Tokenization

The Dock platform provides a tokenization service: technology designed to replace sensitive credit and debit card data, so that the original information for the card owner’s account does not need to be disclosed.

Tokenization comes into play when the cardholder shares data, ensuring that the card credentials travel securely. In case of a fraud attempt, the tokenized data is completely useless to the cybercriminal.


Benefits of tokenization

The benefits of using tokenization include security, transparency, interoperability, lifecycle management and early adaptation to a potential decline in the use of cash, all while ensuring compliance with the rules set out in the General Personal Data Protection Law (LGPD).

As more and more consumers adopt subscription services, digital wallets and connected devices due to digitization, these technologies benefit from tokenization. When the cardholder stores their card’s credentials in these apps and devices, they’re turned into tokens, thus adding a new security layer to transactions.

In order to increase service efficiency, card brands use tokens to update credentials for cards replaced due to expiration, a lost or stolen device or a fraud attempt. The stored data is automatically renewed by the card brand, so the cardholder doesn’t need to contact each service they use, thus avoiding their subscription being interrupted.


Digital wallets

Digital wallets work in the virtual world just as traditional wallets do in the physical world. However, instead of keeping bills, coins and credit cards, they store the user’s identification and financial details so that the user can carry out a variety of operations in a secure, convenient and quick manner.

The goal of digital wallets is to improve the experience in transactions made in the virtual world as well as the physical world by eliminating the need for physical cards and cash at hand. Therefore, you can make a payment on site by bringing the cardholder’s electronic device into contact with the merchant’s electronic equipment.

Both devices need to feature Near Field Communication (NFC), wireless communication requiring both devices to be close together, unlike Bluetooth or Wi-Fi. By bringing the devices close together, characteristics such as product name and purchase amount will be shown on the smartphone screen, and the user will have the option of confirming the purchase and having the amount debited by using the registered payment method.

In order to use a digital wallet, you need to create an account with a provider company, such as Google Pay, Samsung Pay or Apple Pay, as well as register the cardholder’s information, such as name, address and card details.


Tokenization for a card

In order to tokenize a card, the issuer needs to have contracts with digital wallets and the card brand. In turn, the cardholder needs to have a device compatible with at least one digital wallet. After meeting these requirements, the steps are:

FIG: Steps and parties in the tokenization process for a card.

1 - The cardholder digitizes a card into a digital wallet;
2 - The issuer authenticates the operation so that the cardholder is able to start using the wallet;
3 - The card brand creates a token, exclusively for a card and device;
4 - The card brand activates the token and informs the issuer of the token activated to make transactions.


How payment works by using a token

When a cardholder uses their mobile device in a transaction, the token is sent to the merchant and, during the authorization and approval, the card brand validates it by using cryptography, identifies the actual card number that is related to the token and sends it to the issuer, which in turn authorizes the transaction.
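
The flow above, as an added example that is not Dock's or any card brand's code: a simplified model of the card brand side that validates a per-transaction cryptogram, maps the token back to the card number and rejects a copied or replayed token. The `TokenVault` class, the HMAC construction and the transaction counter are assumptions chosen for illustration; real card brand cryptograms are computed differently.

```python
import hashlib
import hmac
import secrets


def make_cryptogram(key, token, counter, amount_cents):
    """Device side: MAC over the transaction data with the per-token key."""
    msg = f"{token}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenVault:
    """Simplified stand-in for the card brand's token service (hypothetical)."""

    def __init__(self):
        self._records = {}  # token -> pan, device_id, key, last_counter

    def provision(self, pan, device_id):
        # The token is created exclusively for one card and one device.
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)  # held only by the vault and that device
        self._records[token] = {"pan": pan, "device_id": device_id,
                                "key": key, "last_counter": 0}
        return token, key

    def authorize(self, token, counter, amount_cents, cryptogram):
        """Return the real PAN for the issuer, or None if validation fails."""
        rec = self._records.get(token)
        if rec is None:
            return None  # unknown token
        expected = make_cryptogram(rec["key"], token, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # token number alone, without the device key, is useless
        if counter <= rec["last_counter"]:
            return None  # captured transaction replayed
        rec["last_counter"] = counter
        return rec["pan"]


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4000000000000002"  # constructed sample number, not a real card
    token, key = vault.provision(pan, "phone-1")
    tag = make_cryptogram(key, token, 1, 2500)
    print(vault.authorize(token, 1, 2500, tag) == pan)  # first use is accepted
    print(vault.authorize(token, 1, 2500, tag))         # replay is rejected
```

The merchant only ever sees the token and the cryptogram; the card number appears solely in the value returned to the issuer.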


Maintaining tokens

There are several possible actions for an issuer to take with a token during its lifecycle. The tokenization service contains all the APIs that are enabled by card brands for the token lifecycle.

For instance:

  • When a cardholder calls their issuer due to a failure in digitizing the card, the search API allows the issuer to identify the relevant token and check its status so that the cardholder is notified and corrective actions are taken;

  • When a cardholder notifies their issuer that the phone using the tokenized account has been lost or stolen, the API for suspending tokens allows the tokens provisioned on this device to be suspended, thus preventing transactions.

The API invoking flow is depicted below, where the tokenization service serves as an intermediate party between the issuer and the card brand.

FIG: API invoking flow for tokenization

1 - The issuer requests an action to be taken with the token;
2 - Through the tokenization service, Dock serves as an intermediate party between the issuer and the card brand;
3 - The card brand processes the request;
4 - The card brand informs Dock of the result;
5 - Dock informs the issuer of the result.

The available actions for the issuer to manage a token lifecycle and their corresponding endpoints are listed below:

• In order to enable a token that is waiting for activation, use the endpoint: Token Activate;
• In order to delete a token, use the endpoint: Token Delete;
• In order to retrieve token details for a particular token, use the endpoint: Token Details;
• In order to retrieve a list of all tokens for a PAN (Primary Account Number, also known as the payment card number or simply the card number, which identifies a card), use the endpoint: Listing tokens for a PAN;
• In order to retrieve a list of all tokens for a panReferenceID, use the endpoint: Token List;
• In order to suspend an active token, use the endpoint: Token Suspend;
• In order to unsuspend or resume a suspended token and return it to the active state, use the endpoint: Token Unsuspend;
• In order to find a list of PANs, use the endpoint: Get the list of PANs;
• In order to update a PAN and its expiration date, use the endpoint: Update PAN;
• In order to find tokenization information for a card, use the endpoint: Get information for a card;
• In order to find tokenization information for a PAN, use the endpoint: Get Information for a PAN.

Only for Visa:

• In order to generate push provisioning payload by cardID for HCE wallets (Android), use the endpoint: Generate Push Provisioning Payload by CardID for HCE Wallets;
• In order to generate push provisioning payload for HCE wallets (Android), use the endpoint: Generate Push Provisioning Payload for HCE Wallets;
• In order to generate activation data payload for SE wallets (Apple), use the endpoint: Generate Activation Data for SE Wallets;
• In order to generate provisioning authentication data by id payload for SE wallets (Apple), use the endpoint: Generate Provisioning Authentication Data By Id for SE Wallets;
• In order to generate provisioning authentication data payload for SE wallets (Apple), use the endpoint: Generate Provisioning Authentication Data for SE Wallets.

HCE - The Host Card Emulator (HCE) enables a device featuring NFC to be used as a credit card or a card designed for other purposes in a way that the reader device can’t distinguish one from the other. It features more advanced resources so that smartphones and other mobile devices are able to emulate several types of cards, such as the ones used in public transportation or (credit and debit) payment solutions. It is used in Android devices.

SE - Secure Element (SE) is a microprocessor chip that is able to store sensitive details and run secured applications, such as payment. It works as a vault, thus protecting the SE content (apps and data) from malware attacks that are common for the host (the device’s operating system). It is used in Apple devices.

Only for Mastercard:

• In order to send a new Activation Code for a specific token, use the endpoint: Token Resend Activation Code.
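
An issuer-side guard for the lifecycle actions listed above, as an added example that is not Dock's code and calls no Dock endpoint: it checks that an action is valid for the token's current state and applies the lost-or-stolen-device case to the tokens listed for a PAN. The state names, the `Token` fields and the rule that delete is allowed from any live state are assumptions; the page only states the activate, suspend and unsuspend preconditions.

```python
from dataclasses import dataclass

# action -> (states it may be applied from, resulting state); names are assumed
TRANSITIONS = {
    "activate": ({"INACTIVE"}, "ACTIVE"),      # token waiting for activation
    "suspend": ({"ACTIVE"}, "SUSPENDED"),      # only an active token
    "unsuspend": ({"SUSPENDED"}, "ACTIVE"),    # back to the active state
    "delete": ({"INACTIVE", "ACTIVE", "SUSPENDED"}, "DELETED"),  # assumption
}


class LifecycleError(Exception):
    """Raised when an action is not valid for the token's current state."""


@dataclass
class Token:
    token_id: str
    device_id: str
    state: str = "INACTIVE"


def apply_action(token, action):
    """Apply one lifecycle action locally, refusing invalid transitions."""
    allowed_from, new_state = TRANSITIONS[action]
    if token.state not in allowed_from:
        raise LifecycleError(f"{action} not allowed from {token.state}")
    token.state = new_state
    return token.state


def suspend_lost_device(tokens_for_pan, device_id):
    """Suspend active tokens on the lost device; report ones still pending."""
    suspended, pending = [], []
    for tok in tokens_for_pan:
        if tok.device_id != device_id:
            continue  # tokens on the cardholder's other devices keep working
        if tok.state == "ACTIVE":
            apply_action(tok, "suspend")
            suspended.append(tok.token_id)
        elif tok.state == "INACTIVE":
            pending.append(tok.token_id)  # must not be activated later
    return suspended, pending


def sample_tokens():
    """Constructed sample: the tokens listed for one PAN across two devices."""
    return [Token("tok-1", "phone-1", "ACTIVE"),
            Token("tok-2", "watch-1", "ACTIVE"),
            Token("tok-3", "phone-1", "INACTIVE"),
            Token("tok-4", "phone-1", "SUSPENDED")]
```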


Push provisioning

Push provisioning enables the user to start the tokenization flow for their card from their issuer’s app instead of getting started in the digital wallet as usual. In this case, the issuer must make an automatic integration between their app and a digital wallet, which in turn will start provisioning the card when receiving the provisioning request for a new token from the issuer’s app data. After completing the tokenization, the card will be available in the digital wallet for transactions.

In the push flow, it isn’t often necessary to confirm the user authentication in the digital wallet, given they have already been authenticated by the issuer’s app.

Currently, Google Pay and Apple Pay wallets require push provisioning to be implemented.


Setup for tokenization

If the issuer wants to enable tokenization for their customers, they must take a few steps with the card brand and digital wallets, as well as check the signature in contracts and financial investments.

Requisites for an issuer:

• Signing a contract with the Card Brand;
• Signing a contract with digital wallets (Samsung Pay, Google Pay, Apple Pay). The issuer needs to have at least one contract with a digital wallet;
• Enabling a development team with front-end and API expertise in order to develop the front end that will consume Dock’s APIs, which are responsible for managing a token lifecycle;
• Enabling a development team with mobile app expertise in order to develop the Push Provisioning functionality in the bank’s app, which is integrated with Dock’s APIs (where applicable).

In order to set up the functionality, the issuer and their sales account manager should fill out a spreadsheet with the required information, which is listed below:

• Issuer’s information: Business name, the employee responsible for the project, email address, phone number;
• Digital wallets to be deployed;
• BINs, ranges and type of product (credit, debit or prepaid) that are eligible for tokenization;
• Activation methods: Activation methods to be enabled for final users (such as SMS, app-to-app or call center);
• Card brand’s keys (Visa or Mastercard) for push provisioning and/or managing token lifecycle.

