Network Tokenisation
What is Network Tokenization?
Network tokenization is the process of replacing sensitive card details (like PAN) with a unique, merchant-specific token issued and managed by card networks (Visa, Mastercard, etc.). These tokens can be safely used in transactions and stored without increasing PCI scope.
As more issuers and networks prioritize token-first infrastructure, network tokenization is rapidly becoming the standard for secure and high-converting card payments globally.
A network token is scoped to a Merchant, Customer & Token Requestor ensuring a more secure payment experience. Every entity to the left of Network will transact using a token and the entities to the right will have card details. Each token is also unique to the Network provider.
Key Advantages for Merchants:
- Reduced Security Vulnerability: By using network tokens instead of sensitive card information, you minimize the impact of data breaches, as the network token is specific to a merchant and is of no use to malicious actors. This helps you maintain customer trust and avoid the financial and reputational damage associated with security incidents.
- Up-to-date Cardholder Information: Tokenization automatically updates cardholder information if the card is lost, expired, or reissued. This ensures uninterrupted recurring payments, increasing customer retention and reducing payment disruptions.
- Improved Authorization Rates: Transactions using network tokens are considered more authentic by networks due to richer metadata. This leads to fewer declines and significantly improves your authorization rates by up to 3-5%
- Reduced Fraud: Network tokens are less prone to frauds and have been shown to reduce fraud by up to 26%, which means fewer chargebacks and losses for your business, ultimately improving your bottom line.
- Simplified Compliance: With tokenization, your business doesn't need to store sensitive card data, reducing the scope and cost of compliance efforts.
- Reduced Interchange costs: Networks in certain geographies provide interchange cost savings to merchants up to 10bps in case of using network tokenization
Supported Networks via OrchestratorX
Currently supported: Visa, Mastercard, American Express
(Additional networks may be added based on merchant needs and network readiness.)
OrchestratorX as Token Requestor / Token Service Provider
OrchestratorX is certified as both a Token Requestor (TR) and Token Service Provider (TSP). This means:
- As a Token Requestor, we initiate token provisioning with card networks on your behalf.
- As a TSP, we securely manage token lifecycle events: provisioning, detokenization, refresh, suspension, and deletion.
OrchestratorX's tokenization suite is capable of handling the complete token lifecycle management. We've issued more than 150 million network tokens globally.
By leveraging OrchestratorX's infrastructure through OrchestratorX, you get seamless access to tokenization features without having to integrate with each network independently or worry about certifications.
Bring your own Token Requestor credentials
We also offer you the flexibility to bring your own Token Requestor credentials and configure them within our system so that all network tokenization requests are made using your own credentials. This could ensure better control, compliance alignment, and consistency across your systems.
OrchestratorX: Network Tokenization Support Modes
OrchestratorX supports three distinct Network Tokenization flows, depending on how you're integrated:
1. Network Tokenization during Payments (via OrchestratorX Orchestration)
When you process payments using OrchestratorX's orchestration layer, you can perform tokenized payments directly - OrchestratorX handles provisioning and using the network token dynamically at payment time. We also take care of optimizing authorization rates and latency by switching between network tokens and clear PAN.
2. Network Tokenization during Vaulting (via OrchestratorX Vault service)
You can network tokenize cards at the time of storage in OrchestratorX's Vault service. These network tokens can later be used for recurring payments, subscriptions, or one-click checkouts in combination with NTID or cryptogram.
3. Standalone Network Tokenization API Service
Use OrchestratorX's standalone Network Tokenization API service to provision, manage, or detokenize network tokens - without using OrchestratorX's payment orchestration or vault services.
1. Network Tokenization during Payments (via OrchestratorX Orchestration)
No changes required to your PSP integrations — OrchestratorX handles the token lifecycle, retries, and PAN fallback automatically.
In this flow:
- OrchestratorX dynamically provisions a network token at the time of payment.
- The network token is used in real-time to complete the transaction.
- If a payment fails when using Network token due to Network token specific errors, OrchestratorX silently retries the payment using Clear PAN + CVW/NTI to optimize for higher authorization rates
- OrchestratorX also optimizes for latency by falling back to Clear PAN + CVW/NTI
Flow Summary:
%%{init: {
"theme": "base",
"themeVariables": {
"primaryColor": "#ffffff",
"primaryBorderColor": "#2563EB",
"lineColor": "#2563EB",
"secondaryColor": "#EFF6FF",
"tertiaryColor": "#DBEAFE",
"fontFamily": "Inter, system-ui, sans-serif",
"fontSize": "14px",
"textColor": "#000000",
"actorBkg": "#346DDB",
"actorBorder": "#999999",
"actorTextColor": "#ffffff",
"signalColor": "#000000",
"signalTextColor": "#696969",
"labelBoxBkgColor": "#346DDB",
"labelBoxBorderColor": "#2563EB",
"loopTextColor": "#000080"
}
}}%%
sequenceDiagram
participant MS as Merchant Server
participant UI as OrchestratorX UI/Checkout
participant HS as OrchestratorX Server
participant HV as OrchestratorX Vault
participant CN as Card Network
participant PSP as PSP
rect rgb(240, 240, 240)
Note over MS,PSP: Setup
Note over MS,HS: Enable NT on orchestration account
Note over MS,HS: Choose OrchestratorX TR ID or bring your own
end
rect rgb(240, 240, 240)
Note over MS,PSP: During Checkout
Note over UI: End user enters card details
UI->>HS: Submit card details
HS->>CN: Request network token
CN-->>HS: Return token + cryptogram (if eligible)
alt Tokenization successful
HS->>PSP: Send network token + cryptogram
PSP-->>HS: success_response
else Tokenization failed / Payments using Tokenization failed
HS->>PSP: Send clear PAN + CVV
end
alt Card to be stored
HS->>HV: Store network token (and optionally PAN)
HS-->>UI: Return token (optional)
end
end
- You enable Network tokenization on your OrchestratorX orchestration merchant account by reaching out to our support team.
- You can either bring your own TRID or use OrchestratorX's TRID to request network tokens
- The end user enters their card details on your checkout
- OrchestratorX provisions a network token and cryptogram if the card is eligible for tokenization
- If tokenization succeeds, OrchestratorX passes the network token + cryptogram to the PSPs for payments processing
- If tokenization fails, OrchestratorX uses clear PAN + CVV to process payments through the PSPs
- If the end user had agreed to store the card, the Network token is stored in OrchestratorX vault and optionally, the token can be returned to the merchant for future use
How to Try:
Contact our support team to enable Network Tokenization on your merchant account and receive access. You can test tokenized payment flows in sandbox before going live.
2. Network Tokenization during Vaulting (via OrchestratorX Vault)
In this flow:
- You integrate with OrchestratorX's standalone Vault service.
- Card details are securely captured and stored alongside PSP tokens and network tokens
- These tokens can be used across multiple gateways via your own payments setup or OrchestratorX by retrieving them along with cryptogram every time you intend to make a payment
Flow Summary:
%%{init: {
"theme": "base",
"themeVariables": {
"primaryColor": "#ffffff",
"primaryBorderColor": "#2563EB",
"lineColor": "#2563EB",
"secondaryColor": "#EFF6FF",
"tertiaryColor": "#DBEAFE",
"fontFamily": "Inter, system-ui, sans-serif",
"fontSize": "14px",
"textColor": "#000000",
"actorBkg": "#346DDB",
"actorBorder": "#999999",
"actorTextColor": "#ffffff",
"signalColor": "#000000",
"signalTextColor": "#696969",
"labelBoxBkgColor": "#346DDB",
"labelBoxBorderColor": "#2563EB",
"loopTextColor": "#000080"
}
}}%%
sequenceDiagram
participant MS as Merchant Server
participant UI as OrchestratorX UI SDK
participant HV as OrchestratorX Vault Server
participant CN as Card Network
participant PSP as PSP
Note over MS,HV: Sign up for Standalone Vault
Note over MS,HV: Initiate payment method session with Network Tokenization request
alt Using UI SDK
Note over UI: End user enters card details
UI->>HV: Send card details securely
else Using Server API
MS->>HV: Send card details (S2S)
end
HV->>CN: Provision network token
CN-->>HV: Token + cryptogram
HV->>PSP: Tokenize with PSP
PSP-->>HV: Return PSP token + NTI (if any)
Note over HV: Store PAN + network tokens + PSP tokens
HV-->>MS: Return NT + cryptogram + PSP tokens + NTI
rect rgb(240, 240, 240)
Note over MS,PSP: Later usage
MS->>HV: /retrieve_payment_method
HV-->>MS: Return NT + cryptogram
MS->>PSP: Use NT + cryptogram or NTI to process payments
end
- Merchant signs up for OrchestratorX's standalone vault service and requests network tokenization in every payment method session create request
- Card details are captured from the end users via OrchestratorX's PCI-compliant UI SDK or merchant passes them using the Server to Server APIs.
- OrchestratorX provisions a network token and stores it securely along with the card details if the merchant chooses to vault clear PAN in OrchestratorX vault
- The network token along with PSP tokens and NTI (if returned by the PSP) is passed back to the merchant
- Token can be retrieved later by the merchant along with cryptogram using the Retrieve payment method endpoint
- Merchant can use the retrieved Network token + cryptogram or NTI to process payments later through their own payments system
How to Try?
Contact our support team to enable Network Tokenization on your merchant account and receive access. You can test tokenized payment flows in sandbox before going live. You can learn more and try out our Vault service here.
3. Standalone Network Tokenization Service (via OrchestratorX Tokenization service)
This is a lightweight, standalone integration when you:
- Already have your own PCI compliant vault or orchestration system but want to add Network Tokenization for better auth rates and lower costs
- You only want to use OrchestratorX to provision and manage network tokens
Flow Summary:
%%{init: {
"theme": "base",
"themeVariables": {
"primaryColor": "#ffffff",
"primaryBorderColor": "#2563EB",
"lineColor": "#2563EB",
"secondaryColor": "#EFF6FF",
"tertiaryColor": "#DBEAFE",
"fontFamily": "Inter, system-ui, sans-serif",
"fontSize": "14px",
"textColor": "#000000",
"actorBkg": "#346DDB",
"actorBorder": "#999999",
"actorTextColor": "#ffffff",
"signalColor": "#000000",
"signalTextColor": "#696969",
"labelBoxBkgColor": "#346DDB",
"labelBoxBorderColor": "#2563EB"
}
}}%%
sequenceDiagram
participant MS as Merchant Server
participant JS as OrchestratorX Server
participant CN as Card Network
participant PSP as PSP
Note over MS,JS: Sign up for Network Tokenization
Note over MS,JS: Choose to use OrchestratorX TR ID or own TR ID
rect rgb(240, 240, 240)
Note over MS,PSP: Token Lifecycle APIs
MS->>JS: /generate_token (PAN, expiry, etc.)
JS->>CN: Provision network token
CN-->>JS: Return network token + cryptogram
JS-->>MS: Return token + cryptogram
MS->>JS: /update_token or /delete_token
CN-->>JS: Webhooks to update token details
end
rect rgb(240, 240, 240)
Note over MS,PSP: Token Retrieval and Usage
MS->>JS: /retrieve_token (token_ref)
JS-->>MS: Return token + cryptogram
MS->>PSP: Use token + cryptogram to make payment
end
- You sign up for OrchestratorX's Network Tokenization service by reaching out to our support team
- You can either use OrchestratorX's TR ID or setup your own TR ID
- You use OrchestratorX's Tokenization APIs to:
- Generate Network Tokens for a given PAN
- Update or delete tokens
- Retrieve Network tokens and cryptogram to make payment through your own payments system
How to Try?
Contact our support to set up your credentials and get access to our Token Provisioning and Cryptogram APIs.