Network Tokenization: What is it and Why Merchants Should Be Building it into their 2024 Strategy
Sep 19, 2023 12:00 PM - 12:30 PM EST
According to a 2022 Nilson Report, cards-not-presented fraud involving transactions online, over the phone, and by mail order accounted for an estimated $5.72 billion loss in the US alone. How can merchants safeguard consumer data?
Network tokenization is a security measure that protects consumers by replacing sensitive data with unique identifiers or tokens. This makes it more difficult for fraudsters to steal or misuse consumers’ personal information. As fintech entrepreneur John Lunn explains, the service also provides consumers conveniences such as more manageable payments and access to their online accounts. Additionally, it offers users peace of mind, knowing their confidential intelligence is protected. Through network tokenization, merchants experience less fraud and secure consumer data, making it easier to comply with data security regulations. As a result, customers become more trusting and are likely to continue shopping with vendors that utilize tokenization.
In this virtual event with Aaron Conant, John Lunn, CEO of Gr4vy, discusses network tokenization. John explains network tokenization, how it benefits consumers and merchants, and merchant concerns when deploying network tokenization and selecting a provider.
Gr4vy is a powerful payments orchestration platform that allows you to deploy and optimize all your payments through one simple integration.
Connect with Gr4vySenior Digital Strategist at BWG Connect
Tiffany Serbus-Gustaveson is a Digital Strategist at BWG Connect, a network and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. With over 13 years of experience in the digital space, she has built a strong reputation for driving growth, innovation, and customer engagement across a variety of online platforms. She is passionate about keeping up with the latest industry trends and emerging technologies by speaking with hundreds of brands a year thru the BWG Network.
CEO and Founder at Gr4vy
John Lunn is the Founder and CEO of the cloud payment orchestration platform Gr4vy. He’s a technology and fintech entrepreneur with 21 years of experience working and investing in financial services, commerce enablement, e-payments, data, security, and infrastructure. John worked as the Director of Technology for six years at CyberSource, the world’s finest payment service provider, which was sold to Visa for $2 billion in 2010. He then helped found Passmark Security, which was sold to RSA Security in 2006.
In 2006, John joined PayPal as the fourth employee in the UK — now employing over 2000 — where he built and grew PayPal’s first Developer Relations team as the Global Director of Developer and Startup Relations. He was instrumental in the 2015 purchase of Braintree by PayPal and joined the team as a Senior Director. In 2016, John helped to launch PayPal Ventures, the company’s venture capital arm, a $350 million fund with the board’s backing. He was a Board Observer for multiple companies, including Dosh, Arkose, Raise, Acorn, and Toss.
Senior Digital Strategist at BWG Connect
Tiffany Serbus-Gustaveson is a Digital Strategist at BWG Connect, a network and knowledge sharing group of thousands of brands who collectively grow their digital knowledge base and collaborate on partner selection. With over 13 years of experience in the digital space, she has built a strong reputation for driving growth, innovation, and customer engagement across a variety of online platforms. She is passionate about keeping up with the latest industry trends and emerging technologies by speaking with hundreds of brands a year thru the BWG Network.
CEO and Founder at Gr4vy
John Lunn is the Founder and CEO of the cloud payment orchestration platform Gr4vy. He’s a technology and fintech entrepreneur with 21 years of experience working and investing in financial services, commerce enablement, e-payments, data, security, and infrastructure. John worked as the Director of Technology for six years at CyberSource, the world’s finest payment service provider, which was sold to Visa for $2 billion in 2010. He then helped found Passmark Security, which was sold to RSA Security in 2006.
In 2006, John joined PayPal as the fourth employee in the UK — now employing over 2000 — where he built and grew PayPal’s first Developer Relations team as the Global Director of Developer and Startup Relations. He was instrumental in the 2015 purchase of Braintree by PayPal and joined the team as a Senior Director. In 2016, John helped to launch PayPal Ventures, the company’s venture capital arm, a $350 million fund with the board’s backing. He was a Board Observer for multiple companies, including Dosh, Arkose, Raise, Acorn, and Toss.
Senior Digital Strategist at BWG Connect
BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution.
Senior Digital Strategist Tiffany Serbus-Gustaveson runs the group & connects with dozens of brand executives every week, always for free.
Aaron Conant 0:00
Happy Tuesday, everybody. My name is Aaron Conant, I'm the Co-founder and Managing Director here at BWG Connect. We're a giant networking and knowledge-sharing group with 1000s of brands. We do exactly that. We network and share knowledge together to stay on top of the newest trends, strategies, pain points, and everything that shaping digital as a whole. And when the same topics or new topics come up over and over again, we host an event like this. And so a couple of housekeeping items, as we get started, we're starting a few minutes after the hour, just so everybody knows, we're gonna try to wrap up one to two minutes early as well give you all plenty of time to get out into the next beam without being late. We want this to be as educational and informational as possible. So at any point in time, if you have any questions, drop them into the chat, drop them into the Q&A. And we will make sure that we get those answered as real-time as we possibly can. And I think that's about it; I spend a lot of my time just talking to brands try to make it 20 to 30 a week, helping them out with digital strategy as a whole. And, you know, some interesting things have popped up lately. One of them is around network tokenization. And so, John, I'm gonna kick it over to you. If you want to do a brief intro on yourself and the organization, that'd be fantastic. And then we can kind of get into the topic for today, I'm sure we're gonna have a ton of questions on it. Or the obviously repealer is going be sit back and really, really learning. And then the next one of these we do, there's gonna be 150 questions that pour out, but I'll kick it over to you, John, if you want to jump in.
John Lunn 1:44
That's great. Thank you, Aaron. So, I'm John Lunn, the CEO and one of the founders of Gr4y. Gr4vy is a payment orchestration platform, which means we're a technology layer that sits between retailers or merchants out there and pretty much every payment option in the world. So why network tokenization? Why are we talking about that is because we support network tokenization across the 120-odd payment companies that were connected to that should make things a little bit easier. And we've been in the deep end of this as we've integrated network tokens across our merchant base.
Aaron Conant 2:21
Yeah. Awesome. So again, a reminder, I'm going to turn on the chat here, so everybody can interact. But also, if you have any questions along the way, don't hesitate to drop them there or feel free to drop them into the into the Q&A as well. But I mean, do you want to just start us off around what network tokenization is as a whole? I think as we get deeper and deeper into the digital side of commerce as a whole, more and more questions pop up, and people start peeling back the layers of the onion and realize, wait a minute, there's 150 things I never thought of. And this is probably one of those things for sure.
John Lunn 2:57
Exactly. So probably useful if we go back in history a little bit. So in the, in the good old pioneering days of eCommerce, merchants used to store all credit card numbers all over the place, right, and how many you had people's credit card numbers in Excel spreadsheets, sticky notes, etc. And obviously, that caused a few problems with cards being leaked, and hacks, and everything else that came with that. So what happened is, the industry introduced a PCI standard, and the PCI standard was like a standard you had to meet, in order to be able to store rural credit cards and not get fined if something went wrong. So you would have to go hrough an audit, etc, etc. A lot of merchants didn't want the complexity of that, because it is a lot of work. And it's an expensive audit, and you have to do it every year. So what they decided to do is basically use a technology called tokenization. So he worked with a third party. And it really is just like the tokens you get if you went to a casino in Vegas, right, they don't give you cash, they give you a token to replace it. Same concept here, you send a card through to payments service provider, they return a unique value to you, which is a token. And if you want to build that customer going forward, instead of having to store the card number, you just say Bill, token 1234 for $50. And that route made the PCI burden that you have a lot lighter, and made things a lot more efficiency efficient with a lot less hacks. The next sort of iteration of that is network tokens. And really, this is a problem we probably all experienced here. So you've got your credit card, probably stored on a variety of different subscription merchants at the moment. So things that you've signed up to, they've got your card on file, etc. And probably some stage in the last three years. You've got a call from your card company saying oh, sorry. We've identified a transaction or someone buying a laptop and Amazon, whatever. And so we've canceled your card and we're sending a new one. And you then spend the next month and a half trying to remember where the hell you subscribe to as your, you know, your dog food doesn't arrive because they've dropped the old guard, etc, etc. So for a consumer perspective, it's very, very inefficient having one card number one piece of plastic being stored across the internet by whatever retailer you decide to sign up with. And so and then for the card associations, or the issuing banks is also very inconvenient, because every time they have to do this, they have to generate a new piece of plastic to send you, lots of transactions fail, lots of merchants have problems, etc, etc. And so the idea here is, instead of merchants having to store a credit card number for you for a transaction, you make a call to one of the card associations through a company like Gr4vy, and what they return is a unique token that is generated by Visa, MasterCard, Amex, etc, You store that token, and that token is for that card user for that card number for that merchant only. So it need all those things need to combine. And that means if someone else has a different network token for the same card and they get hacked, or lose it, lose it, all the card associations have to do is switch off that token, it means the same token that other tokens that all the other retailers hold will continue working, the consumer won't be impacted. And hopefully they won't have to issue a new plastic card. So overall, it's very sensible, it allows a lot less waste in the system, it also means you're more likely to keep on you know, preserving that customer who doesn't cancel the subscription, because they forgot about it, etc. And it makes a better system. However, on the other side, it is a little complicated to manage, right, as a merchant is a brand new thing you have to do pre-transaction in order to take advantage of this. So it's added a bit of integration burden to merchants. But overall, it is a sensible thing to be doing.
Aaron Conant 7:03
How prevalent is this today? And then where is it going to because I know that's where a lot of people are concerned, right, and then how big of a lift and everything else because we're all inundated with so many different things. Right now on our plate.
John Lunn 7:18
If you talk to the card association, they will expect 100% of transactions be running throw through this at some stage, especially e-comm. Networked organizations, they believe this is the future. This is where it should go. I don't disagree, I think this actually is better for the ecosystem. So I mean, you should plan around this being the standard way of view processing transactions online in the next two to three years. It spreads building momentum is building fast, there's new things being rolled out by Visa, MasterCard, like click to pay, which is a big deal. And that users NetWare tokenization. So it will become very, very common very quickly. I think the other side of this is if you haven't already, if you're not using it, then the banks in some countries are going to start putting your interchange up. And that's already starting to hit some US merchants. You'll be paying more if you're not using a network token. And then some other countries, they're actually discounting if you do use the network token. So depending on your acquirer and region you're in, there is definitely financial incentives to use this.
Aaron Conant 8:24
So a quick question comes in: can you describe the fee structure because someone pays for the network tokenization? Correct?Customers already pay for bank fees, merchant fees, transaction fees, etc, etc.
John Lunn 8:34
Yeah, so there is a fee to generate an API token. And that fee is generally going to whoever's connected to Visa or MasterCard and generated and they're paying a small fee to Visa but then you're also paying for the use of that technology. So it's going to be going through a third-party provider, whether it's Gr4vy or anyone else, then that third-party provider will be charging you to use that service. The alternative is, if you billed directly to Visa or MasterCard, but that is incredibly difficult to do and I wouldn't suggest it is there.
Aaron Conant 9:05
Is there like a test and learn then like I think the big question that people have all the time is, is this is something new? It does make sense. I think from a personal consumer standpoint, it makes complete sense, but from a business bearing the cost. And then I guess in the end, passing the cost on to an end consumer. Like, is there? Like the benefits? I guess, is there a way to test it out? Like
John Lunn 9:26
I mean, absolutely. I mean, you can switch it on. So something like with with us at Gr4vy, something you can do is you can vote for some transactions through using that word tokenization and others not. So do basically an AB test. But you can also try a network token and if it fails, you can fall back on a direct pan. So we've built in a whole variety of different rules that you can use in order to test this or this process without using losing that customer and that's really the big thing. The big advantage for a merchant is every time someone has their cards stolen or expires or whatever, there is a very high chance that they won't go back and re-subscribe to your service. It gives them a that minute to think of really, really do I need this product, because you are forced to go back into it and rethink your strategy there. So I think it is definitely beneficial for a merchant, if consumers aren't constantly being asked to go back and add a new credit card number and all the rest of it. And there's a potential, you'll lose months of revenue, while the consumer doesn't realize they haven't renewed their, or they haven't updated their card on your on your platform. So you know, with me recently added exactly this situation, I have something that's delivered every three months. And I got an email a month later saying, oh, sorry, we've canceled your subscription because your card expired. And I'm like, Well, why didn't you ping me. Why didn't you ask me? So they've lost a customer? And I think that happens more often than not.
Aaron Conant 10:53
It's there. Like, how fast is this going to be changing? Is there a point in time where this is pretty much required? Yeah. And then, you know, what's the drawback? If people say, hey, I want to punt for a year, I guess it's kind of what I'm doing, trying to come up with the questions. And again, yeah, TJ, thanks for dropping the question in there. If others if you have questions around this, drop into the chat or the Q&A, and we'll get them answered. But those are the ones that are popping up through through my head.
John Lunn 11:18
Yeah, no. So, this has been ongoing for a few years now. I think this is the year where it's going to become the main way to make payments. So over the last few years, there's been experiments, but some early, early movers in this space. But now that you know, the financial incentives have been put in place, then I think it's time right now to take advantage of this because I think you're you're not you're going to be paying more to car and you shouldn't need to do that. And he wants to pay more in this climate, right?
Aaron Conant 11:50
The if we talk a little bit about, like implementation, implementation costs, timeframe, all of these things issuer support. I mean, these are other things that pop up all the time, we've already got 150 things running on the back end that we have to attend to. We'd love to hear what the I guess what the lift is, as a whole. And also the monetary side, right? And so there's a temporary, I'm not going to be paying more, but I probably will. So in the meantime, I'm trying to figure this whole thing out what is what does that all look like? What does it add to my team?
John Lunn 12:23
Yeah, I mean, they look, there's a number of different ways to do this. If you work with one PSP, and then you're happy to work with one PSP going forward, there is a good chance that already using network tokenization in the back end, and swapping that out with it with their own token, which is what they're getting for you because that makes, unfortunately makes it very stuck with that PSP. I think if you're thinking about it now, do consider an orchestration platform, because the token you'll get back for an orchestration platform is more portable, so it doesn't lock you into a particular PSP. So there's a lot I mean, there's a huge amount of transactions already running through network tokenization probably have you using one PSP is a good chance that they're using a network token in the back end. But having the advantage yourself to be able to control that, being able to have a network token that allows you to to span across different PSPs have backups, retries, etc. At that stage, you need to build it yourself, or what I'd strongly suggest is pick a payment orchestration platform, we can help you with that.
Aaron Conant 13:22
Yeah, awesome. Do you see this being an opt-in for now, and then soon, you know, mandatory moving forward in the future?
John Lunn 13:31
I mean, generally, there's different ways this is these types of things are implemented, it's like, carrot or stick race claim. So they mean to start with and in some countries is carrot, right? So they're offering you a discount on your interchange up to use it and other markets, like the US there seems to be they're going stick so you don't use it, we're putting up your rate. So I mean, look how much your option here really is, if you don't use it, you're going to be paying more money. And I do strongly believe we're already paying enough money to use credit cards online. So anything that reduces that or keeps it low is definitely beneficial. Yeah, they're like,
Aaron Conant 14:08
I just see it from the, you know, a specific example side, that's what people you know, always want to see. So if you're switching to, to, you know, network tokenization. Other specific examples that are out there. And then another question just comes in around how do you know if it's right for me because you'd mentioned subscription base, which completely makes sense in other scenarios as well. So let's tackle kind of both of those. And we can break them apart for sure.
John Lunn 14:38
Let's start with the last one. So if you're only doing one-time transactions, there is not a huge amount of benefit for you. So if you're only doing a transaction that you take the money off that consumer once you're never going to store that consumers details so you don't want an easy quick checkout, then there's not a huge benefit for you as a merchant. But if you're doing anything that allows you to store that customer's details you want them to have one click Checkout, click to pay any of that stuff, then you really do need to be doing this. Because it's just, it's more efficient. And as you said, it's going to save on cost examples. There's some very big companies out there already using that word token and tokens. And if you go on to the Visa, or MasterCard websites, you can see that sort of role models, and they are the world's largest retailers already doing this.
Aaron Conant 15:22
So then from a size standpoint, it doesn't necessarily matter, per se, it's just kind of more on, you know, what type of product you're selling, and the number of transactions.
John Lunn 15:34
Yeah, I mean, look it again, it's a cost thing. It's not really a size of company, it's not a, you know, if you're a small company, and you don't have the resource to do this, maybe it's, you know, you'll find paying more fees, right. But if you're a big company, then every penny counts. So you're trying to save costs constantly. Maybe there's more urgency at that point. But really, this is like, do you want to spend more or less money on this to make a better consumer experience?
Aaron Conant 16:00
Yeah, awesome. Are they're already into just like best best practices a little bit. This is something that's new, is just started coming up with brands as a whole. And it doesn't make sense. But I'd love to jump if you have any, like best practices, people should think about consider things to consider when you're selecting, you know, a partner in this space would be great as well.
John Lunn 16:22
So I think the first thing is, don't go all in, right. So don't go all in to start with. So there's definitely some issuers, some countries that are behind the game here. So whatever you do, you need the sort of dual solution. So the ability to use a network token. And if that doesn't work, the ability to use a PSP token, roll pan or something like that, because in some cases in that, where token will fail, and then you'll need to fall back on a pan. And then weirdly, in some cases, a pan might fail. And if you try network token that might work. So you basically need both. So the best practice I would say is don't go all in, don't say I just want to do I'm going to do everything on network tokens from day one. Because you potentially could have some problems going forward. I think there is a few other, you know, best practices here. If you're accepting debit cards, and you want to process debit cards through a debit card processor, then directly, then you need to have the dual solution as well, because the debit cards aren't supported by the network. tokenization standard.
Aaron Conant 17:29
Awesome. Are there like common questions that that get fielded your way? In this space? I mean, there's got to be a million, right. Yeah.
John Lunn 17:37
I mean, we often get asked, well, where should I use it? Where should I not use it? How when should I use it? And really, look, that's a big ass manual, that's very any changes almost every day, as issuers catch up, as certain banks come online, start doing better. And you need a flexible system. And that's what I keep on saying to people don't build an inflexible solution, you need something that's going to allow you to fall back and move around as this evolves. And as they roll it out in different countries, you need the ability, say, Should I use a network token in this country? Should I not? Should I use something else? So you need a very, very flexible solution? I think, in my view, and I'm very, very biased, and payment orchestration platform is the best way to do that. Is there?
Aaron Conant 18:21
Like, are you walking people through that? Because I think that's got to be a big part of it on a on a daily basis right now, because I think people get it, I think they understand it. But that's different than knowing the complexities of rolling it out and the timeframe. And we're like you're saying where to use it? Where not to use it? Is that like, is that an audit? That's done? Is it? You know, even when you get up and running? Is it a? Is it a weekly meeting? Is it a bi-monthly audit to see what the changes need to be? We'd love to hear something about that as well.
John Lunn 18:54
Yeah, look, I mean, I think the advantage of using an orchestration platform to do this is those changes don't need to be engineering changes. If you build this yourself, you might need to be writing engineering changes and say, Look, for this market now do start using network tokens for this particular issue. Start doing that. That means you need to be updating Ben tables, like which cards are good, which are not, that's a lot of work. So I think you know, the volunteering orchestration platform is that done for you? That there are reports around that will tell you where tokens have failed and pans have succeeded or where Panzer succeeded or failed and tokens have succeeded. So you'll get the updated data of what's working and making a change should just literally be, you know, changing to a configuration and a rule. And moving it to that model to give you the flexibility to move fast is far more important than than pretty much anything else because it is new, it is growing. But you do need flexibility because if you build this statically you're going to end up with some nasty surprises.
Aaron Conant 19:56
Yeah, and you're it's just interesting that this was In probably next year to 18 months, you're saying it's going to be predominantly taking over. So yeah, that number of people are just going to be left behind, like, paying them more or paying more. Right. But I don't think that people can I mean, as part of this as a whole is right is the number one thing I get from brands is overall profitability. Right? Ecommerce, direct consumer website, profitability is top of everybody's mind. And it's just, it's crazy. This is another spot where you're going to be paying more if you don't figure this out over the next year.
John Lunn 20:33
Yeah, I look. And it's always been the case of rolling out these new schemes you had like Chip and PIN in Europe, people resisted for years, and then they realized liability shift made a big difference. So they had to move. And I think that generally, people don't like things forced on them. But if there's a financial incentive, it helps.
Aaron Conant 20:53
Right? I mean, well, that's a big part of it, too, is it's, it's actually great for the consumer at the end of the day, right, and it's a push in the right direction. And I think the best thing, so the ones we can relate as not only the business side, but on the consumer side. And why there's going to be a gigantic push in this space, and you're going to figure it out. And if you're not going to figure it out, then you're going to pay. Yeah, and it does make sense because it's a huge inconvenience. I think everybody on the call has probably had that exact year's situation happen with some kind of product. And yes, you spend so much the most valuable thing that we have, which is our time trying to go around and fix things. What's like, the coolest stuff for you that's coming around the corner? In regards to this space as a whole. Right? Yeah, love to hear that.
John Lunn 21:43
I think I like the idea. I like what's going on with click-to-pay. So you know, if you don't know what click to pay is it this is a new technology that the car companies are rolling out directly. Whereas if you go to a website and you start typing your credit card number, or you've been to that website before, instead of having to type any of this stuff in, what will pop up on the screen is do you want to use this card, because that's stored. And then you'll just like the experience you'd have with one of the wallets, you'll be able to go click done behind the scenes that is using network tokenization. But it doesn't mean that that's going to become a very easy consumer experience. Like I see a world where hardly anyone ever types a credit card number, and again, and when you go and get your new card from your bank, they'll automatically register you into this process. So ultimately, that you know, no one likes paying for stuff. It's the worst print and the shopping experience, right? So make that as invisible as seamless as possible. Great. And then whether you know, we've got it today with maybe Google Pay or Apple Pay, or maybe you don't like those products. But this will basically turn to a process where making a payment should be super simple and super easy.
Aaron Conant 22:53
I mean, at the end that makes me happy makes customer happy. It's one of those interesting products where I don't think a lot of people understand the importance of it and where it's going. They don't understand the fact that it's going to be here no matter what. And so you need to figure it out. But that it makes everybody's life easier at the end of the day.
John Lunn 23:14
And yeah, so the little bit of left, but it's definitely the right thing to do.
Aaron Conant 23:18
Oh, it's a great spot to be in. Right. That's if you're helping the end consumer as a whole. Any things so we get the last couple minutes here. Anything we didn't cover today that you thought would come up either question-wise, or for the mouth audience or anything like that that normally comes up but didn't come up today? Yeah.
John Lunn 23:36
Yeah, I think the account updater is one of them so often that one of the questions we get from merchants is what account updater I already use account updater Why do I need network tokenization? Account updater is a technology that's been around for a little bit. And that's where you're basically any store card you have, you're able to get that card number updated. If anything goes wrong with it, it solves a little bit of a problem, it basically solves the problem. If the card gets canceled, it gets updated in the system, it is notoriously been a little bit difficult to work with it runs slightly delayed. But it doesn't really solve the core problem and there's one number out there that everybody has got stored that is actually very valuable to a consumer so it doesn't solve that part of the problem. But I think to start with you need to really be using account updater and network tokens as as this you know, there were tokens take over 100%.
Aaron Conant 24:32
This has been a fantastic conversation. Thanks people for sending in the questions as a whole. You know, as we're, as we kind of wrap up here, I just want to remind everybody, that if you have any follow-up questions more than happy to connect you with John and the team over Gr4vy. They're fantastic people great friends, partners, supporters, the network as a whole. You know, I'd love to have a follow-up conversation with you as well see other pain points that are happening and you know, with that if there's nothing more If anybody has any last questions, last-minute questions, you can drop them in the chat or the Q&A. But other than that, this it's amazing how fast you know. 25, 26 minutes goes by. You know, a quick thank you, John, for your time today. Thanks for the great conversation and all you guys are doing to help the brands that work out. With that. We're going to wrap up this sort of webinar here, everybody, take care, stay safe and look forward to having you at a future event. Awesome. Thanks again, John.