How ‘Tokens’ Will Kill Off Credit Card Numbers — And Why It Matters
Mastercard's announcement that it will eliminate 16-digit credit card numbers by 2030 put the payment industry's impending move to "tokenization" into sharp relief. Here’s what it means — for issuers, merchants and card users alike.
By Steve Cocheo, Senior Executive Editor at The Financial Brand
A new payments study by Juniper Research forecasts that the number of "global network tokenized transactions" will double in 2029, shooting to 574 billion from 283 billion in 2025. Specifically, the study refers to "network tokenization" and how the boom in adoption is driven by increasing risk of credit card fraud.
For many banking executives who don’t work directly in the payments space, the terminology can get hazy because the term "tokenization" can mean multiple things. This is especially so as blockchain technology sees increasing adoption, with its ability to "tokenize" assets.
In the payments area, and in the Juniper research, "tokenization" refers to "network tokenization," a process involving merchants, card issuers, various payments system third parties, and the card networks themselves that’s designed to hide consumers’ card payment account data from fraudsters. As actual plastic cards become less and less a factor in payments — "card not present" transactions, in payments parlance, from online commerce to digital wallets — the potential for fraud increases.
The arguments for network tokenization include increased acceptance when a consumer makes a purchase, a benefit for the buyer, the merchant and the card issuer, all of whom want to see legitimate transactions go through. The intent is to improve authorization rates while reducing the risk of fraud. Juniper’s research suggests that a factor that will accelerate interest in tokenization is Apple’s decision to allow third-party developers to access iPhones’ near-field-communication chip, which could encourage introduction of more digital wallets.
Let’s explore what the term "network tokenization" means, step by step. The following explanatory article draws on a white paper from Juniper as well as materials published by Mastercard, Visa, American Express, EMVCo, JPMorgan Payments and IBM.
Basics of Tokenization for the Layman
Various animated videos explaining tokenization use images of keys or cartoonish token shapes to symbolize the idea of an abstract item — a string of numbers — that can simultaneously unlock a payments process while being useless to a criminal intercepting the string.
A post by IBM describes a digital token as "a collection of characters that serve as an identifier for some other asset or piece of information." In the case of payment cards, the idea is to replace the cardholder’s "primary account number," or PAN, with an equal string of randomly generated digits that, even if discovered en route, would be as useless to a fraudster as the real PAN would be useful.
Don’t confuse tokenization with another method tried in the past to safeguard card account numbers: encryption.
Says the IBM post: "Tokenization replaces sensitive data with strings of nonsensitive (and otherwise useless) characters. Encryption scrambles the data so that it can be unscrambled with a secret key, which is known as an encryption key."
Network tokenization relies on numbers that contain the same number of digits as the actual PAN. A JPMorgan Payments paper explains that this is done "to enable smooth integration into existing transaction processes" — like for like, in other words.
There are other forms of card tokenization, such as merchant-based tokenization. What sets network tokenization apart is that the tokens are issued by the card networks or parties operating on their behalf, and the tokens issued in this way can travel throughout the payment stream as is. The term used in the field is "interoperable."
The card networks coordinate technical standardization of network tokenization through an international interindustry group, EMVCo. The organization marked its 25th anniversary in 2024. It was originally founded to provide standards for now ubiquitous chip cards, but serves many other payments purposes now, including network tokenization.
The card networks provide multiple pathways for the tokenization of cards that consumers enroll with merchants for purchases.
Read more: Musk’s X Money Begins to Show Its Cards
How Tokenization Works in the Flow of Transactions
Juniper’s report describes the process as follows, along the lines of the diagram below.
Creation of the network token begins when a consumer puts their card information onto a merchant’s website, into a mobile app, or a personal digital device like a phone, tablet or digital watch. At that time the merchant requests a token, via a token requestor, through the appropriate card network, to the issuing bank. (This part of the process is represented by the dark red arrows.)
If the bank approves the consumer’s account for a token, the card network’s token services provider produces a token to substitute for the PAN. The token is routed back to the token requestor on the merchant’s behalf. The requestor stores the token. (The flow of the token is represented by the bright red arrows.)
The token services provider — such as Visa Token Service and Mastercard Gateway — operates a "token vault" which is where the record of what PANs go with which tokens resides.
Once a token is established — in a purchase, this has all gone on in the background — the transaction is processed as usual. The exception is that the token is used instead of the PAN. The request for authorization of the purchase is routed to the card issuer via the payment network. The approval or denial of the purchase goes back to the merchant via the card network.
Read more:
How Tokenization Can Improve Results
Merchants who go with tokenization get the benefit of lower fraud risk, notes the Juniper white paper, and "the responsibility of verifying the cardholder’s account and the financial liability for chargebacks are shifted from the merchant to the issuing bank." The paper also points out that using tokenization can result in lower interchange fees, a matter of high interest to merchants.
A benefit to consumer, merchant and card issuers is that once a network token is created in the system, it is designed to update itself.
For example, when a physical card hits its expiration date, so long as the account is renewed by the card issuer, the consumer need not update the account information for the card to continue to be accepted. That’s handled automatically. Similarly, if a physical card is reported lost or stolen, it can still be used in its tokenized, digital form while the replacement card is being processed and sent. A JPMorgan Payments paper points out the value of this in cases where consumers use the card for recurring purchases, such as subscriptions and incremental payment plans, such as buy now, pay later.
(While tokens are created to be reused, a one-time technology that this process uses to re-authenticate the merchant is a single-use "cryptogram." This one-time code is generated by the merchant’s account or the "card" stored inside the consumer’s device, according to an Mastercard backgrounder.)
Among the benefits promoted for tokenization are reductions in fraud but also "uplift" in approved transactions. This varies depending on how the improvement is measured, but a figure often cited in Visa materials is 4% for card-not-present transactions. The idea is that the token gives issuers greater assurance in approving purchases.
The viewpoint of customer experience, network tokenization is said to reduce "false declines."
These are legitimate transactions that are rejected because they are erroneously detected to be fraudulent. Since both consumer and merchant want the transaction to go through — as do card issuers, so long as it is valid — this is a major selling point for tokenization. In a world where payments fraud continues to rise, you can see how adoption of this technique could take off at the rate predicted by Juniper.
