Try to pull your stored card data out of a payment processor's vault and you'll find out fast it was never really yours. Maybe that means a migration project. Maybe it's a data handover fee, or a month spent negotiating with your account rep for access to credentials your own customers handed over in the first place.Â
If you run a subscription business or a marketplace, it shapes how fast you can switch processors and whether expanding into a new market takes a quarter or a year, the same friction that makes tokenization for e-commerce worth getting right from day one.
Owning your tokens changes the math, and most payments teams have never priced it out completely. The authorization lift from network tokenization gets most of the attention, and it deserves it. What gets missed is everything underneath: lower retry costs, an interchange discount, a smaller PCI footprint, and the leverage that comes from walking into a contract renewal without your data held hostage.Â
This post breaks down where that value actually comes from and what it adds up to in dollars.
Gateway tokens, vault tokens, and network tokens aren't the same thing
Gateway tokens, vault tokens, and network tokens are different pieces of token technology, and which one you use decides how much of the value below you actually capture.
A gateway token comes from your payment processor. It swaps out the card number for a reference that only means something inside that processor's system. Your PCI scope shrinks, which is nice, until you try to switch processors and realize the token doesn't travel with you. It stays where it was born.
A vault token comes from an independent vault provider instead. It also replaces the card number, but because it lives outside any single processor's infrastructure, the token travels with you across gateways. Route a transaction to a different connected processor and you don't need to re-tokenize anything. That's what gives you room to add or switch processors without disrupting the payment methods you already have on file.
A network token comes from the card networks themselves: Visa, Mastercard, Amex. The card networks issue it against the underlying account. Reissue the card and the token keeps working, because it was never tied to that specific card number to begin with. It also carries a cryptogram generated at the moment of the transaction, which gives the issuer a stronger signal that the charge is legitimate. That cryptogram is what drives the authorization lift.
A network token and a vault aren't fighting for the same job. Where you store the token decides how much of its value you actually keep. An independent vault gets you the auth lift and the portability in one package. Stash the same token inside your processor's vault and the lift still shows up on your reports, but the routing freedom and the negotiating leverage never make it to you. This is also why tokenization vs encryption isn't really an either-or question for your compliance scope. Encryption protects data in transit. Tokenization removes the sensitive data from your environment entirely, which is the part that actually shrinks your audit.
What network tokenization solves
Banks reissue cards all the time. If your vault has no direct line to the card networks, it doesn't find out a card was reissued until a transaction fails. By then the authorization is already gone, and if you're on a recurring billing cycle, the subscriber might be gone too. The older your card-on-file portfolio, the more this costs you.
Network tokenization fixes this because the card networks manage the credential directly. When a card gets replaced, the token updates itself and the issuer sees clean, current data on every transaction.
Spreedly's own production numbers show a 2 to 3% authorization uplift in the US. Visa puts the global figure at 4.6% for tokenized card-not-present transactions compared to raw PAN.
One Spreedly customer took their decline rate from 40% down to 5% after rolling out network tokenization across several gateways. That's an outlier result, but it shows the ceiling. Where you land depends on where you start. Businesses with a lot of cards on file for over a year tend to see the biggest jumps, because that's where the stale data does the most damage.
Why the vault matters as much as the token
A network token is only as useful as the vault holding it. Keep it inside your processor and the authorization lift still shows up, but the portability and the negotiating leverage don't follow along with it.
An independent vault removes that trade-off. Your tokens move with you as portable tokenization, so you can route across any connected gateway without re-tokenizing. Add a processor when you find a better rate, or drop one that's underperforming, without touching the rest of your stack. Launching in a new market doesn't turn into a migration project that eats your engineering roadmap for a quarter. None of that shows up on an auth rate dashboard, but it shows up the next time you're negotiating a contract renewal and the processor knows you can actually leave.
This isn't a niche problem. According to The Orchestration Advantage, a PYMNTS Intelligence report, 93% of companies rely partially or entirely on their providers to manage their own tokens. That's most of the market finding out, usually at the worst possible time, that their stored payment methods belong to someone else's infrastructure, the same siloed thinking we see across payments orchestration generally.
A tokenization decision usually comes down to one question: does the migration cost outweigh the leverage you gain from owning your own vault. For a subscription or marketplace business carrying a large card-on-file base, it typically doesn't.
What the return actually looks like
Vault independence and network tokenization pay off in four places. A calculator can run your specific numbers, but here's what belongs in the model.
Authorization lift. Cards get reissued constantly, and when your tokens stay current, the declines caused by stale credentials stop happening. Spreedly's production data shows a 2 to 3% lift in the US. At $50 million in annual processing volume, a 2% lift recovers $1 million. Scale that to $200 million and you're looking at $4 million. This is the number everyone models first, because it's the easiest lever for revenue optimization to point to.
Retry costs. Every failed transaction that gets retried costs money at the gateway level whether the retry works or not, and card networks penalize you for exceeding retry limits. Network tokenization cuts the credential staleness that causes most soft declines in the first place, so the retries stop piling up.
Interchange savings. Visa gives a 0.10% interchange reduction on card-not-present consumer credit transactions that use a network token. At $200 million in annual volume, that's $200,000 a year, recurring, with nothing else to do after setup. For ISV platforms running sub-merchants, that number multiplies across the whole base.
PCI scope. Every PAN transaction you swap for a network token is one less instance of sensitive card data moving through your environment. PCI Level 1 audits alone can run past $50,000 a year, before you count engineering hours. Fewer PAN transactions means a smaller audit scope and a more predictable compliance bill, which is exactly how tokenization works in your favor once auditors get involved.
Run your own numbers
How much weight each of these four carries depends on your transaction mix, your current auth rate, and how old your card-on-file portfolio is. A subscription business with a lot of cards over a year old is going to see a different breakdown than a DTC merchant running mostly one-time checkouts. Check in with one of our vault specialists and have them walk you through exactly
What's the difference between a gateway token and a vault token?
A gateway token comes from your payment processor and only works inside that processor's system. A vault token comes from an independent vault provider, so it travels with you across any connected gateway without needing to re-tokenize.
How much can network tokenization improve authorization rates?
Spreedly's own production data shows a 2 to 3% authorization lift in the US. Visa reports a global figure of 4.6% for tokenized card-not-present transactions compared to raw PAN.
Why does it matter where a network token is stored?
A network token stored in an independent vault gives you the authorization lift and the freedom to route across processors. The same token stored inside your processor's vault still gives you the lift, but your credentials stay locked in.










