Digital Payments – Network Tokenization

What Is Network Tokenization?

The thought behind network tokenization is to shift the processing of stored cards from card numbers (PAN) to tokens. Card details are replaced by the token and a cryptogram.

The tokens are generated by the card networks (Visa and MasterCard) when the end-user signs up for a service using a stored card. Tokens are global within the network, where Merchants, PSPs and issuers can connect to them. The merchant and PSP are provided with the token attached to a card, while the issuer is able to update the card information attached to the token. The result is a token which lives after a card expires, since the card information connected to it is updated seamlessly by the issuer.

This will improve the user experience for the end-user, as they no longer have to take action when their card reaches the expiry date. As the card connected to the token will be valid at all times, this will reduce churn and improve approval rates for merchants and PSPs as well, especially for subscription and one-click services.

How It Works

This functionality is available through both our payment order implementations and card implementation for recurring transactions, one-click and unscheduled purchases. We strongly recommend paymentOrder to ensure that you get access to capabilities coming in later deliveries, such as card art, shared tokens and notifications. It is only available with Swedbank Pay as acquirer for the time being.

When you choose to add this functionality, we activate Network Tokenization for your merchant account and initiate onboarding towards VISA and Mastercard. Once we get onboarding confirmation from Visa and Mastercard, Network Tokenization will be enabled and used for future card storage and stored card processing. Cards that have previously been stored with card details only, will be network tokenized next time they are charged.

Once the setup is completed, the transactions themselves run as normal unscheduled, one-click or recurring purchases. The difference is that Network Tokenization replaces the card number behind the token.

Do you want to try it out? Test cards and a guide can is in the test data section.

Recommendations To You As A Merchant

If you are displaying the “last four” digits of the card number for your customers stored cards, we highly recommend refreshing these numbers when a card has been updated/replaced by the issuer. This would help the customer to understand that the new and valid card is stored. It is also recommended that you add some information that the card has been updated automatically by the issuer. Retrieving the updated card information is done using payerOwnedTokens, and should be done when the end-user logs in, goes to “My cards” or at a similar point that makes sense in your portal.

The GET request to retrieve these should look similar to this.

GET Tokens Request

1
2
3
4

GET /psp/paymentorders/payerownedtokens/<payerReference> HTTP/1.1
Host: api.externalintegration.payex.com
Authorization: Bearer <AccessToken>
Content-Type: application/json;version=3.1/3.0/2.0      // Version optional for 3.0 and 2.0 

GET Tokens Response

1
2
3

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8; version=3.1/3.0/2.0
api-supported-versions: 3.1/3.0/2.0

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

{
  "payerOwnedTokens": {
        "id": "/psp/paymentorders/payerownedtokens/{payerReference}",
        "payerReference": "{payerReference}",
        "tokens": [
            {
                "token": "{token}",
                "tokenType": "Unscheduled",
                "instrument": "CreditCard",
                "instrumentDisplayName": "492500******0004",
                "correlationId": "e2f06785-805d-4605-bf40-426a725d313d",
                "instrumentParameters": {
                    "expiryDate": "12/2025",
                    "cardBrand": "Visa",
                    "lastFourPan": "0004",
                    "lastFourDPan": "8188",
                    "issuerName": "BankName"
                },
                "operations": [
                    {
                        "method": "PATCH",
                        "href": "https://api.internaltest.payex.com/psp/paymentorders/unscheduledtokens/e2f06785-805d-4605-bf40-426a725d313d",
                        "rel": "delete-unscheduledtokens",
                        "contentType": "application/json"
                    }
                ]
            }
        ]
    },
    "operations": [
        {
            "method": "PATCH",
            "href": "https://api.internaltest.payex.com/psp/paymentorders/payerOwnedPaymentTokens/{payerReference}",
            "rel": "delete-payerownedtokens",
            "contentType": "application/json"
        }
    ]
}

Field	Type	Description
`instrumentParameters`	`integer`	A list of additional information connected to the token. Depending on the instrument, it can e.g. be `expiryDate`, `cardBrand`, `email`, `msisdn` or `zipCode`.
`expiryDate`	`string`	The expiry date of the card currently connected to the network token.
`cardBrand`	`string`	The brand of the card currently connected to the network token.
`lastFourPan`	`string`	The last four digits of the PAN connected to the network token.
`lastFourDpan`	`string`	The last four digits of the DPAN (Network Token).
`issuerName`	`string`	The name of the issuer.

We advise you to implement automatic deletion of tokens when end-users choose to end the service with the you. This is to avoid unnecessary cost on your end, as you are invoiced monthly for each active token.
Please note the new field maskedDpan is present when using Network Tokenization. DPAN is the Network token representing the card and thus, maskedDpan is a masked version of the network token. It will only appear if the card is tokenized by Visa or Mastercard. The end-user will not normally know what maskedDpan is or that it’s being used, but you as a merchant need to keep track of it. See the Paid resource for cards.