Integration Types
Other Features
Card Payments
Mobile Wallets
Alternative Payment Methods
Resources
A network token, also known as a card scheme token, is a token generated by the network tokenization service providers, such as Mastercard Digital Enablement Service (MDES), in exchange for the payer's Primary Account Number (PAN).
You or your payment service provider can request the network tokenization service provider to tokenize the existing account PANs on file and replace each PAN with a unique network token.
This is subject to issuer participation in the network tokenization service and the enabled card account ranges. You can use these tokens for e-commerce and in-app transactions like account PANs.
These tokens are supported for the following purpose.
Integration Methods | Payment methods | Operations |
---|---|---|
In the Hosted Checkout, neither the payer nor the merchant can submit a network token directly. However, the merchant can gateway-tokenize a card obtained through the Hosted Checkout, which can lead to a network token that the gateway generates.
|
|
In network token payments:
|
Network tokenization provides the following benefits.
The Mastercard Gateway currently supports processing network tokens obtained from the following network tokenization service providers:
To view examples of the API requests and responses used in network tokenization, download the Postman collection.
You can use network tokens through the Mastercard Gateway in following ways:
When you integrate directly with the network token service provider, you must obtain the token details from the provider and provide these details to the gateway in any of the following requests to process payments:
In addition to the standard fields, provide the following fields in the request to process payments using network tokens issued by the network tokenization Service Providers.
Field name | Valid values | Description |
---|---|---|
sourceOfFunds.type | SCHEME_TOKEN
The Scheme Token, such as, MDES, VTS, and AETS are supported from API v51, v53, and v57 onwards. |
Payment method used for this payment. Enables the gateway to identify the source of funds provided in the request as a network token. |
sourceOfFunds.provided.card.number | Supply any of the following values:
|
Network token
If you are providing a network token where the credentials, that is the network token or the corresponding FPAN, are stored during a previous payment, set the sourceOfFunds.provided.card.storedOnFile = STORED in the request. Otherwise, set the value to TO_BE_STORED. For more information, see Credential on File Transactions.
|
sourceOfFunds.provided.card.expiry | - | Network token expiry |
sourceOfFunds.provided.card.devicePayment.onlinePaymentCryptogram | Supply the MDES UCAF cryptogram (de48se43Data) or the VTS TAVV cryptogram. | Cryptogram used to authenticate the transaction. Use the value directly from the decrypted transaction credentials. |
sourceOfFunds.provided.card.devicePayment.eciIndicator | - | Electronic Commerce Indicator (ECI) as issued by the tokenization service. This field is mandatory for network tokens obtained from VTS. |
sourceOfFunds.provided.card.securityCode | Provide any one from the following values:
|
Token verification code if issued by the tokenization service. |
transaction.source | For a cardholder-initiated transaction, set this field to any of the following values:
|
When a network token is provided, for example, the AUTHORIZE/PAY request, the RETRIEVE TRANSACTION response returns the following fields:
Field Name | Description |
---|---|
sourceOfFunds.type = SCHEME_TOKEN | Network token used in the transaction. |
If the acquirer returns an FPAN, the RETRIEVE TRANSACTION response returns the following fields:
Field Name | Description |
---|---|
sourceOfFunds.provided.card.number | Masked FPAN or Funding PAN. |
sourceOfFunds.provided.card.expiry | FPAN expiry. |
sourceOfFunds.provided.card.deviceSpecificNumber | Network token from MDES (Token PAN), VTS (Token), or AETS (Token). |
sourceOfFunds.provided.card.deviceSpecificExpiry | Network token expiry. |
If the acquirer does not return an FPAN, the RETRIEVE TRANSACTION response returns the following fields:
Field Name | Description |
---|---|
sourceOfFunds.provided.card.number | Fully masked value. |
sourceOfFunds.provided.card.deviceSpecificNumber | Network token from MDES (Token PAN), VTS (Token), or AETS (Token). |
sourceOfFunds.provided.card.deviceSpecificExpiry | Network token expiry. |
The gateway provides support to act as a token requestor on your behalf. If your merchant profile is enabled for gateway tokenization, your payment service provider can also enable and configure network tokenization on your merchant profile
When enabled, any request to the gateway for a gateway token also attempts to generate a corresponding network token for enabled schemes, if supported by the card issuer.
The token creation request for a gateway token returns a gateway token, and in the background, the token service provider generates a network token, asynchronously, for the FPAN that you submit while creating a gateway token.
The gateway internally stores the FPAN and network token, both of which are associated with the gateway token that the gateway returns to the merchant.
In this model, the merchant always supplies a gateway token, and based on the situation, the gateway either uses the network token, or, if not available, the Funding PAN (FPAN) stored against that gateway token.
The gateway attempts network tokenization for any applicable cards already stored in the gateway token repository. This refers to a situation where,
The gateway then automatically generates network tokens for all your existing gateway tokens.
When you delete a gateway token, the corresponding network token is automatically deleted in the gateway and with the network token service provider.
The token provided in the request is marked as unusable. The card details stored against the token must be updated before they can be used, because the gateway has been informed that the card details are no longer valid.
To keep your records up to date, you can retrieve the masked FPAN details of the updated FPAN from an earlier transaction response where the network token is used in the payment.
When a network token is used in, for example, the AUTHORIZE or PAY request, the RETRIEVE TRANSACTION response returns the following fields:
Field | Description |
---|---|
sourceOfFunds.provided.card.number | Masked FPAN, where returned by the acquirer. |
sourceOfFunds.provided.card.expiry | FPAN expiry |
sourceOfFunds.provided.card.deviceSpecificNumber | Network token from MDES (Token PAN) or VTS (Token) |
sourceOfFunds.provided.card.deviceSpecificExpiry | Network token expiry |
sourceOfFunds.type = SCHEME_TOKEN | If a network token is used in the transaction. |
sourceOfFunds.provided.card.paymentAccountReference | Unique identifier that links an FPAN for a card with all network tokens issued for the card. |
Network tokenization is not applicable for device payments using DPAN or FPAN.
For general details on testing your integration, see the testing instructions within each applicable integration method. To test network tokenization specifically, use your test merchant profile and a test network token.
Token Provider | Token | Token Expiry | Cryptogram | ECI Indicator |
---|---|---|---|---|
MDES | 5204 **** 5000 1497 | 11/22 | <any> | - |
VTS | 4111 **** 1111 **11 | 06/29 | <any> | 05 |
AETS | 3456 **** **** 564 | 05/21 | <any> | - |
interaction.operation=AUTHORIZE
is supported for this functionality. Additional support for interaction.operation=PURCHASE
is coming soon.Are network tokens supported in 3D Secure authentication requests?
The gateway can process network tokens in the INITIATE AUTHENTICATION request. For more information, see Initiate Authentication.
If you have authenticated the payer externally using a network token, you can pass information about the authentication in the authentication object of, for example, the PAY or AUTHORIZE operation. For more information, see How do I submit a pre-authenticated payment request?
Can I use network tokens in merchant-initiated transactions?
The gateway allows you to use network tokens stored on file to perform cardholder-initiated and merchant-initiated transactions.
Can I view network token details for a transaction in the Merchant Administration?
For an order or transaction where a network token is used, the External Token Provider field is displayed in the Order and Transaction details page in the Merchant Administration (MA) portal. This field displays either Mastercard (MDES) or Visa (VTS). The system does not support gateway tokenization of AETS tokens.