Skip to main content

Overview: Network Tokenization

Supported Card schemes

Supported Card Schemes

  • VISA (VISA Token Service)
  • Mastercard (Mastercard Digital Enablement Service / Mastercard Digital Enablement Service for Merchants).
  • (American Express) Coming early 2024

Network tokenization is is designed to enhance the security of sensitive payment card data, such as credit card or debit card information, by replacing the actual card details with a unique token.

This token acts as a surrogate for the card data and is used in various stages of a transaction process, such as authorization, settlement, and storage.

How to test

The integrator needs to apply for a test account:

When the test account is in place, the integrator must set up API keys and an endpoint to receive push notifications upon token updates.

Before you can perform a test, a test-API-key must be created. When creating tokens using this test-API-key, the following test PANs can be used only:


  • 4111 1111 4555 1142
  • 4293 1891 0000 0008
  • 4166 6766 6766 6746
  • 4646 4646 4646 4644
  • 4000 0600 0000 0006


  • 5555 3412 4444 1115
  • 5577 0000 5577 0004
  • 5555 5555 5555 4444
  • 2222 4000 5000 0009
  • 2222 4000 3000 0004

When requesting using the test PANs, the expiry date must be valid (unexpired).

Functions available

For Cardtokens to provide the SaaS solution to the integrator, the following functions must / can be implemented:

Onboarding: Function to create a merchant on the VTS/MDES platform

Create token: Creates a network token on behalf of CHD and returns the token to the requester (acquirer, PSP, merchant).

Create cryptogram / get payment data: Must be initiated when authorization is to be made by PSP.

Get token status: This method is used to request the status of an existing token.

Delete token: When a token is no longer needed, it must be deleted by this function.

Get card art: It is used to request the graphical details of a payment card associated with a token. The card art is then notified to the requester using configured card art notification URL.

Token notification: When the issuer updates a token, an HTTP GET notification is transmitted from Cardtokens to 3rd parties.

Merchant onboarded notification: An HTTP GET notification is transmitted from Cardtokens to 3rd parties when a merchant is fully enrolled within the scheme environments.

Terms and Definitions

VTSVISA Token Service
MDESMastercard Digital Enablement Service
M4MMDES for Merchants
PSPPayment Service Provider – Providers who offer an online terminal opened from the merchant website to process payments online within the PCI-DSS scope.
IntegratorA 3rd party PSP, acquirer, merchant, which is PCI DSS compliance.
Card schemePayment networks linked to payment cards, such as debit or credit cards. Visa and Mastercard are some of the major card schemes.
TokenAlso refers to network tokens issued by the card schemes.
Token eventIs an event on behalf of a token transmitted from a cardholder/merchant toward the card scheme.
Token notificationIs a notification from the card scheme transmitted to the cardholder/merchant.
PSPPayment Service Provider. A service provider that services merchants by hosted payment solutions.
COFCard On File. Meaning authorizations sourced from PANs are stored locally. These types of authorizations are normally recurring.
SaaSSoftware as a Service. Typically named for hosted services, which are easy to integrate into existing solutions.
PANPrimary Account Number. E.g., card number.
CardtokensReferred to Cardtokens Aps and
CHDCardholder data. Information such as card number, expiry date, security code, cardholder name, etc.
CITCardholder-initiated transactions (CIT) are payments initiated and authorized by a cardholder by entering card details or using stored credentials and payment details - transactions where a cardholder takes an active part.
MITMerchant-initiated transactions (MIT) are payments undertaken by businesses with a mandate from a cardholder. That is regular recurring payments (COF), where the cardholder has stored the card details on a website (at a payment service provider). The merchant then performs the authorization using their connected payment service provider.
Merchant IDMerchant Identification Number is a unique identification number attached to a business. Every merchant will receive a unique merchant ID when they are onboarded.
CryptogramA cryptogram is network data generated before actual CIT authorization request for a token transaction is made. The cryptogram itself is encrypted and can only be read by the token service and the issuer responsible. All other actors, on the other hand, are not able to subsequently change the cryptogram. The cryptogram is transmitted in the CIT authorization.