Part III: Cards: The Dominant Rail

Chapter 12 — Network Tokens, Vaults & Credentials

How tokenization keeps card numbers safe: FPANs, DPANs, MPANs, provisioning flows, lifecycle management, PAR, and PCI scoping.

When you tapped your card at WhiteBottle Coffee, something quietly brilliant happened behind that satisfying beep. Your real card number — the 16-digit Primary Account Number (PAN) printed on the front of your card — never actually touched WhiteBottle's system. Not their terminal. Not their database. Not their servers.

So what did?

A fake number. A stand-in. A decoy.

And that decoy is the reason your card stays safe.

Part A: The Problem with Plastic

Here's the thing about credit cards: every time you tap, swipe, or type your card details into a website, you're broadcasting your card number to yet another merchant's system. Every coffee shop, every online store, every subscription service — they all get a copy of your PAN.

Now imagine one of those systems gets hacked. Your card number is suddenly floating around the dark web, ready for anyone with bad intentions to use. And this isn't hypothetical — data breaches at major retailers have exposed hundreds of millions of card numbers over the years — the 2013 Target breach alone compromised roughly 40 million.

This is where tokenization comes in, and honestly, it's pretty clever.

Instead of your actual card number bouncing around the internet every time you buy something, modern payment systems swap it out for a token — a randomly generated stand-in number that represents your card but is completely useless on its own. Think of it like a hotel key card. It opens your room, but if someone steals it and tries it at a different hotel? Nothing. It's worthless.

Two Types of Tokens

Not all tokens are created equal. There are two main types you'll encounter in the payments world: network tokens and payment gateway tokens. They solve the same core problem — keeping your real card number hidden — but they work in very different ways.

Network Tokens

When you save your card to Apple Pay, Google Pay, or your favorite shopping app, something sneaky happens. The app doesn't store your actual card number. Instead, the card network — Visa, Mastercard, or whichever scheme the card runs on — generates a network token for that specific use.

That token is what travels through the payment system when you tap your phone at WhiteBottle. Behind the scenes, the card network quietly maps the token back to your actual account. But here's the brilliant part: the merchant never sees your real card number. Ever.

And network tokens come with a powerful bonus. When your card expires, or your bank issues you a replacement after a fraud scare, the network automatically updates the token. You don't have to lift a finger. Your subscriptions keep working. Your saved payment methods stay current. The network handles it all silently.

Here's something worth flagging early: network tokens actually come in two distinct flavors. There are device-scoped tokens (called DPANs) that live on your phone or watch and only work from that specific device. And there are merchant-scoped tokens (called MPANs) that are tied to a specific merchant for things like subscriptions and recurring billing. They behave very differently — and the distinction matters enormously for merchants deciding how to build their payment systems. We'll dig into the full FPAN/DPAN/MPAN taxonomy in Part B of this chapter.

Payment Gateway Tokens

When you save your card directly with a specific merchant or through a payment processor like Stripe or PayPal, they generate their own gateway token for that card. Unlike network tokens that are issued by the card schemes themselves, gateway tokens are created and managed by the payment processor.

They're simpler and cheaper to implement, which is why they're widespread. But they come with a trade-off: gateway tokens only work within that specific payment gateway's ecosystem. And they lack the automatic update magic of network tokens — when you get a new card, the gateway has to lean on slower account-updater services — and where those don't cover you, you're updating your payment info by hand.

If you've ever had a subscription fail after your bank sent you a replacement card, you've felt this limitation firsthand.

How They Compare

FeatureNetwork TokensPayment Gateway Tokens
Issued ByCard networks (Visa, Mastercard, etc.)Payment processors or gateways (Stripe, PayPal, etc.)
Where It's UsedApple Pay, Google Pay, saved cards in appsSaving your card with a specific merchant or processor
ScopeCan work across multiple merchants and platformsOnly works within that specific gateway's ecosystem
How It WorksCard network maps the token back to your real account behind the scenesThe gateway generates and stores a token mapped to your card internally
Security BenefitMerchant never sees your real card numberYour real card number is protected within that gateway's system
Automatic UpdatesYes — updates automatically when your card expires or is replacedNo — you must manually update your payment info
PortabilityPortable across processors — you can switch PSPs without losing tokensLocked to one gateway — switching processors means re-collecting card details
PCI Scope ImpactReduces PCI scope significantly, but tokens that can initiate transactions may still require controlsReduces scope within that gateway's environment, but the gateway itself remains in scope
ImplementationMore sophisticated, tied to card scheme infrastructureSimpler and cheaper to implement
Best ForWallet payments (Apple Pay, Google Pay), cross-platform stored credentials, subscription billingSingle-gateway merchants, quick integration, on-us transaction optimization

Why Stolen Tokens Are Worthless

Loading interactive…

Here's the part that makes tokenization genuinely elegant. Each token is domain-specific — meaning it's tied to a particular merchant, device, or app.

Let's say a hacker breaks into Amazon's database and steals millions of tokens. Those tokens are completely useless anywhere else. They can't take an Amazon token and use it at WhiteBottle, or at any other merchant. The token only works in the context it was created for. Outside that context, it's just a meaningless string of numbers.

This is fundamentally different from stealing actual card numbers. A stolen PAN can be used anywhere that accepts cards. A stolen token can be used nowhere except the system it was already bound to — and even there, additional security layers like device verification and cryptographic checks make fraudulent use extremely difficult.

So when you tapped at WhiteBottle, your real card number stayed locked away, known only to your bank and the card network. WhiteBottle's terminal, their acquiring processor, their entire system — none of them ever saw your actual PAN. They saw a token. And if someone ever compromised WhiteBottle's systems, that token would be worthless to any attacker.

That's how your card stays safe.


Part B: Under the Hood — FPANs, DPANs, MPANs, and the Deep Mechanics of Tokenization

That's the big picture of tokenization — and it's working quietly in the background every time you tap your card. But if you're building payment systems, integrating wallet payments, or architecting a subscription billing platform, the big picture isn't enough. You need to understand the machinery.

If you're a product manager, founder, or curious person who just wanted the intuition — Part A is genuinely enough. You can skip ahead to the next chapter. But if you're an engineer building a payment integration, a payments lead choosing between token strategies, or simply the kind of person who needs to know how the magic trick actually works — this is where it gets interesting.

Because here's what Part A didn't tell you: "network token" isn't one thing. It's actually two very different things, and confusing them will cost you months of integration headaches.

The Three PANs

Every card transaction ultimately involves a Primary Account Number — a PAN. But in a tokenized world, there are three distinct identifiers that can play the PAN role, and each one behaves differently depending on where it lives, who controls it, and what happens when something changes.

Let's meet them.

FPAN: The Real Card Number

The Funding PAN (FPAN) is the number embossed on your physical card — the 16-digit identifier that your issuing bank assigned to your account. It's the "real" number. When you type your card details into a checkout form the old-fashioned way, the FPAN is what travels through the payment chain.

Think of the FPAN like your Social Security number. It's the canonical identifier for your payment account. It works everywhere. And that's precisely the problem — if someone steals it, they can use it anywhere.

FPANs also have an annoying lifecycle quirk: when your bank reissues your card (new expiry date, fraud replacement, upgrade to a premium tier), the FPAN usually changes. Every subscription, every saved payment method, every card-on-file — they all need updating. This is why services like Visa Account Updater and Mastercard Automatic Billing Updater exist: to quietly propagate new FPANs to merchants who stored the old one. But it's a Band-Aid, not a cure.

DPAN: The Device Token

The Device PAN (DPAN) is a token that lives on a specific device — your iPhone, your Android phone, your Apple Watch. When you add a card to Apple Pay or Google Pay, the card network doesn't put your FPAN on the device. Instead, it issues a DPAN: a unique token that represents your card but is cryptographically bound to that specific device's Secure Element — a tamper-resistant chip designed to store secrets.

Think of a DPAN like a hotel key card that only works at one hotel, on one floor, for one room. Take it to a different hotel? Useless. Lose the key card? The hotel (the network) can deactivate it instantly without affecting your actual room reservation (your FPAN).

DPANs come paired with cryptographic keys that generate a unique cryptogram for every transaction. This means even if someone intercepted a DPAN mid-transaction, they couldn't replay it — the cryptogram would be stale. It's one-time-use security on top of device binding.

The trade-off? DPANs are tied to the device lifecycle. Lose your phone, and the DPAN is suspended. Get a new phone, and you re-provision a new DPAN (the old one is deleted). The DPAN doesn't survive device changes — it was never meant to.

MPAN: The Merchant Token

The Merchant PAN (MPAN) is a token scoped to a specific merchant. When a subscription service like Netflix or a card-on-file merchant like Amazon requests a network token for your card, the network issues an MPAN — a token that only works for that merchant, for that use case.

If the DPAN is a hotel key card, the MPAN is more like a gym membership card. It identifies you at that one gym. It doesn't work at any other gym. But unlike the hotel key card, it doesn't care which door you walk in from — you can use it whether you're on your phone, your laptop, or even if you've lost your phone entirely. The MPAN is tied to the merchant, not the device.

And here's the killer feature: MPANs survive card reissues. When your bank sends you a replacement card with a new FPAN, the card network automatically updates the MPAN's underlying mapping. Your subscriptions keep working. No account updater service needed. No failed recurring charges. The network just handles it.

This is why MPANs are increasingly the gold standard for subscription billing and card-on-file storage.

How They Compare

AttributeFPANDPANMPAN
What it isThe "real" card number (Primary Account Number)Device-scoped payment token (replaces FPAN on-device)Merchant-scoped payment token (for recurring and stored credentials)
ScopeGlobal — usable anywhereBound to a specific device or walletBound to a specific merchant
Typical useManual card entry, legacy stored cardsApple Pay, Google Pay — tap and in-app paymentsSubscriptions, recurring billing, card-on-file
PersistenceChanges on reissue (unless account updater kicks in)Tied to device lifecycle — lost phone means suspended tokenSurvives device changes and card reissues
SecurityHighest breach value — the PCI scope driverDevice-bound + per-transaction cryptogramMerchant-bound — useless to any other merchant
Auto-update on reissue?No (requires account updater service)Managed by token lifecycle eventsYes — the network updates the mapping automatically

Provisioning Flows: How Tokens Enter the Ecosystem

Tokens don't just appear. Each type has a distinct provisioning flow — a specific sequence of steps that creates the token, registers it with the network, and delivers it to where it needs to live. Let's walk through each one.

Flow 1: FPAN — Classic eCommerce Authorization

This is the baseline — the world without tokenization. When you type your card number into WhiteBottle's online ordering page, here's what happens:

Notice what's happening: the FPAN travels the entire chain. Every system in that diagram sees your real card number. The merchant's server, the payment processor, the acquirer — they all handle the FPAN. This is exactly why PCI DSS compliance is so demanding for merchants who process raw card numbers. Every system that touches the FPAN is in scope.

Flow 2: DPAN — Provisioning a Card into a Wallet

When you add your card to Apple Pay, a completely different flow kicks in. The goal: get a DPAN onto your device's Secure Element without the FPAN ever living on the device.

The key moment: the Token Service Provider (TSP) — operated by Visa, Mastercard, or another network — generates a DPAN and pairs it with cryptographic keys. These are injected into the device's Secure Element. From this point forward, your phone never knows your FPAN. It only has the DPAN and the keys to sign transactions.

The issuing bank also gets a say — they perform Identification and Verification (ID&V), which might mean sending you a text message, prompting in-app authentication, or calling you. This step ensures that the person provisioning the card is actually the cardholder.

Flow 3: DPAN — Contactless Payment Authorization

Now you're standing at WhiteBottle's counter, phone in hand. You tap. Here's what happens in that split second:

Something remarkable just happened. The merchant's POS terminal received a DPAN — not the FPAN. The acquirer saw a DPAN. It wasn't until the transaction reached the card network that the TSP de-tokenized the DPAN back to the real FPAN so the issuing bank could authorize against the actual account. And the response that came back to the merchant? Re-tokenized. The FPAN never leaked outside the network-to-issuer segment.

The cryptogram is the cherry on top. Even if someone intercepted the NFC transmission and captured the DPAN, they couldn't reuse it — the cryptogram is a one-time signature that the TSP validates. Replay attacks are dead on arrival.

Flow 4: MPAN — Provisioning a Card-on-File

Now let's say WhiteBottle launches a coffee subscription. You sign up and save your card. Behind the scenes, WhiteBottle's payment processor requests a network token for recurring billing:

The critical difference from DPAN provisioning: there's no Secure Element involved. The MPAN is a logical token stored in the merchant's (or their PSP's) vault. It's scoped to WhiteBottle's merchant ID — meaning if that MPAN were stolen and presented by a different merchant, the network would reject it.

Also notice: after this flow completes, WhiteBottle stores the MPAN, not the FPAN. The real card number was used only during the initial tokenization request and then discarded. WhiteBottle's PCI scope just got a lot smaller.

Flow 5: MPAN — Recurring Authorization

A month later, WhiteBottle's billing system charges your subscription. You're not even online — this is an off-session, merchant-initiated transaction:

The flow looks similar to the DPAN transaction, but there's no fresh cryptogram — a merchant-initiated MPAN charge can't generate the per-transaction signature a device does (customer-present MPAN transactions do carry a one-time cryptogram, but the customer isn't here). Instead, security comes from domain controls: the TSP verifies that the merchant presenting the MPAN matches the merchant the token was originally scoped to. Wrong merchant? Transaction rejected.

There's another subtle but powerful difference. If your bank reissued your card last week — new number, new expiry — this transaction still works. The TSP updated the FPAN mapping behind the scenes when the reissue happened. WhiteBottle's billing system didn't need to know, didn't need to re-collect your card, and didn't experience a failed charge. The MPAN is stable even when the underlying FPAN changes.

This is the superpower of merchant-scoped network tokens, and it's why failed recurring payments due to card reissues — one of the biggest drivers of involuntary churn for subscription merchants — are becoming a thing of the past.

Token Lifecycle: What Happens When Life Happens

Tokens aren't permanent. They're living, breathing identifiers that respond to real-world events — a lost phone, a reissued card, a cancelled subscription. Understanding the token lifecycle is essential for anyone building a system that stores or processes tokens, because each lifecycle event has a direct impact on whether your next transaction will succeed or fail.

The Five Lifecycle States

Every token — whether DPAN or MPAN — moves through a set of well-defined states. The card network and its Token Service Provider manage these transitions, but merchants feel the consequences.

StateTriggerExampleWhat Happens to Transactions
ActiveSuccessful provisioningCard added to Apple Pay; MPAN issued to NetflixTransactions process normally
SuspendedDevice reported lost or stolen; issuer risk flagYou mark your iPhone as lost in Find MyTransactions are silently declined — no error message explains why
ResumedDevice recovered; risk flag clearedYou find your iPhone and re-authenticateTransactions start working again — the token is reactivated
ReplacedCard reissued by the bank (new FPAN or expiry)Your bank sends a replacement card after a fraud alertThe TSP updates the token's underlying FPAN mapping; transactions continue
DeletedUser removes card from wallet or merchant; account closedYou delete your card from Apple Pay or cancel your Netflix subscriptionToken is permanently deactivated — any future transaction attempts are declined

How Lifecycle Events Differ by Token Type

Here's where it gets nuanced. The same real-world event — say, your bank reissuing your card — plays out very differently for DPANs and MPANs.

Lost or Stolen Device

For DPANs, this is the scenario they were designed for. When you report a device as lost through Find My iPhone or Android Device Manager, the issuing bank (or the device manufacturer) notifies the card network, which suspends all DPANs on that device. Any tap-to-pay attempt with that device will silently fail. If you find the device and re-authenticate, the DPANs are resumed. If you wipe the device remotely, the DPANs are deleted.

For MPANs, a lost phone has zero impact. The MPAN lives in the merchant's vault (or their PSP's vault), not on the device. Your Netflix subscription keeps charging. Your Amazon card-on-file keeps working. The MPAN doesn't know or care about your phone.

This is one of the key architectural differences between the two token types, and it's why they serve different use cases.

Card Reissue

When your bank issues a new card — new number, new expiry, maybe even a new design — the lifecycle diverges again.

For MPANs, card reissue is almost invisible. The card network's TSP detects the reissue event and updates the MPAN's underlying FPAN mapping. The merchant never knows it happened. Their stored MPAN still works. The next recurring charge goes through as if nothing changed. This is the single biggest reason merchants adopt network tokens for subscription billing — it eliminates the cascade of failed charges that traditionally follows a mass card reissue.

For DPANs, the picture is more complex. If you still have the same device, the TSP typically updates the DPAN's metadata (new expiry date, for example) without requiring re-provisioning. But if you got a new device as part of the reissue event — say, your wallet was stolen along with your phone — you'll need to re-provision the card on the new device, creating a fresh DPAN.

Merchant-Initiated Deletion

When a customer cancels a subscription or removes a saved card, the merchant (or their PSP) should notify the network to delete the associated MPAN. This is good hygiene — it prevents the token from being used after the customer relationship ends, and it's increasingly expected as part of PCI best practices.

For DPANs, deletion is typically cardholder-initiated: you remove the card from your wallet app, and the device notifies the network.

The Silent Failure Problem

Here's a practical gotcha that catches many merchants off guard: when a token is suspended, transactions don't fail with a helpful error code that says "token suspended." They fail with a generic decline. The merchant's retry logic might kick in, attempting the charge again and again, never knowing that the token itself is the problem.

Sophisticated payment platforms handle this by monitoring for specific decline reason codes that hint at token issues and surfacing them to the merchant. But it's an area where the industry still has rough edges.

PAR: The Reconciliation Glue

So now you've got a customer with a DPAN on their iPhone, a DPAN on their Apple Watch, an MPAN at Netflix, another MPAN at Spotify, and maybe a legacy FPAN stored at an older merchant that hasn't adopted network tokens yet. Five different identifiers, all pointing to the same underlying payment account.

How do you know they're all the same customer?

Enter the Payment Account Reference — or PAR.

What PAR Is (and What It Isn't)

PAR is a 29-character alphanumeric identifier assigned by the card network that links all tokens and FPANs associated with a single cardholder account. It's the connective tissue of the tokenized ecosystem.

But here's what makes PAR clever: you can't use it to buy anything. PAR is explicitly non-financial and non-transactable. It can't be submitted in an authorization message. It can't initiate a payment. It exists purely for reconciliation, analytics, and customer identification.

Think of PAR like a loyalty program ID. It tells you that the person who tapped their iPhone at your store this morning is the same person who used their Apple Watch yesterday and who subscribes to your monthly plan. But the loyalty ID itself can't charge anyone — it just connects the dots.

How PAR Links Everything Together

Here's the diagram that makes it click:

One PAR, many tokens. And crucially, the PAR survives card reissues. When your bank sends you a new card with a new FPAN, the PAR stays the same. This means you can track a customer's transaction history across card replacements, device changes, and merchant tokens — all through a single stable identifier.

Where PAR Shows Up

PAR is returned in authorization responses and is available through network APIs. In practice, merchants and their PSPs receive the PAR alongside the token or FPAN in the transaction response. Visa, Mastercard, and other networks include PAR in their token response payloads.

But PAR adoption is still uneven. Not all issuers provide PAR values for every token. Not all PSPs surface PAR to their merchants. And some legacy systems simply don't have a field for it. The trajectory is clear — PAR is becoming standard — but you may encounter gaps in the short term.

What Merchants Can Do with PAR

PAR unlocks several capabilities that are hard or impossible without it:

Loyalty and rewards. When a customer pays with different tokens across channels (phone in-store, card online, watch at the drive-through), PAR lets you recognize them as the same customer and attribute the purchases to one loyalty account.

Fraud analytics. PAR lets you build a transaction history for a customer account even when individual tokens change. If a customer's DPAN was suspended and re-provisioned, PAR connects the old and new transaction streams.

CRM joins. For businesses that merge payment data with CRM systems, PAR provides a stable join key. You can link payment behavior to customer profiles without relying on the FPAN (which changes on reissue) or individual tokens (which are scoped and ephemeral).

Regulatory compliance. Some jurisdictions require merchants to identify and track customers across payment methods for anti-money-laundering purposes. PAR provides a network-endorsed way to do this without storing sensitive card data.

PAR's Limitations

PAR isn't a silver bullet. A few things to keep in mind:

  • PAR is account-level, not card-level. If a customer has two different cards from the same issuer (a personal Visa and a business Visa), they may have different PARs — or in some cases, the same PAR. The behavior varies by network and issuer.
  • PAR is not available for all card types. Prepaid cards, some co-branded cards, and cards from smaller issuers may not have PAR values assigned.
  • PAR should be treated as sensitive data. While it can't initiate a transaction, it can be used to correlate a customer's activity across merchants. Treat it with appropriate data handling controls.

PCI Scoping: Tokens Don't Automatically Get You Off the Hook

If you've been reading this chapter thinking "great, we'll tokenize everything and PCI compliance becomes a non-issue" — slow down. Tokenization dramatically reduces PCI scope, but it doesn't eliminate it. And the nuance matters, because getting this wrong can mean a nasty surprise during your next audit.

The CDE Still Exists Somewhere

PCI DSS defines a Cardholder Data Environment (CDE) as any system component that stores, processes, or transmits cardholder data. When you tokenize, you're moving the CDE — not destroying it.

The token vaults, the Token Service Providers, the systems that perform the initial tokenization (converting FPAN to DPAN or MPAN) — these are all CDE components. They handle raw cardholder data. They must be PCI DSS compliant. The question is who operates them and whether your systems are in or out of scope.

For most merchants using network tokens, the CDE lives at the card network's TSP (Visa Token Service, Mastercard Digital Enablement Service, etc.) and at your PSP. Your systems only see tokens. That's a significant scope reduction — but it's not zero.

Tokens as Payment Instruments

Here's the subtlety that catches people: DPANs and MPANs aren't just random stand-in numbers. They can initiate real transactions. An MPAN submitted with the right merchant credentials will authorize a charge against the underlying account. A DPAN paired with a valid cryptogram will process a payment.

The PCI Security Standards Council draws a distinction between acquiring tokens (used only for post-authorization reference, like a transaction ID) and payment tokens (which can initiate new transactions). DPANs and MPANs are payment tokens. And payment tokens, while not equivalent to FPANs in risk, still require appropriate security controls.

What does that mean in practice? If your system stores MPANs for recurring billing, you need to protect those tokens with access controls, encryption at rest, and audit logging. You probably don't need the full SAQ D questionnaire that you'd face if you stored raw FPANs — but you can't just toss MPANs into an unencrypted database and call it a day.

PCI DSS v4.0.1: What Changed

PCI DSS v4.0 introduced several future-dated requirements that became effective in March 2025 (v4.0.1, the current revision, carried them forward unchanged). The ones most relevant to tokenization:

  • Targeted risk analysis for any customized security approach — if you're arguing that your token storage is out of scope, you need documented analysis backing that claim.
  • Enhanced cryptographic requirements — stronger key management standards that affect token vaults and HSMs.
  • Automated mechanism requirements for detecting and alerting on unauthorized changes to payment page scripts — relevant if you're doing client-side tokenization (like Stripe Elements or Braintree Hosted Fields).

The bottom line: don't make scoping assumptions on your own. Work with your Qualified Security Assessor (QSA) and your acquirer to validate exactly what's in and out of scope for your specific token architecture.

The Practical Scoping Checklist

When evaluating your PCI scope with tokenization, ask these questions:

  1. Does your system ever see the FPAN? Even briefly during initial tokenization? If yes, that system is in CDE scope.
  2. Do you store tokens that can initiate transactions? MPANs and gateway tokens that can charge a customer need security controls.
  3. Who operates the token vault? If it's your PSP, their PCI attestation covers the vault — but you need to verify they're compliant and that your integration doesn't inadvertently bring the FPAN into your environment.
  4. Are you doing client-side tokenization? If the customer's browser sends card data to a PSP's JavaScript library that returns a token, your server never sees the FPAN. But PCI DSS v4.0.1 requires you to monitor those client-side scripts for tampering.

Choosing Your Token Strategy: A Merchant Decision Framework

So you understand the token types, the lifecycle, the PCI implications. Now the practical question: which token strategy should you use?

The honest answer is that most merchants will use a combination. But here's a framework to guide the decision:

Your ScenarioRecommended StrategyWhy
Retail store adding Apple Pay and Google PayDPAN (comes automatically with wallet acceptance)You don't need to do anything — the wallet handles provisioning. You get per-transaction cryptograms and reduced PCI scope as a bonus.
Subscription service with recurring billingMPAN (network token for card-on-file)MPANs survive card reissues automatically. No more failed subscription charges when customers get new cards. Reduces involuntary churn.
Marketplace or platform migrating between payment processorsNetwork tokens (MPAN) — avoid proprietary gateway tokensMPANs are portable across PSPs because they're issued by the card network, not the gateway. Switching processors doesn't mean re-collecting every customer's card.
Low-volume merchant, simple checkout, single PSPGateway/PSP tokens — simpler and cheaperIf you're not planning to switch processors and don't have recurring billing, gateway tokens give you tokenization benefits with less integration complexity. Accept the portability trade-off.
Omnichannel retailer (online + in-store + app)MPAN + DPAN combination with PAR for reconciliationDPANs handle in-store tap payments. MPANs handle online card-on-file. PAR connects the customer across both channels for unified loyalty and analytics.
Enterprise with multi-acquirer setupNetwork tokens (MPAN) across all acquirersNetwork tokens work regardless of which acquirer routes the transaction. This gives you routing flexibility without token portability concerns.

A few things this table can't capture:

Cost. Network tokens typically don't have per-token fees from the networks themselves, but your PSP may charge for token management features. Gateway tokens are usually included in your PSP's standard pricing. Do the math for your volume.

Issuer support. Not all issuers support MPAN provisioning for all card types. In some markets, requesting an MPAN may silently fall back to a DPAN or fail entirely. Your PSP should be able to tell you their token approval rates by issuer.

Interchange benefits. Some networks offer reduced interchange rates for transactions using network tokens, because tokenized transactions have lower fraud rates. At scale, this can offset any integration costs and then some.

WhiteBottle Coffee: Three Scenarios That Tie It All Together

Let's return to WhiteBottle Coffee — the small chain we've been following since Part A. They've grown. They have 15 locations, a mobile app, and an online store. Their payments lead, Maria, is making token strategy decisions. Here's how it plays out.

Scenario A: WhiteBottle Enables Apple Pay

Maria's first move is simple: accept Apple Pay and Google Pay at the counter. She works with her payment terminal provider to enable NFC contactless payments.

From a token perspective, Maria doesn't have to do anything about DPANs. When a customer taps their iPhone, the DPAN was already provisioned onto their device when they added their card to Apple Pay. The DPAN flows through WhiteBottle's terminal to their acquirer, gets de-tokenized at the network, and the issuer authorizes against the FPAN. WhiteBottle's terminal never sees the real card number.

The result: WhiteBottle's PCI scope for in-store payments just got smaller. Their terminals handle DPANs and cryptograms instead of raw FPANs. And customers get faster checkout — Face ID plus a tap is quicker than dipping a chip card and waiting for the terminal.

Token type in play: DPAN (device-scoped, comes "for free" with wallet acceptance)

Scenario B: WhiteBottle Launches a Coffee Subscription

Business is good. Maria launches "WhiteBottle Monthly" — a $29.99/month subscription that ships a bag of beans to your door. Customers save their card during sign-up.

Maria's PSP (let's say it's Stripe) supports network tokenization. When a customer saves their card, Stripe requests an MPAN from the card network. The FPAN is used once for the tokenization request, and then Stripe stores only the MPAN. WhiteBottle's system never touches the FPAN at all.

Three months in, several customers get replacement cards from their banks. In the old world, those subscriptions would fail on the next billing cycle, and Maria's team would need to email customers asking them to update their payment info. With MPANs, the card network silently updates the token mapping. The billing runs. Every charge goes through.

Maria checks her metrics: involuntary churn from payment failures dropped 40% after the MPAN rollout.

Token type in play: MPAN (merchant-scoped, survives card reissues)

Scenario C: WhiteBottle Switches Payment Processors

A year later, WhiteBottle is processing enough volume that Maria finds a better deal with a different payment processor. She starts the migration.

Here's where Maria's earlier decisions pay off — or don't.

The in-store DPANs? No migration needed. DPANs are device-scoped and flow through whatever terminal and acquirer WhiteBottle uses. Switch processors, and taps keep working.

The subscription MPANs? Because they're network tokens issued by Visa and Mastercard (not by Stripe), Maria can migrate them to the new processor — though "portable" doesn't mean "effortless." Because the tokens belong to the network rather than to Stripe, her new PSP can be set up as a token requestor for the same cards, and billing continues without asking customers for anything.

But there's a catch. WhiteBottle's mobile app also had a "Pay in App" feature that used Stripe's proprietary gateway tokens for one-time orders. Those tokens don't port. They only work within Stripe's ecosystem. Maria needs to prompt every app customer to re-enter their card details so the new processor can create fresh tokens.

It's a headache. About 30% of app customers don't bother re-entering their cards, and WhiteBottle loses them. Maria makes a mental note: next time, use network tokens everywhere, not just for subscriptions.

Token types in play: MPAN (portable, migrated successfully), gateway tokens (not portable, caused customer loss)


Tokenization started as a simple idea: don't let merchants see real card numbers. But as we've seen, the reality is a rich ecosystem of token types, provisioning flows, lifecycle management, and strategic trade-offs. The key takeaways:

  • FPAN is the real card number — powerful but dangerous.
  • DPAN protects in-store and in-app payments with device binding and per-transaction cryptograms.
  • MPAN protects recurring billing and card-on-file with merchant scoping and automatic reissue updates.
  • PAR ties it all together for reconciliation and analytics.
  • PCI scope shrinks with tokenization, but doesn't vanish — validate your assumptions with your QSA.
  • Choose network tokens when you need portability and resilience. Choose gateway tokens when simplicity and cost matter more.

Tokenization handles the security of card credentials. But what happens when things go wrong — when a cardholder disputes a charge, when fraud slips through, or when a merchant needs to fight back against a chargeback? In the next chapter, we'll explore chargebacks, fraud, and disputes — the dispute lifecycle that can reverse any card payment, even months after settlement.

What Comes Next

Tokenization protects the credential — the card number itself. But no amount of tokenization protects a merchant from the transaction being contested. The cardholder can still open their banking app, point at a charge, and say: that wasn't me. Or: that wasn't what I ordered.

In the next chapter, we follow the money backward — through chargebacks, representment, and friendly fraud — and answer the question every merchant eventually asks: who really pays when a transaction goes wrong?

Sources

  • EMVCo Payment Tokenisation Specification — Technical Framework
  • PCI SSC Tokenization Guidelines (2011) and TSP Security Requirements
  • Visa Token Service (VTS) documentation and best practices
  • Mastercard Digital Enablement Service (MDES) documentation
  • Apple Pay Security Overview and Merchant Integration Guide
  • Google Pay device tokenization documentation
  • PCI DSS v4.0.1 — Payment Page Security Requirements
The Money AtlasChapter 12 — Network Tokens, Vaults & Credentials