businesses, this can have a tremendous impact on revenue.
Reduced subscription churn: One of the biggest causes of churn and failed payments is expired cards. Network tokens reduce this problem by keeping credential lifecycles current.
Cost savings: Certain transaction types qualify for lower interchange rates when using network-tokenized credentials.
Better customer lifecycle management: Customer relationships rarely exist within a single application. Network tokens centralize credential management across environments and maintain the customer lifecycle.
Not every business needs network tokens for every use, and a modern token management service improves local tokens too. The online businesses and software vendors that benefit most from adopting network tokens are any businesses or ISVs that rely on continuous customer billing. Even more so if they apply a layered strategy alongside 3D Secure and fraud and chargeback protection.
Token enhancement impact on Payment Integrations
Software vendors, point-of-sale providers, property management systems, and other integrated platforms may need to make updates to support newer tokenization capabilities. Examples of payment field updates that may be needed within their APIs include:
- Supporting 19-digit token values
- Sending a token indicator
- Storing token-related API response fields
- Replacing legacy tokens
- Supporting additional requirements (i.e., providing a URL) for network token functionality
If you process with Elavon, the shifts are already in motion. Elavon will support both bulk token migrations, sending current tokens and returning new token values, and migration on an as-needed basis.
Looking ahead
An interesting aspect of tokenization’s evolution is not the technology itself, but what that technology is enabling.
What began as a way to protect card numbers is now becoming a mechanism for managing customer payment credentials across channels, providers, payment platforms, and even future agentic AI commerce experiences.
The payment industry spent years protecting the card number; now it is more about making that card number matter less altogether. The businesses that embrace this transition as part of their growth strategy will come out with fewer declines, less churn, lower fraud exposure, and a payment stack that is ready for whatever pays next.
Whether you’re evaluating your payments strategy, planning an integration, or preparing for a platform migration, we’ll help you navigate the complexity and identify the best path forward. Reach out to discuss.
