Overview: Network Tokenization
- VISA (VISA Token Service)
- Mastercard (Mastercard Digital Enablement Service / Mastercard Digital Enablement Service for Merchants).
- (American Express) Coming early 2024
Network tokenization is is designed to enhance the security of sensitive payment card data, such as credit card or debit card information, by replacing the actual card details with a unique token.
This token acts as a surrogate for the card data and is used in various stages of a transaction process, such as authorization, settlement, and storage.
How to test​
The integrator needs to apply for a test account: https://app.cardtokens.io/signup
When the test account is in place, the integrator must set up API keys and an endpoint to receive push notifications upon token updates.
Before you can perform a test, a test-API-key must be created. When creating tokens using this test-API-key, the following test PANs can be used only:
VISA​
4111 1111 4555 11424293 1891 0000 00084166 6766 6766 67464646 4646 4646 46444000 0600 0000 0006
Mastercard​
5555 3412 4444 11155577 0000 5577 00045555 5555 5555 44442222 4000 5000 00092222 4000 3000 0004
When requesting using the test PANs, the expiry date must be valid (unexpired).
Functions available​
For Cardtokens to provide the SaaS solution to the integrator, the following functions must / can be implemented:
Onboarding: Function to create a merchant on the VTS/MDES platform
Create token: Creates a network token on behalf of CHD and returns the token to the requester (acquirer, PSP, merchant).
Create cryptogram / get payment data: Must be initiated when authorization is to be made by PSP.
Get token status: This method is used to request the status of an existing token.
Delete token: When a token is no longer needed, it must be deleted by this function.
Get card art: It is used to request the graphical details of a payment card associated with a token. The card art is then notified to the requester using configured card art notification URL.
Token notification: When the issuer updates a token, an HTTP GET notification is transmitted from Cardtokens to 3rd parties.
Merchant onboarded notification: An HTTP GET notification is transmitted from Cardtokens to 3rd parties when a merchant is fully enrolled within the scheme environments.
Terms and Definitions​
| Term | Definition |
|---|---|
| VTS | VISA Token Service |
| MDES | Mastercard Digital Enablement Service |
| M4M | MDES for Merchants |
| PSP | Payment Service Provider – Providers who offer an online terminal opened from the merchant website to process payments online within the PCI-DSS scope. |
| Integrator | A 3rd party PSP, acquirer, merchant, which is PCI DSS compliance. |
| Card scheme | Payment networks linked to payment cards, such as debit or credit cards. Visa and Mastercard are some of the major card schemes. |
| Token | Also refers to network tokens issued by the card schemes. |
| Token event | Is an event on behalf of a token transmitted from a cardholder/merchant toward the card scheme. |
| Token notification | Is a notification from the card scheme transmitted to the cardholder/merchant. |
| PSP | Payment Service Provider. A service provider that services merchants by hosted payment solutions. |
| COF | Card On File. Meaning authorizations sourced from PANs are stored locally. These types of authorizations are normally recurring. |
| SaaS | Software as a Service. Typically named for hosted services, which are easy to integrate into existing solutions. |
| PAN | Primary Account Number. E.g., card number. |
| Cardtokens | Referred to Cardtokens Aps and www.cardtokens.io |
| CHD | Cardholder data. Information such as card number, expiry date, security code, cardholder name, etc. |
| CIT | Cardholder-initiated transactions (CIT) are payments initiated and authorized by a cardholder by entering card details or using stored credentials and payment details - transactions where a cardholder takes an active part. |
| MIT | Merchant-initiated transactions (MIT) are payments undertaken by businesses with a mandate from a cardholder. That is regular recurring payments (COF), where the cardholder has stored the card details on a website (at a payment service provider). The merchant then performs the authorization using their connected payment service provider. |
| Merchant ID | Merchant Identification Number is a unique identification number attached to a business. Every merchant will receive a unique merchant ID when they are onboarded. |
| Cryptogram | A cryptogram is network data generated before actual CIT authorization request for a token transaction is made. The cryptogram itself is encrypted and can only be read by the token service and the issuer responsible. All other actors, on the other hand, are not able to subsequently change the cryptogram. The cryptogram is transmitted in the CIT authorization. |
