Report Highlights

Understanding network tokenisation: A Buyer's Overview

Network tokenisation is a security and performance infrastructure layer that replaces a cardholder's Primary Account Number with a unique, cryptographically bound token issued and managed by card networks such as Visa, Mastercard, and American Express. Unlike acquirer or gateway tokenisation, network tokens carry dynamic cryptograms validated by the issuer at the point of authorisation, meaning each transaction carries a one-time proof of legitimacy. The primary buyers of tokenisation services are payment facilitators, acquirers, large merchants operating direct card acceptance, digital wallet providers, and increasingly embedded finance platforms integrating card payment rails into non-traditional product experiences.

From a procurement perspective, the market is structured around card network token service APIs as the foundational layer, with a secondary layer of token requestor intermediaries — including Spreedly, Basis Theory, and MDES/VTS integration specialists — who abstract multi-network provisioning into a single commercial relationship. Contract structures vary significantly: direct network agreements require volume commitments and technical certification cycles of 6–18 months, while third-party token requestor platforms offer faster onboarding under SaaS pricing models. Competition at the intermediary layer is intensifying, giving buyers meaningful leverage on commercial terms for the first time in this category.

Factors driving network tokenisation procurement

Three procurement triggers dominate current spending decisions. First, card network mandates on declining-PAN transactions are tightening. Visa's April 2025 requirement that all token requestors connected to its network maintain active domain validation creates a hard compliance deadline rather than an aspirational goal. Merchants that have not completed VTS or MDES integration by these mandated dates face direct authorisation rate penalties — a quantifiable revenue loss that converts security spend into a recoverable cost-of-inaction calculation. This regulatory pressure is the single fastest-moving procurement trigger in the market today.

Second, the proliferation of digital commerce channels — including in-app purchases, buy now pay later integrations, connected device payments, and subscription billing — has expanded the attack surface for card data exposure. Each new channel requires a token requestor registration, creating ongoing procurement activity for merchants scaling their digital estate. Third, issuer-side pressure is accelerating adoption: Citibank, JPMorgan Chase, and HSBC are actively reducing interchange on non-tokenised card-not-present transactions in select markets, creating a direct cost differential that procurement teams can model and present as a capital allocation case.

Challenges buyers face in the network tokenisation market

The most operationally damaging challenge is multi-network certification complexity. Achieving token requestor status with both Visa Token Service and Mastercard Digital Enablement Service requires separate technical certifications, distinct API architectures, and separate commercial agreements, despite delivering the same functional outcome. For merchants with large international card mixes, adding UnionPay tokenisation and American Express SafeKey creates a portfolio management burden that routinely extends implementation timelines from an expected 6 months to over 18 months in practice. Integration teams frequently underestimate the QA cycles required for token lifecycle management — specifically token updates triggered by card reissuance events — which generate silent authorisation failures if not handled correctly.

Total cost of ownership surprises are the second major challenge. Buyers entering this market frequently model only provisioning costs and overlook the operational cost of token lifecycle management infrastructure: webhook handling for token status updates, storage of token-to-PAN mappings for dispute resolution, and the ongoing cost of maintaining token requestor certifications as card networks update their specifications annually. Vendor lock-in is a genuine structural risk at the aggregator layer — platforms that store vaulted tokens on behalf of merchants create switching costs that can reach seven figures when migrating to an alternative processor, because token portability standards across vendors remain immature.

Emerging opportunities worth watching in network tokenisation

Click-to-pay standardisation represents the most commercially significant near-term opportunity for buyers. The EMVCo-backed Click to Pay specification, now supported natively by Visa, Mastercard, and Amex, creates a single guest checkout experience powered by network tokens across all participating merchants. For buyers currently managing separate integrations for each network's express checkout product, Click to Pay consolidation reduces integration complexity and provisioning costs materially. Early adopter merchants including Gap Inc. and Best Buy have reported measurable checkout conversion improvements — a metric that translates directly into procurement ROI calculations when presenting investment cases internally.

Account-to-account payment tokenisation is an emerging category that procurement teams should monitor over a 2–3 year horizon. The UK's Pay.UK and the European Payments Council are exploring token frameworks for open banking payment flows that mirror network tokenisation's security architecture for bank-pull transactions. If these frameworks achieve merchant acceptance scale, they introduce a competing tokenisation procurement layer that could partially displace card network token spend in high-volume recurring billing environments. Buyers who understand the token infrastructure they are building today will be better positioned to evaluate a2a tokenisation investments without duplicating underlying vault and lifecycle management capabilities already in place.

How to evaluate network tokenisation suppliers

The three most critical evaluation criteria specific to this market are token requestor certification breadth, token lifecycle management robustness, and authorisation rate transparency. Certification breadth matters because a supplier certified only with Visa and Mastercard leaves buyers exposed on American Express and UnionPay card volumes — a gap that becomes material for merchants with significant international traffic. Token lifecycle management robustness — specifically the supplier's ability to receive and propagate card account updater events from all connected networks within under 24 hours — directly determines the silent decline rate on stored credential transactions. Any supplier unable to provide documented SLA metrics on token update propagation latency should not advance past RFP stage. Authorisation rate transparency requires suppliers to provide per-BIN, per-network tokenised versus non-tokenised authorisation rate benchmarks from their existing merchant base, not aggregate claimed improvements.

The most common evaluation mistake buyers make is treating network tokenisation as a commodity service and selecting suppliers on price per token provisioning event alone. This systematically underweights lifecycle management quality, which is where performance divergence between suppliers becomes operationally visible — typically 6–9 months post-deployment when renewal-triggered token failures begin accumulating in subscription billing environments. A supplier that looks strong on paper but underdelivers invariably has weak webhook reliability, inadequate network specification change management, and no dedicated implementation engineering support for certification cycles. Buyers should require reference checks specifically from merchants who have undergone at least one major network specification update cycle with the supplier — that experience reveals true operational capability far more accurately than pre-sales certification claims.

Market at a Glance

Regional demand: Where network tokenisation buyers are

North America is the most mature demand region, driven by the high card-not-present transaction volume of US e-commerce and the aggressive tokenisation roadmaps published by Visa and Mastercard for their US issuer and merchant base. US buyers have the broadest supplier choice and the most competitive pricing at the intermediary layer. Europe is the fastest-growing region, with PSD2 strong customer authentication requirements and the European Banking Authority's ongoing regulatory technical standards compelling card-on-file merchants to adopt token-based transaction credentials to satisfy SCA exemption frameworks. The UK market specifically is seeing accelerated token adoption as merchants seek to reduce friction from SCA challenges on recurring transactions.

Asia Pacific presents the most procurement complexity of any region. Payment ecosystems in Southeast Asia operate across card rails, domestic debit schemes, and wallet networks simultaneously, meaning token requestor strategies must accommodate Visa and Mastercard tokenisation alongside local network specifications in markets including Thailand, Indonesia, and the Philippines. Australia's NPP real-time payment infrastructure and India's RuPay token framework introduce region-specific procurement requirements that global token aggregators do not uniformly support. The Middle East and Africa region is early-stage but growing, with Saudi Arabia's Vision 2030 digital payments initiative and Nigeria's Central Bank digital payment expansion programmes creating structured demand from government-adjacent payment infrastructure buyers that procurement teams targeting this region should engage proactively.

Leading Market Participants

• Visa
• Mastercard
• American Express
• Thales Group
• Giesecke+Devrient
• Spreedly
• Basis Theory
• TokenEx
• Very Good Security (VGS)
• Rambus (acquired by Visa)

What comes next for network tokenisation

Over the next 3–5 years, three changes will materially affect procurement strategy. First, EMVCo's push toward universal token interoperability — allowing a single provisioned token to be valid across multiple networks — will shift competitive differentiation away from provisioning and toward value-added services including fraud scoring, token-linked loyalty, and real-time spend analytics. Buyers who have locked into proprietary token vault architectures will face renegotiation leverage challenges as interoperability reduces switching costs and new intermediary entrants compete on analytics capability rather than token management alone. Second, AI-driven dynamic token risk scoring is being piloted by Mastercard and Visa to replace static token-domain restrictions, meaning token authorisation behaviour will become adaptive rather than rule-based — changing how buyers configure and audit their token environments.

The practical implication for buyers is to resist long-term proprietary vault commitments exceeding three years until interoperability standards from EMVCo mature into commercially available implementations, expected between 2026 and 2028. Buyers should instead negotiate contract terms that explicitly preserve token portability rights and include data export SLAs in vendor agreements signed today. Simultaneously, procurement teams should begin internal capability building around token analytics consumption — specifically integrating token-level authorisation data into existing payment operations dashboards — so that when network-provided token intelligence services become commercially available, the organisation is positioned to derive immediate value rather than requiring a further implementation cycle.

Market Segmentation

By Component

• Token Provisioning Services
• Token Lifecycle Management
• Token Vault Solutions
• Authentication and Cryptogram Services
• Analytics and Reporting
• Professional and Integration Services

By End User

• Large Merchants and Retailers
• Payment Service Providers
• Digital Wallet Operators
• Financial Institutions and Issuers
• Subscription and Recurring Billing Platforms
• Embedded Finance Platforms

By Transaction Channel

• E-commerce and Card-Not-Present
• Mobile In-App Payments
• Contactless and NFC
• Recurring and Stored Credential
• Click-to-Pay and Express Checkout

By Deployment Model

• Direct Network Integration
• Token Requestor Aggregator Platform
• Cloud-Hosted Token Vault
• Hybrid On-Premise and Cloud

Frequently Asked Questions

Q1. What is the difference between network tokenisation and gateway tokenisation ▼

Network tokens are issued and validated by the card network itself, carrying dynamic cryptograms that the issuer authenticates at authorisation — delivering higher approval rates than static gateway tokens. Gateway tokens replace card data only within a single processor's environment and provide no network-level authorisation performance benefit.

Q2. How long does network tokenisation implementation typically take ▼

A direct integration with a single card network's token service typically requires 6 to 12 months including certification, testing, and production deployment. Using a token requestor aggregator platform can compress timelines to 8–16 weeks, though this introduces a third-party dependency into the payment stack.

Q3. What pricing model should buyers expect from token intermediary platforms ▼

Most intermediary platforms price on a per-token provisioning event basis, with additional fees for token lifecycle management API calls and vault storage above included thresholds. Buyers with high card-on-file volumes should model total cost across provisioning, update events, and storage rather than evaluating provisioning unit cost alone.

Q4. How does network tokenisation affect PCI DSS compliance scope ▼

Network tokenisation reduces PCI DSS compliance scope by removing Primary Account Numbers from merchant systems, since tokens are not card data under PCI Council definitions. However, merchants must still maintain PCI compliance for any environment where PANs transit prior to tokenisation, including initial card capture flows.

Q5. Can tokens provisioned by one network be used across other networks ▼

Currently, Visa Token Service tokens are not valid on Mastercard rails and vice versa — each network issues tokens bound to its own scheme. EMVCo is developing cross-network token interoperability standards, but commercial availability is not expected before 2027 at the earliest.