INTEGRATION

Getting Started

TRANSACTION ASSURANCE

Network Tokenization

INTEGRATION

Network Tokenization

The network tokenization endpoints provide a gateway into Mastercard Secure Card on File (SCOF) and Visa Token Service (VTS), allowing merchants to safely store a digital version of their customers' cards. Once stored, the endpoints also provide a way to manage tokens and receive updates to process an uninterrupted transaction sequence.

To use the Network Tokenization endpoints, a merchant must first be enrolled for SCOF and VTS, which can be done by submitting a Create Enrollment request.

Configure an event subscription or “tokens” to fully utilize the token service functionality. This will allow you to receive update notifications on the tokens and ensure you have the most up-to-date information for processing transactions.

The entire lifecycle for Network Tokenization consists of the following steps:

  • Enroll Merchant

  • Create a Token

  • Create a Token Cryptogram

  • Token Transaction Processing

Create a Token

When enrollment is active, you can create tokens by submitting the required card data to the Create Token endpoint. This is an asynchronous process where we allow service users to create network tokens in bulk. Providing the CVC data is optional, but we highly recommend doing so, as this can positively impact issuer response. Furthermore, a PAN can be tokenized once per merchant.

Get a Token

Use the Get Token endpoint to fetch the created token; the result contains mainly metadata about the token. The network token can process transactions as soon as the status is active. From that moment, transactions can be processed with the token. Important to mention is that the version increments when lifecycle updates for the token are received, for example:

  • The issuer has changed the status of the token.

  • The token information changes (e.g., due to an underlying PAN expiration date update).

  • The card metadata changes (e.g., when the card art changes).

Get Token Data

The Get Token Data endpoint provides the actual network token credentials that can be used instead of the physical PAN information for processing a charge. The token data is interoperable across the card network ecosystem, meaning that acquirers and issuers should accept these network tokens as substitutes for physical PANs. The Payment Account Reference is also provided as a part of the payload on this endpoint, as this reference allows you to ‘link’ various tokens that link to a specific PAN.

When token data is updated, we notify you through the event subscription.

Create a Token Cryptogram

In addition to the token data, the token cryptogram can be obtained by creating a token cryptogram to validate and authenticate the network token for processing a charge. We cache token cryptograms to make sure we limit the latency impact in a check-out flow for a charge and automatically update the token cryptogram we cache as soon as we receive a token refresh notification. The response from the endpoint will contain the following:

When processing transactions with the token, it is essential to know when to provide a tokenCryptogram for the first transaction in a sequence. To help with this, we offer the lastTokenRefresh parameter to allow you to determine whether you need a new tokenCryptogram for the subsequent MIT transaction.

The instructions for providing a cryptogram are as follows;

  • For all standard purchase charges with the network token, a new tokenCryptogram needs to be provided.

  • The tokenCryptogram must be provided for all first charges that use the network token in a recurring sequence.

  • For all subsequent merchant-initiated charges after a token refresh, a new tokenCryptogram needs to be provided.

Example 1. When a merchant decides to safely store the cardholder data as a network token to process “one-click” charges, each transaction will need a new tokenCryptogram submitted for authorization.

Example 2. After successfully authorizing an initial charge of a sequence with the PAN, the first subsequent MIT transaction uses the tokenData instead of the PAN. A tokenCryptogram needs to be submitted for authorization. When, after, for example, three years of subsequent charges, a token-refresh notification is received, the first subsequent transaction after that notification needs a tokenCryptogram to be provided.