Network tokenization advantages
Storing raw card numbers across merchant systems creates serious security risks. Network tokenization eliminates this risk at its root. Sensitive card data is never transmitted or stored in the clear at any stage of the payment flow. Instead, the real card number is replaced with a network-issued token, scoped to a specific merchant, token requestor, and the underlying card it was issued for. Each transaction is further secured by a unique, one-time cryptogram, ensuring even a compromised token cannot be replayed or reused outside its intended scope.Better authorization rates
Tokenized transactions include richer data that helps card issuers make smarter approval decisions, resulting in higher acceptance rates than with standard card transactions. For merchants processing large volumes, better authorization rates mean more completed sales and less lost revenue, making tokenization a performance upgrade, not just a security measure.Key benefits
| Benefit | Description |
|---|---|
| Enhanced security | Network tokens and one-time cryptograms protect card data. A stolen token alone cannot be used to complete a transaction. |
| Higher authorization rates | Richer token data improves issuer risk decisions, increasing approvals by 200–500 bps. |
| Reduced PCI scope | Partners do not store or transmit raw card data, significantly simplifying PCI DSS compliance. |
| Processor-agnostic | Route tokenized transactions to any processor — no lock-in to a specific acquirer. |
| Automated lifecycle management | When a card expires, is reissued, or replaced, the associated token is updated automatically. Transactions continue without disruption. |
| Card art display | Display issuer-provided card images in your UI, helping cardholders identify and select the right card — improving conversion and reducing selection errors. |
| Reduced integration complexity | One integration with PayPal covers all supported networks: Visa, Mastercard, American Express, and Discover. |
Network tokenization frameworks
Secure Credential Services supports Ecommerce network tokenization across a range of business structures. Your business model determines how Token Requestor IDs (TRIDs) are scoped and how tokens are shared or isolated across your merchants or users.| Business Model | TRID Model | Token Scope | Token Sharing | Who Controls Processing |
|---|---|---|---|---|
| Enterprise / Individual Merchants | One TRID per merchant | Per merchant | Not shared across merchants | Merchant |
| Digital Wallets | One TRID per wallet | Per wallet | Not shared outside the wallet | Wallet provider |
| PSPs & Gateways | PSP parent + child TRID per merchant | Per merchant TRID | Not shared across merchants | PSP provisions; merchant processes |
| Marketplaces / Commerce Platforms | Single marketplace TRID or seller TRIDs | Per marketplace or per seller | Shared (single) or isolated (seller) | Marketplace (and optionally sellers) |
| Payment Enablers | One TRID per enabler | Per enabler | Not shared outside enabler network | Enabler |
Note Tokens are unique for each combination of TRID + FPAN + User Account ID. Under a PSP or marketplace using per-merchant TRIDs, the same card enrolled with different merchants produces a separate token for each. Under a single shared marketplace TRID, the same card produces one token used across all sellers in that marketplace. If you’re unsure which model fits your business structure, contact your PayPal account representative.
Architecture
PP TSP serves as the single integration point between your platform and the card networks. Rather than building and maintaining separate connections to Visa, Mastercard, Discover, and American Express, you integrate with PP TSP, after which it handles token provisioning, cryptogram generation, and lifecycle management across all networks on your behalf.
How Ecommerce tokenization works end to end
- You register with PP TSP and receive a Token Requestor ID (TRID) for each supported card network. The TRID identifies your platform in all tokenization requests.
- A cardholder stores a card with your platform. You send the card details to PP TSP to initiate enrollment.
- PP TSP forwards the request to the card network and issuer for approval, then returns a TPAN and enrollment metadata.
- You store the TPAN in place of the card number. The original card number (FPAN) is no longer needed for transaction processing.
- At checkout, request a one-time cryptogram from PP TSP. The cryptogram is generated by the card network and scoped to the specific transaction — it cannot be reused. Submit the TPAN and cryptogram to your payment processor, which constructs and routes the authorization request to the card network and issuer. The issuer validates both values and returns an approval or decline.
- PP TSP handles the token lifecycle on your behalf. If the underlying card changes — due to renewal, re-issuance, or an account update — PP TSP updates the token automatically and notifies you using webhooks. No cardholder re-enrollment required.