Overview: Account Updater

Supported Card Schemes

  • VISA (VISA Token Service)
  • Mastercard (Mastercard Digital Enablement Service / Mastercard Digital Enablement Service for Merchants)

Account Updater helps merchants and businesses keep their customers' payment card information up to date. It's especially useful for recurring payments, subscription-based services, and businesses that store customers' card information for future transactions.

The primary purpose of the Account Updater is to reduce payment disruptions caused by expired or replaced credit cards.

How to test

The Integrator needs to apply for a test account:

When the test account is in place, the Integrator must set up API keys and an endpoint to receive push notifications upon token updates.

To test the solution, Cardtokens provides test API keys, which work in combination with a range of selected test PANs.

Functions available

For Cardtokens to provide the SaaS solution to the Integrator, the following functions must / can be implemented:

  • Real-Time Validate PAN: Validates if the PAN is still valid or if a new PAN has been issued. The reply is made instantly.

  • Subscribe PAN to watchlist: Adds a list of PANs to the watchlist. Reply for obsolete PANs is made by asynchronous notification.

  • Unsubscribe PAN from watchlist using panid: Unsubscribes a PAN from the watchlist using the Cardtokens generated panid.

  • Get list of panids with customreference: Get a list of Cardtokens panids matching a custom reference.

  • Card update notification: An HTTP POST notification is transmitted from Cardtokens to the Integrator with information about a PAN that has been updated.

Payload encryption (MLE)

All communication to and from Cardtokens uses REST over HTTPS as the transport protocol. To increase the security level, all payload data is encrypted using Message Level Encryption (MLE). To communicate with the Cardtokens cardupdater API, public and private RSA keys must therefore be negotiated, which means two key pairs must be exchanged:

  • Key 1 is generated by the client, and its public key is sent securely to Cardtokens.
  • Key 2 is generated by Cardtokens, and its public key is sent securely to the client.

Payload to Cardtokens must be encrypted using the Key 1 private key. It will be decrypted by Cardtokens using the Key 1 public key. Payload from Cardtokens is encrypted by Cardtokens with the Key 2 public key and can be decrypted by the client using the Key 2 private key.

Card update API

The card update API is split into two flows—one for real-time PAN validation and another for issuer-initiated notifications.

Method 1: Real-time validation

The real-time validation flow is used to get a PAN's current or updated information.

  1. The Integrator calls the Cardtokens real-time API with a single PAN request.
  2. Cardtokens looks up the scheme of the PAN.
  3. Cardtokens validates the PAN against the card scheme.
  4. The card scheme responds with real-time PAN information.
  5. Cardtokens returns to the Integrator with the real-time status of the PAN.

Method 2: Watchlist

This flow is used by large merchants with a large subscription base (COF) that they want to keep updated. By adding the cards to the watchlist, the merchant will get notified each time the issuer has an update.

  1. The Integrator creates a list of PANs to be added to the watchlist and sends the list to Cardtokens.
  2. Cardtokens adds the PANs to the scheme watchlist.
  3. Cardtokens returns to the Integrator with a reference of each PAN stored in the watchlist.
  4. A card is updated (new, deleted, etc.), and the card issuer notifies the card scheme of the update.
  5. The card scheme notifies Cardtokens that a change has been made to the card.
  6. Cardtokens notifies the Integrator that a PAN has been updated.
  7. If / When the PAN is to be unsubscribed from the watchlist, the Integrator sends a request to Cardtokens.
  8. Cardtokens unsubscribes the PAN from the card scheme watchlist.

Terms and Definitions

  • VAU: VISA Account Updater
  • ABU: Account Billing Updater (Mastercard)
  • PSP: Payment Service Provider. Providers who offer an online terminal opened from the merchant website to process payments online within the PCI-DSS scope.
  • Integrator: A 3rd party PSP, acquirer, or merchant who is PCI DSS compliant.
  • Card scheme: Payment networks linked to payment cards, such as debit or credit cards. Visa and Mastercard are some of the major card schemes. Also referred to as “Scheme”.
  • COF: Card On File. Meaning authorizations sourced from PANs are stored locally. These types of authorizations are normally recurring.
  • SaaS: Software as a Service. Typically named for hosted services, which are easy to integrate into existing solutions.
  • PAN: Primary Account Number. E.g., card number.
  • Cardtokens: Referred to Cardtokens Aps and
  • CHD: Card holder data. Information such as card number, name, expiry date, security code, etc.
  • CIT: Card holder initialized transaction
  • MIT: Merchant initialized transaction (COF)
  • Merchant ID: Merchant Identification Number is a unique identification number attached to a business. Every merchant will receive a unique merchant ID when they are onboarded.