Table of Contents
- Overview
- How does Network Tokenization work?
-
Partner Experience
- Merchant Experience
- Frequently Asked Questions
- Video Tutorial
Overview
Customer Token Vault empowers merchants to securely generate network tokens within the NMI gateway, replacing sensitive card data with dynamic, secure identifiers issued by card networks. Network tokens enhance transaction security, improve approval rates, reduce fraud, and minimize chargebacks, creating a safer and more efficient payment environment. With automatic updates to card details and reduced operational costs, the system streamlines payment processes and optimizes workflows, ensuring merchants maintain robust security and deliver seamless customer experiences.
Features and Benefits
- Enhanced Security: By utilizing tokens instead of primary account numbers (PAN), your merchants’ transactions are shielded against potential breaches, ensuring a safer payment environment and reducing the need for PCI compliance.
- Reduced Costs: Experience lower interchange fees, fewer declines, and minimized chargebacks. For businesses processing high volumes of transactions, even slight reductions in costs can lead to substantial financial savings.
- Seamless Automatic Updates: Automatic updates of card details by the issuing networks mean that the card information on file is always current, reducing declines due to outdated or incorrect card details and thereby improving authorization rates for your merchants.
- Increased Approvals and Reduced Fraud: Decrease fraud rates by 28% and boost approval rates by 4.6%, enhancing overall revenue and reducing fraud-related expenses.
- Minimize Chargebacks: When combined with advanced fraud prevention technologies like EMV 3DS, Customer Vault and Advanced Fraud Prevention powered by Kount, network tokenization also shifts liability for chargebacks, further securing their transactions and reducing the incidence of false declines.
Requirements:
- ONE platform
- Enable Customer Token Vault in the Marketplace Apps
-
Processor integrations must support network tokens.
Supported Processors
Customer Token Vault is only available for merchants using:
- EPX
- FACe - Worldpay Core
- First Data Omaha
- NMI Payments
- TSYS
- Worldpay Core / Vantiv
Please check the Processor Matrix under "Network Tokenization" for the most up to date list.
If your merchant has a different default processor enabled, they will need to manually select a supported processor from the processor drop-down menu to ensure that a token can be generated.
How do network tokens work?
Visa Tokenization
Visa Token Service (VTS) replaces sensitive card information, such as the primary account number (PAN), with a unique digital identifier called a token. This token can be used for transactions instead of the actual card details. The VTS platform ensures that the token can only be used in a specific domain (e.g., a particular merchant or device), enhancing security. When a transaction is made, the merchant submits the token instead of the PAN. Visa maps the token back to the original card details and processes the transaction as usual. Tokens can be updated automatically if the card details change, such as when a card is reissued, ensuring seamless continuity for recurring transactions.
Mastercard Tokenization
Mastercard Digital Enablement Service (MDES) provides a similar tokenization process. It replaces the PAN with a unique token that can be used in place of the card number in transactions. MDES tokens are limited to specific domains, ensuring they can only be used by authorized merchants or devices. During a transaction, the merchant submits the token, and Mastercard maps it back to the original card details for processing. MDES also supports automatic updates of tokens when card details change, minimizing disruptions for cardholders and merchants.
Partner Experience
Offering Customer Token Vault to Merchants
To enable Customer Token Vault, you will need to set Customer Token Vault as "Offered" for your merchant. Log in to your Partner Portal and head over to List Accounts → scroll to the merchant's name from the list or search their name in the search box → click on their name → scroll down to the Value-added Services section → click Update Services → set Customer Token Vault to "Offered" → scroll to the bottom of the page and click Submit.
Once offered, your merchant can log in to their Merchant Portal, enable the service and walk through the application process below in the Enabling Customer Token Vault on a Merchant Account section below.
Activating Customer Token Vault for Merchants
If you have your merchant’s Business ID (e.g. EIN) , DBA Name, and Legal Name available, you can complete the onboarding process for your merchant in your Partner Portal.
First, make sure your merchant is using a supported processor, then Customer Token Vault will be displayed as an option to Sign Up for under Value Added Services on the merchant page in your Partner Portal.
Once you click, Sign Up, you will be directed to the merchant's Customer Token Vault application below where you can fill in the appropriate information for your merchant.
Merchant Experience
Enabling Customer Token Vault from the Merchant Portal
Once offered by their partner, merchants can enable Customer Token Vault directly from the Marketplace Apps through their Merchant Portal.
- Click on Marketplace Apps → Customer Token Vault → Enable
- The Customer Token Vault Application page will show up with the New Fee Schedule Summary where the merchant can click Continue after reviewing the fees and adding any additional services they wish to enable.
-
Most of the merchant's information will be auto-populated under the Application Information section. The merchant will need to enter information about their business to assist with onboarding their Visa and Mastercard brands.
- Once the merchant reviews their information, then can Submit their application.
- The merchant is all set and will see an onboarding confirmation message. They can then adjust the configuration for Customer Token Vault in their portal.
Visa onboarding is nearly instant, but for Mastercard it can take up to 72 hours to onboard (activate) tokens on a merchant account. Partners can check their onboarding status in their Partner Portal under the specific merchant's page. Merchants can check their onboarding status in the Customer Token Vault Configuration section of their Merchant Portal.
Customer Token Vault Configuration
By default, Customer Token Vault is configured to tokenize all Customer Vault, Recurring, and Subscription transactions. To turn on or off certain transaction sources, your merchant will need to go to the Customer Token Vault settings page in Options → Settings → Customer Token Vault (under the "Transaction Settings" section).
Merchants can tokenize transactions through the:
- Virtual Terminal
- Transaction API
- Customer Vault
- Recurring / Subscriptions
- Other (which includes Batch Upload, Collect Checkout, Shopify, QuickClick, SwIPe, QuickBooks, and Authvia)
Frequently Asked Questions
What are network tokens?
Network tokens are unique identifiers generated by card networks to replace sensitive card information like the primary account number (PAN).
How do network tokens work?
Network tokens replace actual card details with a token unique to the card, merchant, and device. This process helps protect the card information during transactions. The token is sent instead of the actual card number, and the card network maps it back to the original card details.
What are the benefits of network tokens?
Enhanced security, reduced costs, seamless updates, increased approvals, and reduced fraud.
Are network tokens different from other types of tokens like NMI Gateway tokens in Customer Vault?
Yes, network tokens are specifically issued and managed by card networks and are different from proprietary tokens generated by payment gateways like NMI. Network tokens are designed to be universally accepted across all merchants and platforms that support them.
Can network tokens be reused for multiple transactions?
Yes, network tokens can be used for multiple transactions and are typically designed for recurring payments, subscriptions, or card-on-file scenarios. This ensures that merchants can process future transactions securely without needing to store actual card details.
Can Network Tokens be used across different credit card processors within the same Gateway?
Yes, tokens will automatically work across all processors (certified for network tokenization) under the same merchant account. The card is tokenized only once, and the same token is used seamlessly for all eligible processors. For example, if an initial transaction occurs on Processor A and subsequent recurring transactions are routed to Processor B, the token remains valid and routing will still work.
What happens if the credit card processor initially tied to the token is closed? Can the token still be used with other processors?
Yes, the token will continue to exist and can still be used with any other eligible credit card processors under the same merchant account within the NMI Gateway.
Can Network Tokens be used across different gateways or transferred to other NMI reseller accounts?
No, network tokens cannot be imported or exported for use with other gateways. Tokens are exclusive to the NMI Gateway and will not work across different NMI accounts, including those managed under separate resellers.
How do network tokens affect transaction fees?
Using network tokens may enhance transaction fees charged by the card networks. However, it can lead to indirect cost savings by reducing fraud-related losses and potentially improving authorization rates.
How do network tokens improve the customer experience?
Network tokens allow for a smoother and more secure checkout process, particularly for recurring payments and subscriptions. Customers do not need to re-enter their card details, and the enhanced security measures provide greater peace of mind.
What happens if a token is compromised?
If a network token is compromised, the card network can easily deactivate it and issue a new token without needing to change the actual card details, simplifying the management of potential security breaches. The cryptogram plays a crucial role in this process. Even if a token (which resembles a credit card number) is compromised, the cryptogram ensures that the transaction fails if someone tries to use the token with any other merchant. Think of the token as a treasure chest containing the card number, and the cryptogram as the unique key that unlocks it.
How do I start using the Customer Token Vault?
To start using Customer Token Vault, you need to determine if your merchant’s processor supports card network tokenization, set the Customer Token Vault Extension to Offered in the Partner Portal for your merchants, then either enable Customer Token Vault for your merchants or have them enable it in their Merchant Portal.
How do partners enable network tokens for their merchants?
Network Tokens are available on supported processors using Customer Token Vault. Partners can enable the Customer Token Vault, which is an extension in the Marketplace Apps (Value Added Services).
My merchant uses the Customer Vault, how can they upgrade to Customer Token Vault?
Partners can upgrade a merchant to Customer Token Vault under the merchant's Value Added Services. Merchants can upgrade to Customer Token Vault in their Marketplace Apps.
Why do I see both “Customer Vault” and “Customer Token Vault” on my Invoice?
When you upgrade to Customer Token Vault, we still bill you for any activity that occurred under your original Customer Vault setup before the upgrade. That’s why you’ll see both “Customer Vault” and “Customer Token Vault” listed on your invoice. The Customer Vault line covers actions taken before the switch, while Customer Token Vault covers activity after the upgrade. This will only be observed in the first invoice cycle after the upgrade.
Why should I continue to use Automatic Card Updater?
Because network tokens aren't supported by all processors, in all regions, or on all networks. In these cases, combining Customer Token Vault and ACU will ensure that credit card information is always up to date on every processor, region, and all networks.
Which NMI platform supports Customer Token Vault?
The ONE platform.
Which processors support Network Tokens?
EPX, FACe - Worldpay Core, First Data Omaha, NMI Payments, TSYS, and Worldpay Core / Vantiv
Please check the Processor Matrix under "Network Tokenization" for the most up to date list.
Are there regional exclusions?
Network Token service can be delivered globally with the exception of the following countries:
-
Russian Federation
-
Burma (Myanmar)
-
Iran
-
Sudan
-
Syria
-
North Korea
This list of non-supported countries can be updated time to time as it is dependent on the payment scheme support and vendor policies.
Can Customer Token Vault be mass enabled for merchants?
Currently, no, it cannot be mass enabled for merchants. A merchant will need to be onboarded individually because of the custom sign-up data required.