Network Tokenization

A network token (also known as card scheme token) is a token generated by network tokenization service providers such as Mastercard Digital Enablement Service (MDES), in exchange for the payer's Primary Account Number (PAN). You or your payment service provider (on your behalf) can request existing account PANs on file to be tokenized and each PAN to be replaced with a unique network token (subject to issuer participation in the network tokenization service and the enabled card account ranges). These tokens can be used for e-commerce and in-app transactions similar to account PANs.

The Mastercard Payment Gateway currently supports processing network tokens obtained from the following network tokenization service providers:

  • Mastercard Digital Enablement Service (MDES)
  • Visa Token Service (VTS)

Key Benefits

  • Provides better security for payment information using dynamic cryptograms
  • Allows you to keep card information up to date
  • Can potentially deliver higher approval rates
  • Provides enhanced user experience

Obtaining Network Tokens

The Mastercard Payment Gateway currently supports network tokens obtained by directly integrating to the network tokenization service provider or via the gateway tokenization feature.

Via the Network Tokenization Service

You can obtain a network token by integrating directly to the network tokenization service provider and use the token details to process a payment via the Mastercard Payment Gateway.

Using a Network Token in a Transaction Request

In addition to the standard fields, provide the following fields in an Authorization/Pay request to process payments using network tokens issued by the network tokenization service providers.

  • sourceOfFunds.type=SCHEME_TOKEN: Enables the gateway to identify the source of fund provided in the request as a network token. MDES and VTS are supported from API v51 and API v53 respectively.
  • sourceOfFunds.provided.card.number: The network token. Supply the value for the MDES "Token PAN" or the VTS "Token".
    If you are storing the network token on file before providing it in the Authorization/Pay request, set sourceOfFunds.provided.card.storedOnFile=STORED in the request. For more information, see cardholder and merchant-initiated transactions.
  • sourceOfFunds.provided.card.expiry: The network token expiry.
  • sourceOfFunds.provided.card.devicePayment.3DSecure.onlinePaymentCryptogram: Use the value directly from the decrypted transaction credentials. Supply the MDES UCAF cryptogram (de48se43Data) or the VTS TAVV cryptogram.
  • sourceOfFunds.provided.card.devicePayment.3DSecure.eciIndicator: The Electronic Commerce Indicator as issued by the tokenization service. This field is mandatory for network tokens obtained from VTS.
  • sourceOfFunds.provided.card.securityCode: The token verification code if issued by the tokenization service. Supply the MDES Dynamic Token Verification Code (DTVC) or the VTS Dynamic Token Verification Value (DTVV).
  • transaction.source: Set this to "INTERNET" or "MERCHANT" depending on whether it's a cardholder-initiated or a merchant-initiated transaction.

Via Gateway Tokenization

If you are a merchant enabled for gateway tokenization, then your payment service provider can also enable network tokenization on your merchant profile. When enabled, any request to the gateway for a gateway token will also generate a corresponding network token. The Authorization/Pay request will use the network token if available else the Funding PAN (FPAN) stored against the gateway token will be used.

Network tokenization will also be attempted for any applicable cards already stored in the gateway token repository.

When you delete a gateway token, the corresponding network token is automatically deleted on the tokenization service.

Transaction Response

When a network token is provided in the Authorization/Pay request, the Retrieve Transaction response will return the following:

  • sourceOfFunds.provided.card.deviceSpecificNumber: The network token from MDES or VTS. MDES and VTS call it "Token PAN" and "Token" respectively.
  • sourceOfFunds.provided.card.number: The masked FPAN (Funding PAN), where returned by the acquirer.
  • sourceOfFunds.type=SCHEME_TOKEN if a network token was used in the Authorization/Pay transaction.

3DS Authentication

The gateway can process network tokens in the Check 3DS Enrollment request. For more information, see Check 3DS Enrollment.

If you have authenticated the payer externally using a network token, you can pass information about the authentication in the authentication parameter group of the Pay or Authorize operation. For more information, see Submit a Pre-Authenticated Payment Operation.

Cardholder-initiated and Merchant-initiated Transactions

The gateway allows you to use network tokens stored on file to perform cardholder-initiated and merchant-initiated transactions.

Testing Network Token Integration

You can test your integration with the gateway in production using your test merchant profile and a supported network token (see table below).

Token Provider Token
Token Expiry
Cryptogram ECI Indicator
MDES 5204 2477 5000 1497 11/2022 <any> -
VTS 4111 1111 1111 1111 06/2029 <any> 05

If the transactions are either APPROVED or DECLINED then the gateway was able to process your test transactions successfully.

Copyright © 2020 Mastercard