Network Tokenization

Network tokenization enhances the security and efficiency of processing credit card information by using network tokens instead of relying solely on primary account numbers and gateway-specific identifiers.

Network tokenization improves how Zuora processes and stores credit card information for recurring and stored‑credential payments. Instead of relying only on the primary account number (PAN) and gateway‑specific identifiers, Zuora now uses network tokens issued by the card networks.

How payments work without network tokenization

Without network tokenization, a typical credit card payment is processed as follows:

  • The payer enters their card details and Zuora collects the PAN (16‑digit card number) and other card information. Zuora securely stores the raw PAN as part of the payment method. Zuora uses the PAN to process a transaction with the configured payment gateway.
  • After processing the transaction using the 16‑digit PAN, the gateway:
    • Stores the PAN in its own vault.
    • Returns a gateway‑specific payment method identifier to Zuora.
  • Although this identifier is often informally called a gateway token, it is not a 16‑digit card number. It is a gateway‑generated ID that uniquely identifies the stored card within that gateway.
  • Zuora now stores:
    • The raw PAN collected from the payer.
    • The gateway payment method identifier returned by the gateway.

For scheduled or unscheduled recurring transactions, Zuora sends the stored gateway identifier to the gateway. The gateway recognizes it as a stored payment method and processes the transaction.

If the gateway responds that the payment method ID is invalid:

  • Zuora falls back to using the stored PAN.
  • Zuora sends the 16‑digit PAN to the gateway to attempt the transaction again.

In this pre‑network‑tokenization model, Zuora has two ways to initiate a recurring transaction for the same payment method:

  • The gateway payment method identifier (preferred).
  • The raw PAN (fallback).
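The flow above, modelled as an added example (not Zuora's or any gateway's code or API): the class names, the `pm_` identifier format and the card number are constructed for illustration. It records which credential is sent on each request, showing that the raw PAN is retransmitted whenever the gateway rejects the stored identifier.

```python
import secrets
from dataclasses import dataclass, field

class InvalidPaymentMethodId(Exception):
    """Gateway no longer recognizes the stored payment method identifier."""

@dataclass
class ToyGateway:
    """Hypothetical gateway: vaults the PAN and hands back an opaque identifier."""
    vault: dict = field(default_factory=dict)      # gateway id -> PAN

    def charge_with_pan(self, pan, amount):
        gateway_id = "pm_" + secrets.token_hex(8)  # opaque ID, not a card number
        self.vault[gateway_id] = pan
        return gateway_id

    def charge_with_id(self, gateway_id, amount):
        if gateway_id not in self.vault:
            raise InvalidPaymentMethodId(gateway_id)

@dataclass
class ToyBillingSystem:
    """Hypothetical billing side: keeps the raw PAN and the gateway identifier."""
    gateway: ToyGateway
    pan: str = ""
    gateway_id: str = ""
    sent: list = field(default_factory=list)       # credential type per request

    def initial_payment(self, pan, amount):
        self.pan = pan                             # raw PAN stays in storage
        self.sent.append("pan")
        self.gateway_id = self.gateway.charge_with_pan(pan, amount)

    def recurring_payment(self, amount):
        try:
            self.sent.append("gateway_id")         # preferred credential
            self.gateway.charge_with_id(self.gateway_id, amount)
        except InvalidPaymentMethodId:
            self.sent.append("pan")                # fallback: PAN leaves storage again
            self.gateway.charge_with_pan(self.pan, amount)

def run_scenario():
    gw = ToyGateway()
    billing = ToyBillingSystem(gw)
    billing.initial_payment("4111111111111111", 10)  # constructed test card number
    billing.recurring_payment(10)                    # identifier accepted
    gw.vault.clear()                                 # simulate the gateway invalidating the ID
    billing.recurring_payment(10)                    # identifier rejected, PAN resent
    return billing.sent

if __name__ == "__main__":
    print(run_scenario())
```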

What is a network token?

A network token is a 16‑digit surrogate card number issued by the card network (such as Visa, Mastercard, Amex, or Discover). It is a secure proxy for the underlying PAN.

Key properties of the network token include the following:

  • It is a surrogate or proxy for the PAN.
  • It is aligned to a particular merchant:
    • Only the merchant that requested the network token is authorized to use it.
    • If the token is compromised, it cannot be arbitrarily used by other merchants.
  • It is designed to be more secure than using the raw PAN for subsequent transactions.
  • Zuora receives life cycle event updates for the provisioned token, which keeps account information up to date and helps prevent churn.