Overview of Network Tokenization for REST 2.0
Network tokenization replaces static Primary Account Numbers (PANs) with dynamic, merchant-specific tokens issued by schemes such as Visa and Mastercard. Each token is tied to a specific merchant and often contextually bound via network metadata, ensuring the token only works within the intended context. As a result, even if a card expires, is replaced, or reissued, the token remains valid and ensures uninterrupted recurring payments for stored-card transactions.
Many tokenized transactions, especially those initiated by cardholders, are secured with a cryptogram – a one-time, scheme-generated encrypted value. The cryptogram includes data such as the token, merchant ID, transaction details, and other contextual information. It is validated by the card issuer during authorization. Without a valid cryptogram, the transaction is declined, even if the token itself is valid. This mechanism helps prevent misuse, replay fraud, and unauthorized transactions.
Together, tokens and cryptograms provide business benefits:
- Improved approval rates – Dynamic, scheme-issued tokens maintain issuer trust, reduce declines, and boost payment success.
- Enhanced security – Tokens replace sensitive PANs. One-time cryptograms guard against replay fraud, leading to fewer fraud incidents and chargebacks.
- Reduced processing costs – Tokenized transactions may have lower interchange fees in certain regions, thus reducing the expense of false declines and fraud mitigation.
- Improved cash flow stability – Fewer disputes mean more predictable revenue and increased confidence for both merchants and cardholders.
- Streamlined compliance – Network tokens eliminate the need to store PANs, reducing PCI DSS audit scope and easing compliance efforts.
Major card networks are transitioning to universal tokenization making token use the expected global standard. Nuvei supports the shift both as a direct acquirer (Visa/Visa Token Service [VTS]), Mastercard/Mastercard Digital Enablement Service [MDES]) and as a Payment Service Provider (PSP) through regional acquirers such as Barclays, WorldPay, and AIB. Whether Nuvei’s direct channels or PSP partners are used, tokenized payments are fully supported and processed within Nuvei’s secure infrastructure.
Internal Network Token
Nuvei’s Internal Network Token solution streamlines card-based transactions by handling the entire token lifecycle while allowing merchants to continue using standard PANs. When a transaction is initiated and no token exists in Nuvei’s database, the transaction proceeds using the PAN. Nuvei then conducts an initial fraud check and only if the transaction is assessed as low risk does Nuvei request and store a network token from the card scheme. The flow ensures that tokens are issued solely in secure, compliant scenarios.
Once a token exists, all future payments are routed using the network token and the token’s one-time, scheme-generated cryptogram. Tokens are automatically updated if a card is reissued or expires, maintaining payment continuity for subscriptions and stored card use without disruption to the merchant or customer. As a direct acquirer for Visa and Mastercard, and with a Payment Service Provider (PSP) through providers such as Barclays, WorldPay, and AIB, Nuvei processes network token transactions through its global and partnered acquiring infrastructure.
External Network Token
The External Network Token model empowers merchants to provision and manage tokens using services such as VTS, MDES, or third-party providers. Tokens and one-time cryptograms are sent to Nuvei via REST API v1.0. Nuvei, acting as the processor and optionally as the acquirer (Visa/Mastercard) or through PSPs (Barclays, WorldPay, AIB), validates and processes token-based transactions while the merchant retains control over token lifecycle events.
Cryptogram Requirements
Each cryptogram is unique to a single payment transaction and cannot be reused, regardless of whether the transaction is approved or declined. This one-time-use cryptogram is generated to verify and secure that specific transaction alone. Even if the network token itself remains the same, a new cryptogram must be provided by the merchant for every subsequent transaction attempt. This process protects against unauthorized reuse, reinforcing the security and integrity of tokenized payments.
For a customer-initiated transaction (CIT), cryptograms are mandatory for Sale and Auth. For a merchant-initiated transaction (MIT), cryptograms are needed on the first authorization or if the merchant is enrolled in an Account Funding Transaction (AFT) program.
External Network Token to PAN Cascading
To maximize authorization success, Nuvei supports External-Network-Token-to-PAN cascading. If a merchant submits both network token details and a PAN in the same request, Nuvei first attempts the token transaction. If the scheme or issuer declines the attempt and cascading conditions are met, Nuvei automatically retries the authorization using the PAN. This dual approach not only strengthens fraud protection through network-issued tokens and cryptograms, but also minimizes failed transactions via fallback.
Network Tokenization Comparison
| Feature | Internal Network Token | External Network Token | Network Token as a Service | ||||
|---|---|---|---|---|---|---|---|
| Token Requestor | Nuvei (via VTS/MDES*) | Merchant or third-party | Nuvei (via VTS/MDES*) | ||||
| Lifecycle management | Fully managed by Nuvei | Done externally | Fully managed by Nuvei | ||||
| Endpoint integration | Cashier / REST API 2.0 | REST API 2.0 | REST API 2.0 | ||||
| Token to PAN cascading | Yes | Yes | Not relevant | ||||
| PCI data scope | Low | Medium | Low with on-demand option High with Merchant-Managed option |
||||
| Acquirer support | Nuvei direct acquiring, AIB, WorldPay, Barclays | Nuvei direct acquiring, AIB, WorldPay, Barclays | Not relevant | ||||
| Target merchant | Full-service merchant | Advanced merchant | Advanced merchant | ||||
| *Visa Token Service (VTS); Mastercard Digital Enablement Service (MDES) | |||||||
Examples
Payment (Deposit)
When the merchant provides the network (card scheme) token and the cryptogram, include the following in the /payments request:
- networkToken class containing:
expirationMonth– The network token’s expiration month.expirationYear– The network token’s expiration year.- tokenNumber – Alternative to the Primary Account Number (PAN) and unique to each shopper-merchant pairing.
cryptogram– (optional)tokenAssuranceLevel– (optional) Value indicating the confidence level of the token-to-Account-PAN binding.tokenRequestorId– (optional) Identifies the token requestor.
Example Non-3DS /payments Request
{
"processingEntityId": "<<your processing entity id>>",
"amount": 10.5,
"currency": "USD",
"transactionType": "Sale",
"paymentOption": {
"store": "buyerToken",
"networkTokens": {
"tokenNumber": "4000020951595032",
"expirationMonth": "12",
"expirationYear": "28",
"cryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU",
"tokenAssuranceLevel": "3",
"tokenRequestorId": "2"
}
},
"custom": {
"description": "Some description"
},
"deviceDetails": {
"ipAddress": "<customer's IP address>",
"browser": {
"acceptHeader": "Y",
"userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36",
"javaEnabled": "true",
"language": "en-US",
"colorDepth": "24",
"screenHeight": "1080",
"screenWidth": "1920",
"timeZone": "0",
"javaScriptEnabled": "true"
}
},
"buyerDetails": {
"buyerId": "",
"firstName": "John",
"lastName": "Smith",
"companyName": "Nuvei Corp",
"dateOfBirth": "1978-06-27",
"email": "[email protected]",
"phone": "6175551414",
"billingAddress": {
"address": "22 Main Street",
"zip": "02460",
"city": "Boston",
"countryCode": "US",
"phone": "6175551414",
"addressMatch": "true"
},
"shippingAddress": {
"sameAsBilling": "true",
"address": "22 Main Street",
"zip": "02460",
"city": "Boston",
"countryCode": "US",
"phone": "6175551414"
}
}
}
Payout (Withdrawal)
When the merchant provides the network (card scheme) token and the cryptogram, include the following in the /payouts request:
networkTokenclass containing:expirationMonth– The network token’s expiration month.expirationYear– The network token’s expiration year.
tokenNumbertokenAssuranceLevel(optional)tokenRequestorId(optional)
Example /payouts Request
{
"processingEntityId": "123e4567-e89b-12d3-a456-426614174000",
"amount": 60,
"currency": "EUR",
"paymentOption": {
"networkTokens": {
"tokenNumber": "4000020951595032",
"expirationMonth": "12",
"expirationYear": "28",
"tokenAssuranceLevel": "3",
"tokenRequestorId": "2"
}
},
"buyerDetails": {
"buyerId": "buyerId123",
"firstName": "John",
"lastName": "JSmith",
"companyName": "Nuvei Corp",
"locale": "bg-BG",
"dateOfBirth": "1978-01-01",
"email": "[email protected]",
"phone": "+1234567889",
"billingAddress": {
"state": "TX",
"city": "Austin",
"zip": "78652",
"countryCode": "US"
},
"shippingAddress": {
"sameAsBilling": true
}
}
}
Last modified October 2025