Tokenization

Tokenization - Technical Overview

Merchants wishing to accept multiple payments from a customer’s bank card, without the PCI DSS burden of requesting and retaining the card number for every transaction, have the option of submitting encrypted data (a ‘token’ or a ‘reference’) associated with the customer’s card number or previously authorised transaction via the MasterCard Payment Gateway Services Payment and Card Tokenization solutions.

The Tokenization solution enables merchants to convert bank card numbers into tokens either during a bank card authorisation (as a by-product), or to migrate card data to MasterCard Payment Gateway Services in return for a unique 40-character alphanumeric token (card tokenization) or a 16-digit numeric MasterCard Payment Gateway Services reference number (payment tokenization).

The token or reference number can then be submitted for all subsequent payment requests, thus removing the burden of storing sensitive card data internally and reducing PCI DSS compliance requirements.

Both tokenization solutions integrate easily with any existing Merchant website, call centre or mobile app, and can be used in conjunction with MasterCard Payment Gateway Services Fraud Prevention tools, 3-D Secure and MasterCard Payment Gateway Services Hosted Pages Solutions. Both methods can be added as an extension to an existing MasterCard Payment Gateway Services integration, without disrupting the merchant’s payments workflow.

MasterCard Payment Gateway Services offers two options within the Tokenization Solution. The key product feature differences between them are highlighted below:

 

Payment Tokenization: payments tokenized as a by-product of processing successful transactions.

Card Tokenization: cards tokenized as a by-product of processing successful transactions, or via a standalone tokenization process without authorisation.

1. Functionality (Payment Tokenization)

On a successful authorisation a unique transaction reference is allocated to each transaction and returned to the merchant.

The reference can be used in place of the card number with the merchant only needing to capture the card security code (CVV) and expiry date to authorise subsequent transactions. 3-D Secure is compatible with payments initiated using reference numbers.

References for subsequent payments are only obtained as a by-product of processing successful transactions.

The reference is unique to the transaction, not the card number.

1. Functionality (Card Tokenization)

If configured for the tokenization service, a merchant will receive a token in the response to an authorisation request. Only invalid transactions will not receive a token, in which case an error message is sent to the Merchant.

The token can be used in place of the card number with the merchant only required to capture the card security code (CVV) and expiry date to authorise subsequent transactions. 3-D Secure is compatible with payments initiated using tokens.

Tokens for subsequent payments are obtained as a by-product of transaction processing or via a standalone tokenization process during which a token is generated but no authorisation occurs, enabling Merchants to batch send card numbers for token generation.

The token is unique to the card number, not the transaction.

2. Pre-set Expiry Date (Payment Tokenization)

Each reference has a pre-set expiry date of 13 months. Merchants receive a new reference in response to each transaction and should always store the last reference for processing the next payment.

2. Pre-set Expiry Date (Card Tokenization)

Each token has a pre-set expiry date of 48 months, which is reset during each token use.

3. MasterCard Payment Gateway Services Reporting (Payment Tokenization)

MasterCard Payment Gateway Services reference numbers are accessible in the MasterCard Payment Gateway Services reporting system.

3. MasterCard Payment Gateway Services Reporting (Card Tokenization)

Tokens are visible in the MasterCard Payment Gateway Services reporting system in addition to the masked card number.

 

Payments Flow


Depending on the action the Merchant wishes to take, the payment flow for the two solutions will differ. Possible examples are explained below:

 

1. Obtaining and storing a reference during the payment process

i) Merchant submits a standard authorisation request to the MasterCard Payment Gateway.

ii) MasterCard Payment Gateway Services processes the transaction request and communicates with the Merchant’s acquiring bank for authorisation.

iii) If successful, an auth code and a 16-digit reference are returned in the authorisation response to the Merchant.

iv) The reference may be used within a 13 month period to process a subsequent transaction.

1. Obtaining and storing a token during the payment process

i) Merchant submits a standard authorisation request to the MasterCard Payment Gateway.

ii) MasterCard Payment Gateway Services processes the transaction request and communicates with the Merchant’s acquiring bank for authorisation.

iii) As long as the authorisation request is valid, a 40-character alphanumeric token will be returned in the authorisation response.

iv) The token must be used within a 48 month period; otherwise the token will expire and the merchant must capture new card details from the cardholder in order to process a payment.  



2. Transaction using a MasterCard Payment Gateway Services Reference

i) Although the transaction process is the same as above, instead of sending the customer’s card details to the MasterCard Payment Gateway, the Merchant submits a simple XML request containing the MasterCard Payment Gateway Services reference number associated with the previous transaction, along with the other card information (security code, amount, reference etc).

ii) The MasterCard Payment Gateway locates the Card Number from the previous transaction and submits an authorisation request to the Merchant’s acquiring bank.

iii) On receipt of a successful transaction, the authorisation code, along with a new MasterCard Payment Gateway Services reference number, is then passed on to the Merchant to store and use within a 13 month period.

2. Transaction using a token

i) Using a previously generated token, the merchant submits an authorisation request to the MasterCard Payment Gateway including the token and card expiry date. MasterCard Payment Gateway Services will validate that the token has been generated from a previous transaction or tokenized request.

ii) Once the token is confirmed, the MasterCard Payment Gateway locates the Card Number associated with the token and submits an authorisation request to the Merchant’s acquiring bank.
 
iii) The transaction is then processed as usual and the funds are settled in the acquiring bank. 
 

3. Requesting a reference without authorising a payment

References used for the purposes of an authorisation request can only be obtained as a by-product of the transaction authorisation process.

 

3. Requesting a token without authorising a payment

i) If a Merchant wishes to tokenize a card number without debiting the card, the Merchant need only submit a tokenization request containing the card number.

ii) Once the tokenization request is received and has been validated by the MasterCard Payment Gateway, the token is then generated, stored, and returned to the merchant to store for use within a 48 month period.

Suitable for merchants wishing to clear internal systems of sensitive card numbers where these were traditionally stored.
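The lifecycle rules above (a 16-digit reference valid for 13 months and replaced after every payment, a 40-character token valid for 48 months and reset on each use) can be tracked on the merchant side as in the following added example, which is not MasterCard Payment Gateway Services code. The names `StoredCredential`, `classify` and `add_months`, the calendar-month arithmetic and the inclusive expiry day are assumptions.

```python
import calendar
import re
from dataclasses import dataclass
from datetime import date

# Formats and lifetimes as stated on the page.
TOKEN_RE = re.compile(r"[A-Za-z0-9]{40}")   # card token: 40 alphanumeric characters
REFERENCE_RE = re.compile(r"[0-9]{16}")     # payment reference: 16 numeric digits
LIFETIME_MONTHS = {"token": 48, "reference": 13}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the end of a shorter month (assumption)."""
    y, m = divmod(d.year * 12 + d.month - 1 + months, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))


def classify(value: str) -> str:
    """Return 'token' or 'reference' from the shape of a stored value."""
    # A 16-digit reference has the same shape as many card numbers, so this
    # check cannot prove that a stored 16-digit value is not a card number.
    if TOKEN_RE.fullmatch(value):
        return "token"
    if REFERENCE_RE.fullmatch(value):
        return "reference"
    raise ValueError("not a 40-character token or a 16-digit reference")


@dataclass
class StoredCredential:
    value: str
    kind: str      # result of classify(value)
    anchor: date   # date issued (reference) or date of last use (token)

    def expires(self) -> date:
        return add_months(self.anchor, LIFETIME_MONTHS[self.kind])

    def usable(self, today: date) -> bool:
        # Treating the expiry day itself as still valid is an assumption.
        return today <= self.expires()

    def after_payment(self, on: date, new_reference: str = "") -> "StoredCredential":
        """Record to keep after a successful payment made with this credential."""
        if not self.usable(on):
            raise ValueError("stored credential has expired")
        if self.kind == "token":      # same token, 48-month window restarts
            return StoredCredential(self.value, "token", on)
        if classify(new_reference) != "reference":
            raise ValueError("a reference payment must yield a new reference")
        return StoredCredential(new_reference, "reference", on)  # keep only the latest
```
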