Overview: Account Updater
- VISA (VISA Token Service)
- Mastercard (Mastercard Digital Enablement Service / Mastercard Digital Enablement Service for Merchants).
Account Updater helps merchants and businesses keep their customers' payment card information up to date. It is especially useful for recurring payments, subscription-based services, and businesses that store customers' card information for future transactions.
The primary purpose of the Account Updater is to reduce payment disruptions caused by expired or replaced cards.
How to test
The Integrator needs to apply for a test account: https://app.cardtokens.io/signup
When the test account is in place, the Integrator must set up API keys and an endpoint to receive push notifications upon token updates.
To test the solution, Cardtokens provides test API keys, which work together with a set of designated test PANs.
Functions available
For Cardtokens to provide the SaaS solution to the Integrator, the following functions must (or, where optional, can) be implemented:
Real-Time Validate PAN: Validates whether the PAN is still valid or whether a new PAN has been issued. The reply is synchronous.
Subscribe PAN to watchlist: Adds a list of PANs to the watchlist. Changes to obsolete PANs are reported later by asynchronous notification.
Unsubscribe PAN from watchlist using panid: Unsubscribes a PAN from the watchlist using the Cardtokens-generated panid.
Get list of panids with customreference: Returns the list of Cardtokens panids matching a custom reference.
Card update notification: An HTTP POST notification is sent from Cardtokens to the Integrator with information about a PAN that has been updated.
Payload encryption (MLE)
All communication to and from Cardtokens uses REST over HTTPS as the transport protocol. To raise the security level further, the payload itself is also encrypted with Message Level Encryption (MLE), so card data is protected end to end and not only on the TLS hop. To communicate with the Cardtokens cardupdater API, two RSA key pairs must therefore be generated and their public halves exchanged:
- Key 1 is generated by the client; its public key is sent to Cardtokens over a channel that guarantees its integrity.
- Key 2 is generated by Cardtokens; its public key is sent to the client the same way.
Payload to Cardtokens is encrypted with the Key 2 public key and decrypted by Cardtokens with the Key 2 private key. Payload from Cardtokens is encrypted with the Key 1 public key and decrypted by the client with the Key 1 private key. Each private key thus never leaves the party that generated it, and it is used only to decrypt (and, if required, to sign), never to encrypt: anything encrypted with a private key can be read by every holder of the matching public key, so it would give authenticity but no confidentiality.
Card update API
The card update API is split into two flows—one for real-time PAN validation and another for issuer-initiated notifications.
Method 1: Real-time validation
The real-time validation flow is used to get a PAN's current or updated information synchronously.
- The Integrator calls the Cardtokens real-time API with a single-PAN request.
- Cardtokens looks up the scheme of the PAN.
- Cardtokens validates the PAN against the card scheme.
- The card scheme responds with real-time PAN information.
- Cardtokens returns the real-time status of the PAN to the Integrator.
Method 2: Watchlist
This flow is used by merchants with a large card-on-file (COF) subscription base that they want to keep updated. By adding the cards to the watchlist, the merchant is notified each time the issuer reports an update.
- The Integrator creates a list of PANs to be added to the watchlist and sends the list to Cardtokens.
- Cardtokens adds the PANs to the scheme watchlist.
- Cardtokens returns to the Integrator a reference (panid) for each PAN stored in the watchlist.
- A card changes (new PAN or expiry issued, account closed, etc.). The card issuer notifies the card scheme of the update.
- The card scheme notifies Cardtokens that a change has been made to the card.
- Cardtokens notifies the Integrator that the PAN has been updated.
- If and when the PAN is to be unsubscribed from the watchlist, the Integrator sends a request to Cardtokens.
- Cardtokens unsubscribes the PAN from the card scheme watchlist.
Terms and Definitions
Term | Definition |
---|---|
VAU | Visa Account Updater |
ABU | Automatic Billing Updater (Mastercard) |
PSP | Payment Service Provider – a provider that offers an online terminal, opened from the merchant website, to process payments online within PCI DSS scope. |
Integrator | A third-party PSP, acquirer or merchant that is PCI DSS compliant. |
Card scheme | The payment network behind payment cards such as debit or credit cards; Visa and Mastercard are among the major card schemes. Also referred to as "Scheme". |
COF | Card On File: authorizations sourced from PANs the merchant has stored. These authorizations are normally recurring. |
SaaS | Software as a Service: hosted services that are easy to integrate into existing solutions. |
PAN | Primary Account Number, i.e. the card number. |
Cardtokens | Refers to Cardtokens ApS and www.cardtokens.io |
CHD | Cardholder data: card number, name, expiry date, security code, etc. |
CIT | Cardholder-initiated transaction |
MIT | Merchant-initiated transaction (COF) |
Merchant ID | Merchant Identification Number: a unique number attached to a business. Every merchant receives a unique Merchant ID when onboarded. |