All Blogs
Jan 14th, 2026

Demystifying "Tokenization” in Payments: Vaults, COF, and the Real Network Tokens

If we had a dollar for every time someone misused "tokenization" in a payments meeting, we could probably fund our own network token vault.

It's one of the most overused - and misunderstood - buzzwords in the industry. And the stakes for getting it wrong aren't just semantic. They're operational, financial, and long-term strategic. Especially when you're in the world of recurring billing, subscriptions, or installment plans.

So let's break it down, once and for all. No fluff. No buzzwords. Just the truth about tokenization and what each version really means - and why that matters when your business relies on charging customers every month (or more).

The Legacy Vault (a.k.a. "Encryption with Extra Steps”)

What it is: Your gateway or acquirer encrypts and stores the raw card data (PAN + expiry), often in a PCI-compliant vault. When it's time to run a refund or a subsequent transaction, they decrypt it behind the scenes and process the charge.

What it's not: Tokenization. There's no brand registration, no dynamic data, no update mechanisms.

Impact:

  • No interchange reduction: You're paying standard card-not-present rates, with no discounts or incentives from the networks.
  • No lifecycle management: If a card is reissued or expires, your vault won't know - meaning your next transaction fails.
  • No issuer-side data to support auth decisioning: Issuers can't distinguish between a recurring charge and a potential fraud attempt.
  • No migration flexibility: You're locked into your current vault provider unless you want to re-collect cards.
  • PCI scope remains on you: You're responsible for keeping raw PAN secure and in compliance with PCI DSS.

Recurring Risk: If you're using legacy vaulting and processing monthly transactions, you're not giving issuers any heads up about what's happening. That means recurring charges at 2:00am look just like potential fraud.

Credential-on-File (COF) Framework

What it is: This is where things start to get real. COF is a formalized framework where you tell Visa and Mastercard that you're storing card credentials (still encrypted PAN), and they issue a Transaction Identifier (TID). You're then expected to label subsequent transactions as:

  • Customer-Initiated Transaction (CIT): The cardholder is actively present - typically entering credentials at the point of sale. Issuers treat these as standard online purchases.
  • Merchant-Initiated Transaction (MIT): The merchant initiates the charge on behalf of the cardholder, based on prior consent. This includes recurring subscriptions, usage-based billing, and installment plans.

Why this matters:

Flagging these transactions correctly helps issuers understand what's happening. If your system is running a batch of subscription renewals at 2:00am, MIT tells the issuer: "Hey, this is normal behavior. The cardholder isn't up shopping - we are executing a pre-agreed transaction."

When transactions like this are not flagged as MIT, they can raise red flags. Issuers see an unexpected, card-not-present transaction in the middle of the night, and think fraud. The result? Declines.

Impact:

  • Improves authorization rates: Issuers use MIT/CIT indicators to model cardholder behavior and reduce false declines.
  • Required for recurring, installment, and usage-based billing: These models are no longer optional - they're enforced by networks.
  • Doesn't reduce interchange directly: But properly labeled transactions are more trustworthy, which can improve downstream processing economics.
  • Still requires PAN storage: PCI DSS compliance is still on the merchant unless other tokenization layers are added.

Bonus: Most acquirers and gateways now expect merchants to use COF frameworks if they're doing anything subscription-based. If you're not, you're out of compliance and out of alignment with issuer models.

Network Tokenization (a.k.a. "The Real Deal")

What it is: Visa and Mastercard replace the real card number (PAN) with a dynamic, lifecycle-managed token. This token is:

  • Specific to the merchant or provider
  • Managed by the card network, not just encrypted
  • Automatically updated when the underlying card changes

There are two distinct models:

1. Merchant/Brand as Token Requestor

  • Control and portability: The merchant is registered with the networks and requests/owns the token. This allows movement between providers while keeping the token estate intact.
  • Best for enterprises: Ideal for marketplaces, large retailers, and digital wallets who want to centralize payments across multiple providers or geographies.

2. Provider-Scoped Tokenization

  • Limited portability: Your PSP, acquirer, or gateway owns the token relationship. You benefit from tokenization features - but only within their ecosystem.
  • Vendor lock-in risk: If you change providers, you likely lose access to those tokens and must re-collect credentials.

Impact:

  • Higher authorization rates: Issuers often prefer tokens to raw PAN, especially when they are dynamic and issuer-linked.
  • Reduced fraud: Tokens are only valid in the scope where they were issued, making them harder to misuse.
  • Automatic updates: When a card is reissued, the network updates the token - reducing failed payments.
  • Lower PCI risk: No PAN means dramatically reduced compliance exposure.
  • Potential interchange benefits: Depending on your merchant category code (MCC), use case, and volume, some networks offer interchange incentives for tokenized transactions.

Recurring Bonus: Network tokens thrive in subscription environments. They maintain continuity, even when the underlying card is reissued or updated. That means fewer declines, less customer churn, and a better bottom line.

TL;DR: Get the Terms Right, Then Get the Architecture Right

If you're doing recurring billing, installment payments, or anything that involves storing card data:

  • Vaulting is better than nothing, but it's not enough: You're flying blind from a compliance and issuer-trust standpoint.
  • COF is mandatory for proper auth signaling and compliance: Without it, your transactions look riskier than they are.
  • Network tokenization is the strategic play for auth rates, fraud reduction, and long-term control: Especially if you're scaling, or thinking about portability.

Pro Tip: Stop calling your PAN vault a token vault. If you're storing raw card data without issuer visibility or lifecycle management, you're not tokenizing - you're just encrypting.

Need help auditing your setup or planning a migration? We do this in our sleep (often around 2:00am - flagged as MIT, of course).


Tags:

Get Our Newsletter

Latest Blog Entries

© 2026 Payment Therapist. All rights reserved.