eCOM Tokenizer Portal
eCOM Tokenizer offers secure and convenient means for merchants/PSPs to implement network tokenization.
Compared to proprietary tokenization solutions, network tokenization offers a completely secured end to end transaction protected with a cryptogram. It allows frictionless payment with an automatic renewal and real time card life cycle management. In addition, it enhances trust and brand recognition for the consumer by displaying the card artwork.
The developer portal includes Visa VTS, Mastercard Secure-Card-on-File (SCOF) and Elo Network Tokenization support for eCommerce tokenization.
Main benefits:
The G+D services provide eCommerce Tokenization via Network Token Service Providers aka the card schemes like Mastercard, Visa, Elo and others. The service supports Visa Token Service (VTS), Mastercard Secure Card on File (SCOF), Elo Network Tokenization (ELO) and will be extended to support other card schemes and their token services.
Interface | Explanation |
---|---|
1 |
eCOM Tokenizer Server Web Service JSON API Your Back-end Systems ↔ G+D eCOM Tokenizer servicesThe eCOM Tokenizer Customer Gateway microservice provides a set of JSON based Web Service APIs for your Back-end System to send service requests to the eCOM Tokenizer. These service requests include tokenization, life-cycle management services, cryptogram provisioning, merchant onboarding and other services. This interface is also used to receive notifications from the eCOM Tokenizer Server. Your Back-end System should implement a Web Service endpoint for notifications sent from the eCOM Tokenizer Server. |
2 |
Integration with Token Service Providers eCOM Tokenizer ↔ Token Service Provider The eCOM Tokenizer solution aggregates multiple Token Service Providers (TSPs). Each TSP (typically a payment network) defines and provides its own set APIs. eCOM Tokenizer implements these different TSP APIs. |
3 |
Issuer side integration to Network TSPs for token services Token Service Provider ↔ IssuerThis interface illustrates the interfaces between issuers and Payment Network Token Services, from which the issuers participate in token services, including approvals of tokenization requests, receipt of notifications from token services and for life-cycle management of deployed tokens and Funding Primary Account Numbers (“PANs”) of the original plastic payment cards that have been tokenized. Each Issuer will need to implement its own interface(s) to the payment network token service(s); this is not further addressed in this document. NOTE: Any Issuer currently participating in a 3rd Party Mobile Wallet (e.g. Apple Pay, Android Pay, Samsung Pay, etc.) is assumed to have this integration in place already with one or more TSPs. Additional agreements may be required between the Issuer and payment network for the eCommerce tokenization. |
4 |
Merchant integration Merchants must be onboarded individually.eCOM Tokenizer provides APIs for merchant onboarding. |
5 |
eCommerce payments You - Customer ↔ Acquirer / GatewayThese interfaces are a simplified illustration of the eCommerce transaction flow up to the acquirer / Gateway (and not intended to accurately reflect the payment flows and different options). |
6 |
Acquirers / PSPs connections to payment networks Acquirer / PSP ↔ Payment NetworkExisting interfaces from Acquirers / Payment Solution Providers to Payment Networks. |
7 |
Payment Network TSP connection to Payment Network Payment Network ↔ Token Service ProviderProvided by payment networks for processing of payment authorization requests of tokenized payment credentials. |
8 |
Issuer connections to Payment Networks Payment Network ↔ IssuerExisting interfaces from issuers to Payment Networks. |
G+D takes the lead in the project for setting up and onboarding you as a Token Requestor to VTS (Visa), MDES Secure Card on File (Mastercard) and Elo Network Tokenization (ELO) for your eCommerce Solution. G+D envisions that there will be single
systems integration between your Back-end Systems and the eCOM Tokenizer Service.
Subsequently, you may request eCOM Tokenizer service extensions to implement support for additional payment brands (and their respective TSP).
The eCOM Tokenizer API is split into 2 parts: the tokenizer API and a static resource download API.
The tokenizer API is an RPC-style HTTP API.
The gd-request-id
The static resource API
Backward compatibility
API | Production endpoint | Release date | Sandbox endpoint | Release date |
---|---|---|---|---|
eCom Tokenizer API 3.0 | https://ecom-tokenizer.epayments.digital/api/v3.0 | 2024-07-25 | https://ecom-tokenizer-pat.epayments.digital/api/v3.0 | 2024-02-28 |
eCom Static API 3.0 | https://ecom-tokenizer.epayments.digital/static/v3.0 | 2024-07-25 | https://ecom-tokenizer-pat.epayments.digital/static/v3.0 | 2024-02-28 |
eCom Tokenizer API 2.1 | https://ecom-tokenizer.epayments.digital/api/v2.1 | 2024-02-15 | https://ecom-tokenizer-pat.epayments.digital/api/v2.1 | 2024-02-14 |
eCom Static API 2.1 | https://ecom-tokenizer.epayments.digital/static/v2.1 | 2024-02-15 | https://ecom-tokenizer-pat.epayments.digital/static/v2.1 | 2024-02-14 |
The tokenizer API follows RPC style. It does not use extensively HTTP error codes to express error scenarios, especially not business logic errors.
Instead of using HTTP codes to express business and technical errors, the tokenizer API uses two fields in the response JSON message. The "statusCode" field is an enumerated value, that categorizes the error scenario. The "errorMessage" field provides some more background information about the failure. The same two fields are used in both HTTP 200 and 503 responses.
Note
The eCOM Tokenizer uses the following HTTP codes:
HTTP code | Use case | Recoverable |
---|---|---|
200 | HTTP call was successful and a positive response was sent | false |
200 | HTTP call resulted either in a business error, configuration error, input validation error, non-recoverable system error or non-recoverable TSP error. Instead of using a HTTP status code, the error scenario is expressed with a statusCode in the JSON response. Additionally, the errorMessage field provides further details. | false |
503 | HTTP call resulted in an internal or TSP-related error, that may be solved by retrying the request. The caller is invited for retrying the call. The error scenario is expressed with the statusCode and errorMessage fields. | true |
For static data, like metadata or images the codes are extended by:
HTTP code | Use case | Recoverable |
---|---|---|
200 | HTTP call was successful and a positive response was sent | false |
400 | HTTP request contained invalid data and failed at validation level. | false |
404 | HTTP request arrived at a wrong URI. This error typically happens when requesting non-existing static data. | false |
500 | HTTP call resulted either in a business error, configuration error, input validation error, non-recoverable system error or non-recoverable TSP error. | false |
503 | HTTP call resulted in an internal or TSP-related error, that may be solved by retrying the request. The caller is invited for retrying the call. | true |
Generic errors |
|||
statusCode | errorMessage | description | recoverable |
---|---|---|---|
BAD_REQUEST | (Output of the input message validator) | Used to express input validation problems | no |
SERVICE_ERROR | Failed to process request, please contact G+D | An internal error happened that most likely need manual intervention to fix | no |
TEMPORARY_SERVICE_ERROR | Failed to process request, try again later | An internal error happened, that may be solved by retrying the request | yes |
SERVICE_CONFIGURATION_ERROR | Configuration failure, please contact G+D | There is missing configuration for the current Token Requestor. Manual intervention is necessary to fix it. | no |
NOT_SUPPORTED | The service {} is not supported by card scheme {} | An API was called that is not supported by the TSP | no |
PAYMENT_APP_NOT_FOUND_ERROR | Payment app not found | The specified payment app is not existing. Manual intervention is necessary to fix it. | no |
TOKEN_NOT_FOUND | Token not found | An unknown token reference was in the API request | no |
CRYPTOGRAPHY_ERROR | (Error detail) | A cryptographic operation failed when processing the request. E.g. JWE decryption failed, unupported algorithm was used, ... | no |
MISSING_REQUEST_ID | <EMPTY> | No gd-request-id HTTP header was added to the request | no |
MULTIPLE_REQUEST_IDS | <EMPTY> | Multiple gd-request-id HTTP headers were added to the request | no |
INVALID_CUSTOMER_ID | Missing customer identifier header Multiple customer identifier headers The Common Name (CN) 'xxx' of the TLS client certificate is unknown |
The customer ID of the common name of the TLS certificate is invalid for the current api call. | no |
UNHANDLED | Failed to process request, please contact G+D | An unexpected error happened. Fixing needs manual intervention | no |
DEPRECATED: this error code will be removed in the next release (2023-06-22). |
|||
Generic TSP errors |
|||
statusCode | errorMessage | description | recoverable |
TSP_SERVICE_ERROR | Communication error with tsp | A problem occured during the call to TSP, that is assumed to be non-retriable | no |
TSP_TEMPORARY_SERVICE_ERROR | Communication error with tsp. Please retry the request. | A problem occured during the call to TSP, a retry may resolve it | yes |
TSP_UNKNOWN_ERROR | (Detailed error message) | Unexpected error happened during the TSP call | no |
VTS specific errors |
|||
Note As of version 2.0.0, the TSP specific error codes, including onboarding, have changed fundamentally to provide a better harmonization. Please move to section Error handling V2 for TSP specific errors if you are looking to upgrade to current version 2.1.x or higher or are just starting to integrate with G+D. | |||
The error messages contain the messages returned by VTS. Several of these error cases indicate errors to that the customer has no impact, and can only be resolved between G+D and Visa. We provide these error information for the sake of transparency. |
|||
statusCode | errorMessage | description | recoverable |
VTS_INVALID_PARAMETER | (VTS error message) | VTS considered some input parameter is invalid | no |
DEPRECATED: this internal error code will be replaced by SERVICE_ERROR at 2023-06-22. |
|||
VTS_CONFIGURATION_ERROR | (VTS error message) | VTS has incorrect configuration | no |
VTS_AUTHENTICATION_ERROR | (VTS error message) | VTS could not authenticate the request | no |
VTS_CARD_VERIFICATION_ERROR | (VTS error message) | The provided card verification code is incorrect | no |
VTS_CARD_NOT_ELIGIBLE | (VTS error message) | The provided card is not eligible | no |
DEPRECATED: this internal error code will be replaced by SERVICE_ERROR at 2023-06-22. |
|||
VTS_CARD_NOT_ALLOWED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
VTS_DECLINED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
VTS_NOT_ALLOWED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
Mastercard specific errors |
|||
The error messages contain the messages returned by MC. Several of these error cases indicate errors to that the customer has no impact, and can only be resolved between G+D and Mastercard. We provide these error information for the sake of transparency. |
|||
statusCode | errorMessage | description | recoverable |
MCSCOF_BAD_REQUEST_ERROR | (MC error message) | Mastercard detected an error in the incoming request | no |
MCSCOF_UNAUTHORIZED | (MC error message) | Mastercard was called without a proper access token | no |
MCSCOF_FORBIDDEN | (MC error message) | Mastercard was called without permissions | no |
MCSCOF_NOT_FOUND | (MC error message) | The requested URL does not exist | no |
MCSCOF_INTERNAL_SERVER_ERROR | (MC error message) | Mastercard internal server error | no |
MCSCOF_TEMPORARY_FORBIDDEN | (MC error message) | Call to Mastercard is temporary forbidden | yes |
MCSCOF_TEMPORARY_INTERNAL_SERVER_ERROR | (MC error message) | Mastercard is temporary not working | yes |
MCSCOF_TEMPORARY_RATE_LIMIT_EXCEEDED | (MC error message) | Rate limit is temporarioly exceeded | yes |
Onboarding errors |
|||
statusCode | errorMessage | description | recoverable |
VTS_ONBOARDING_VALIDATION_FAILED | VTS found some input field as invalid. Unfortunately very often the concrete error is not disclosed, and the case has to be clarified via emails. | no | |
VTS_ONBOARDING_TR_ALREADY_ONBOARDED | The given Token Requestor is already onboarded to VTS. This error is returned from the eCom Tokenizer. | no | |
MCSCOF_ONBOARD_TR_NOT_FOUND | The requested Token Requestor does not exist | no | |
MCSCOF_OFF_BOARD_TR_NOT_ONBOARDED | The given Token Requestor is not onboarded | no | |
Bulk Tokenize errors |
|||
Job level errors (Bulk tokenization) |
|||
statusCode | errorMessage | description | recoverable |
BAD_REQUEST | (Output of the input message validator) | Used to express input validation problems | no |
DUPLICATE_JOB_ID | TokenBulkJob with <jobId> is already submitted. | TokenizeBulk JobIDs must be unique | no |
JOB_NOT_FOUND_ERROR | TokenBulkJob <jobId> not found. | TokenizeBulk Job with given jobId was not found | no |
SERVICE_ERROR | Failed to process request, please contact G+D | An internal error happened when submitting the job or requesting the results. Most likely manual intervention is needed to fix the issue. | no |
SERVICE_CONFIGURATION_ERROR | Configuration failure, please contact G+D | There is missing configuration for the current Customer. Manual intervention is necessary to fix it. | no |
UNHANDLED | Failed to process request, please contact G+D | An unexpected error happened. Fixing needs manual intervention | no |
Generic Funding Account Row level errors (Bulk tokenization) |
|||
BAD_REQUEST | (Output of the input message validator) | Used to express input validation problems for the Funding Account Row | no |
CRYPTOGRAPHY_ERROR | (Output of the input message validator) | A cryptographic operation failed when processing the Funding Account Row. E.g. JWE decryption failed, unupported algorithm was used, ... | no |
SERVICE_ERROR | Failed to process request, please contact G+D | An internal error happened when processing the Funding Account Row. Most likely manual intervention is needed to fix the issue. | no |
SERVICE_CONFIGURATION_ERROR | Configuration failure, please contact G+D | There is missing configuration for the Token Requestor / Payment Application of Funding Account Row. Manual intervention is necessary to fix it. | no |
BULK_JOB_PROCESSING_ERROR | Internal TokenBulkJob processing error, please contact G+D / More detailed error message if available | An internal error specific to Bulk Tokenization happened when processing the Funding Account Row. Manual intervention is necessary to fix it. | no |
PAYMENT_APP_NOT_FOUND_ERROR | Payment app not found | The specified payment app is not existing. Manual intervention is necessary to fix it. | no |
TSP_SERVICE_ERROR | A problem occurred during the call to TSP when processing the Funding Account Row, that is assumed to be non-retriable | no | |
TSP_TEMPORARY_SERVICE_ERROR | A problem occurred during the call to TSP when processing the Funding Account Row, a retry may resolve it | yes | |
TSP_UNKNOWN_ERROR | Unexpected error happened during the TSP call when processing the Funding Account Row | no | |
VISA specific Funding Account Row level errors (Bulk tokenization) |
|||
VTS_INVALID_PARAMETER | (VTS error message) | VTS considered some input parameter is invalid | no |
DEPRECATED: this internal error code will be replaced by SERVICE_ERROR at 2023-06-22. |
|||
VTS_CONFIGURATION_ERROR | (VTS error message) | VTS has incorrect configuration | no |
VTS_AUTHENTICATION_ERROR | (VTS error message) | VTS could not authenticate the request | no |
VTS_CARD_VERIFICATION_ERROR | (VTS error message) | The provided card verification code is incorrect | no |
VTS_CARD_NOT_ELIGIBLE | (VTS error message) | The provided card is not eligible | no |
DEPRECATED: this internal error code will be replaced by SERVICE_ERROR at 2023-06-22. |
|||
VTS_CARD_NOT_ALLOWED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
VTS_DECLINED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
VTS_NOT_ALLOWED | (VTS error message) | The requested operation was rejected, the error message may provide the reason. | no |
MASTERCARD specific Funding Account Row level errors (Bulk tokenization) |
|||
MCSCOF_BAD_REQUEST_ERROR | (MC error message) | Mastercard detected an error in the incoming request | no |
MCSCOF_UNAUTHORIZED | (MC error message) | Mastercard was called without a proper access token | no |
MCSCOF_FORBIDDEN | (MC error message) | Mastercard was called without permissions | no |
MCSCOF_NOT_FOUND | (MC error message) | The requested URL does not exist | no |
MCSCOF_INTERNAL_SERVER_ERROR | (MC error message) | Mastercard internal server error | no |
MCSCOF_TEMPORARY_INTERNAL_SERVER_ERROR | (MC error message) | Mastercard is temporary not working | yes |
MCSCOF_TEMPORARY_FORBIDDEN | (MC error message) | Call to Mastercard is temporary forbidden | yes |
MCSCOF_TEMPORARY_RATE_LIMIT_EXCEEDED | (MC error message) | Rate limit is temporarioly exceeded | yes |
The eCOM Tokenizer API version 2.0.0 will introduce an improved error handling. The goals of the improvement are the following
The Generic Errors remain the same as before. In contrast, the Generic TSP errors, VTS specific errors and Mastercard specific errors will be merged into the following generic statusCodes:
new statusCode | old statusCode | API | description | recoverable |
---|---|---|---|---|
TSP_INVALID_CARD_DATA | VTS_INVALID_PARAMETER VTS_CARD_VERIFICATION_ERROR MCSCOF_BAD_REQUEST_ERROR |
/tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | One or more elements of the funding account card data (FPAN, expiration date, CVV) provided is considered to be invalid by either the network TSP or the issuer. E.g. expired card, too short FPAN, wrong CVV code. | no |
TSP_CARD_NOT_ELIGIBLE | VTS_CARD_NOT_ELIGIBLE MCSCOF_BAD_REQUEST_ERROR |
/tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | The funding account card data (FPAN, expiration date, CVV) provided is correct, but the funding account card as such (BIN range) is not eligible for tokenization. | no |
TSP_ISSUER_DECLINED | VTS_DECLINED MCSCOF_BAD_REQUEST_ERROR |
/tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | The funding account card data (FPAN, expiration date, CVV) provided by the cardholder is correct, but the issuing bank rejected the tokenization request. The reason may be e.g. the outcome of risk evaluation. | no |
TSP_OPERATION_NOT_ALLOWED | VTS_NOT_ALLOWED MCSCOF_BAD_REQUEST_ERROR |
All | The requested operation was rejected by the network scheme. The reason may be that the status of the token is not active or no further actions with the card are allowed. | no |
TSP_BAD_REQUEST | MCSCOF_BAD_REQUEST_ERROR |
All |
The request contains invalid input parameters other than the funding account card data. Additional error message explanations:
|
no |
TSP_SERVICE_ERROR | TSP_SERVICE_ERROR VTS_CONFIGURATION_ERROR VTS_AUTHENTICATION_ERROR MCSCOF_UNAUTHORIZED MCSCOF_FORBIDDEN MCSCOF_NOT_FOUND |
All |
The request sent by eCOM Tokenizer to the network TSP failed because of a technical reason. The problem typically happens when the network TSP itself reports and unknown internal failure. It is not expected that an automatic retry will solve the problem in short time. However, a retry scheduled at a later point in time may succeed. Additional error message explanations:
|
no |
TSP_TEMPORARY_SERVICE_ERROR | TSP_TEMPORARY_SERVICE_ERROR MCSCOF_INTERNAL_SERVER_ERROR MCSCOF_TEMPORARY_FORBIDDEN MCSCOF_TEMPORARY_INTERNAL_SERVER_ERROR MCSCOF_TEMPORARY_RATE_LIMIT_EXCEEDED |
All | The request sent by eCOM Tokenizer to the network TSP failed because of a technical reason. Such a reason can be an instantaneous network connectivity problem. A retry within short time may solve the problem. | yes |
TSP_UNKNOWN_ERROR | TSP_UNKNOWN_ERROR VTS_INVALID_PARAMETER MCSCOF_BAD_REQUEST_ERROR |
All | eCOM Tokenizer's requests to network TSP systems can rarely be rejected for unexpected/undocumented reasons. | no |
Notes
TSP onboarding errors
The above changes apply to the APIs except Onboarding. The Onboarding API has the following additional statusCodes. The semantic of these error codes doesn't change, only the names are made generic and applicable for multiple network TSPs.
statusCode API 2.x and following | statusCode API 1.x | API | description | recoverable |
---|---|---|---|---|
TR_VALIDATION_FAILED | VTS_ONBOARDING_VALIDATION_FAILED | /onboard-to-vts | VTS found some input field as invalid. Unfortunately very often the concrete error is not disclosed and the case has to be clarified via Service Support | no |
TR_ALREADY_ONBOARDED | VTS_ONBOARDING_TR_ALREADY_ONBOARDED | /onboard-to-vts | The given Token Requestor is already onboarded to VTS. This error is returned from the eCom Tokenizer. Important note
|
no |
TR_ALREADY_ONBOARDED | n/a | /onboard-to-elo | The given Token Requestor is already onboarded to ELO. This error is returned from the eCom Tokenizer. | no |
TR_NOT_FOUND | MCSCOF_ONBOARD_TR_NOT_FOUND | /onboard-to-mc-status | The requested Token Requestor does not exist | no |
TR_NOT_ONBOARDED | MCSCOF_OFF_BOARD_TR_NOT_ONBOARDED | /offboard-from-mc | The given Token Requestor is not onboarded | no |
Renamed statusCodes
There are a few statusCodes that keep their original meaning, but have got more suitable names:
new statusCode | old statusCode |
---|---|
PAYMENT_APP_NOT_FOUND | PAYMENT_APP_NOT_FOUND_ERROR |
UNKNOWN_ERROR | UNHANDLED |
JOB_DUPLICATE_ID | DUPLICATE_JOB_ID |
JOB_NOT_FOUND | JOB_NOT_FOUND_ERROR |
JOB_PROCESSING_ERROR | BULK_JOB_PROCESSING_ERROR |
All V2 statusCodes
The following table summarizes the statusCodes that will be supported after the improvement:
statusCode | API | errorMessage* | description | recoverable |
---|---|---|---|---|
BAD_REQUEST | All | <Output of the input message validator> | Used to express input validation problems | no |
SERVICE_ERROR | All | Failed to process request, please contact G+D | An internal error happened that most likely need manual intervention to fix | no |
TEMPORARY_SERVICE_ERROR | All | Failed to process request, try again later | An internal error happened, that may be solved by retrying the request | yes |
SERVICE_CONFIGURATION_ERROR | All | Configuration failure, please contact G+D | There is missing configuration for the current Token Requestor. Manual intervention is necessary to fix it. | no |
NOT_SUPPORTED | All | The service {} is not supported by card scheme {} | An API was called that is not supported by the TSP | no |
PAYMENT_APP_NOT_FOUND | All | Payment app not found | The specified payment app is not existing. Manual intervention is necessary to fix it. | no |
TOKEN_NOT_FOUND | /suspend, /resume, /delete, /token-info, /transact | Token not found | An unknown token reference was in the API request | no |
CRYPTOGRAPHY_ERROR | /tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | <Error detail> | A cryptographic operation failed when processing the request. E.g. JWE decryption failed, unupported algorithm was used, ... | no |
MISSING_REQUEST_ID | All | <empty> | No gd-request-id HTTP header was added to the request | no |
MULTIPLE_REQUEST_IDS | All | <empty> | Multiple gd-request-id HTTP headers were added to the request | no |
INVALID_CUSTOMER_ID | All | The Common Name (CN) 'xxx' of the TLS client certificate is unknown | The customer ID of the common name of the TLS certificate is invalid for the current api call. | no |
UNKNOWN_ERROR | All | Failed to process request, please contact G+D | An unexpected error happened. Fixing needs manual intervention | no |
TSP_INVALID_CARD_DATA | /tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | tspMessage: <comma-separated freetext error message from TSP> | One or more elements of the funding account card data (FPAN, expiration date, CVV) provided is considered to be invalid by either the network TSP or the issuer. E.g. expired card, too short FPAN, wrong CVV code. | no |
TSP_CARD_NOT_ELIGIBLE | /tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | tspMessage: <comma-separated freetext error message from TSP> | The funding account card data (FPAN, expiration date, CVV) provided is correct, but the funding account card as such (BIN range) is not eligible for tokenization. | no |
TSP_ISSUER_DECLINED | /tokenize, /tokenize-bulk, /tokenize-bulk-multi-scheme | tspMessage: <comma-separated freetext error message from TSP> | The funding account card data (FPAN, expiration date, CVV) provided by the cardholder is correct, but the issuing bank rejected the tokenization request. The reason may be e.g. the outcome of risk evaluation. | no |
TSP_OPERATION_NOT_ALLOWED | /delete, /suspend, /resume, /transact, /token-info | tspMessage: <comma-separated freetext error message from TSP> | The requested operation was rejected by the network scheme. The reason may be that the status of the token is not active. | no |
TSP_BAD_REQUEST | All | tspMessage: <comma-separated freetext error message from TSP> |
The request contains invalid input parameters other than the funding account card data.
Additional error message explanations:
|
no |
TSP_SERVICE_ERROR | All | tspMessage: <comma-separated freetext error message from TSP> |
The request sent by eCOM Tokenizer to the network TSP failed because of a technical reason. The problem typically happens when the network TSP itself reports and unknown internal failure. It is not expected that an automatic retry will solve the problem in short time. However, a retry scheduled at a later point in time may succeed.
Additional error message explanations:
|
no |
TSP_TEMPORARY_SERVICE_ERROR | All | tspMessage: <comma-separated freetext error message from TSP> | The request sent by eCOM Tokenizer to the network TSP failed because of a technical reason. Such a reason can be an instantaneous network connectivity problem. A retry within short time may solve the problem. | yes |
TSP_UNKNOWN_ERROR | All | tspMessage: <comma-separated freetext error message from TSP> | eCOM Tokenizer's requests to network TSP systems can rarely be rejected for unexpected/undocumented reasons. | no |
TR_VALIDATION_FAILED | /onboard-to-vts | tspMessage: <comma-separated freetext error message from TSP> | VTS found some input field as invalid. Unfortunately very often the concrete error is not disclosed and the case has to be clarified via Service Support | no |
TR_ALREADY_ONBOARDED | /onboard-to-vts, /onboard-to-elo | <empty> | This is not an error scenario. Instead. it can be interpreted as a positive response. It means that the merchant had already been onboarded to VTS or ELO earlier, and the current API call did not have any further contribution. | no |
TR_NOT_FOUND | /onboard-to-mc-status | Token requestor not found | The requested Token Requestor does not exist | no |
TR_NOT_ONBOARDED | /offboard-from-mc | Token requestor not onboarded | The given Token Requestor is not onboarded | no |
JOB_DUPLICATE_ID | /tokenize-bulk, /tokenize-bulk-multi-scheme | TokenBulkJob with <jobId> is already submitted. | TokenizeBulk JobIDs must be unique | no |
JOB_NOT_FOUND | /tokenize-bulk-results | TokenBulkJob <jobId> not found. | TokenizeBulk Job with given jobId was not found | no |
JOB_PROCESSING_ERROR | /tokenize-bulk, /tokenize-bulk-multi-scheme, /tokenize-bulk-results | Internal TokenBulkJob processing error, please contact G+D / More detailed error message if available | An internal error specific to Bulk Tokenization happened when processing the Funding Account Row. Manual intervention is necessary to fix it. | no |
The eCom Tokenizer forwards the TSP notifications to the customers. The notifications may fail because of different reasons.
In case the failure is retriable, the eCom Tokenizer schedules automatic retries. Network level errors and HTTP 5xx are considered to be retriable.
The eCOM Tokenizer API version 2.1.0 provides additional information in the Token-Updated notification. These reason codes allow you to identify additional actions that should be performed when this information is received.
Token Lifecycle management notifications are triggered when for example an issuer suspends or unsuspends the card, or issues a new card before expiration, or a cardholder updates the card details.
For such cases you should update the data of your stored objects for the related token with the new status and other parameters that may have changed.
I.e. update the data received in tokenInfo and metadata (identified by a changed metadataId -> you should trigger a get metadata request)
Additionally, an issuer may trigger an account update within the account range or across another account range based on the following events:
The TOKEN_REFRESH reason code is provided for such scenarios. It can currently only be expected for Mastercard tokens in one of the above-mentioned events.
TOKEN_REFRESH reason code means, that the token and/or token expiry may have changed. The following actions are required:
In the case of a Mastercard token and Merchant Initiated Transaction (MIT), when TOKEN_REFRESH is received the subsequent MIT after token_refresh scenario must carry the fresh cryptogram and in addition you should send Security Level Indicator (SLI) value 246.
Subsequent transactions can revert to SLI value 247 and a cryptogram is no longer required.
Below is the list of reason codes and additional information.
Reason Code | Notification Detail Message* | Description | Minimum actions to take |
---|---|---|---|
CARD_UPDATED | ACCOUNT_CLOSED, ACCOUNT_UPDATED, Card data updated |
This notification reason is received when FPAN related data has changed, or the account was closed. | Update all data received |
METADATA_UPDATE | CARD_ART_UPDATE, Metadata updated |
This notification reason is received when FPAN metadata has changed. | Update all data received |
TOKEN_STATUS_CHANGED | DEVICE_LOST, DEVICE_FOUND, DEVICE_STOLEN, FRAUD_SUSPECTED, FRAUD_MITIGATED, OTHER, Token status updated |
This notification reason is received when the token status has changed due to some life-cycle scenarios. | Update all data received |
TOKEN_REFRESH | TOKEN_REFRESH | This notification reason is received when the whole token and/or token expiry has changed. | Update all data received, Request a new cryptogram to receive the new token from the TSPs |
Use case is supported by the API: /tokenize
The workflow above contains the alternatives:
Use case is supported by the API: /tokenize-bulk
Please note that ELO Bulk tokenization is not yet supported.
Use case is supported by the API: /transact
Token life cycle management scenarios are:
Use case supported by the API: /delete
Cardholders can interact multiple ways with their card issuers that result in life cycle events to the ecosystem. The sequence diagram below covers a few typical cases:
Use cases are supported by the API:
The Onboarding APIs published by the Network TSPs vary widely. I.e. the data elements required, the supported functions and the technical implementation differ significantly. For this reason the eCOM Tokenizer publishes separate endpoints per card scheme. It has to be noted, that the Onboarding APIs main purpose is to enable PSPs to onboard direct merchants. Ideally all direct merchants should get their own Token Requestor ID (TRID) assigned. For onboarding other merchant entities such as marketplaces, franchise business or small sellers with a small yearly payment volume please reach out to your G+D contact. More details you find also in the FAQs.
VTS implements a synchronous Onboarding API. In each OnboardToVtsRequest call a single merchant is onboarded. The merchant data has to include at least the mandatory parameters of the OpenAPI spec. The tspId has to be "VTS_SANDBOX" in the test environment, and "VTS" in production.
Note VTS onboard API is immutable. After a merchant has been once onboarded to VTS, onboard data cannot be changed and new payment applications cannot be added. Therefore, when calling the /onboard-to-vts API, it is possible that the number of requested payment applications and the defined vtsClientAppId and vtsProfileName values do not match with the response. What can be guaranteed, is that the response will always contain at least one VtsPaymentApplication which can be used in TokenizeRequests and other API calls.
The merchant is identified either by
Business Identification Type | Business Identification Value Description |
---|---|
ABN | Australian business number Format: 11 numeric digits |
ACN | Australian company number Format: 9 numeric digits |
BID | Business identification number; all countries. Format: 8 numeric digits Note: You must contact your Visa representative before using BID for businessIdentificationType |
BIN | Kazakhstan business identification number Format: 12 numeric digits |
BIR | Philippines certificate of registration Format: 12 numeric digits; hyphen-separated Example: 123-456-789-012 |
BN | Canadian business number Format: 9 numeric digits |
BRN | South Korea business registration number Format: 10 numeric digits; hyphen-separated Example: 123-45-67890 |
BRNO | Malaysia only Format: Up to 10 numeric digits followed by a hyphen and a single character or 12 numeric digits. Example: 123456789012 |
CL | Commercial License Number, Qatar Format: 4–6 numeric digits |
CLN | Company License Number, Kuwait Format: 5–7 numeric digits |
CORPORATE_NUMBER | Corporate Number, Japan Format: 13 numeric digits; leading digit is a non-zero check digit for the following 12 digits |
CNPJ | Brazil only Format: 14 alphanumeric characters, identified by n in the example, and punctuation characters (period, slash, and hyphen). Example: nn.nnn.nnn/nnnn-nn |
CR | Company Registration Number, Saudi Arabia Format: 10–12 numeric digits |
CUIT | Argentina only Format: 11 numeric digits |
EDRPOU | Ukraine Ukrainian corporations: 8 numeric digits Ukrainian individual entrepeneurs: 10 numeric digits |
EIN | US Federal tax ID (US only) Format: 9 numeric digits |
HKBR | Hong Kong only Format: 11 numeric digits and a hyphen Note: Use 000 if the digits after the hyphen are not specified. Example: 12345678-123 |
INI | Andorran General Indirect Tax Format: 8 alphanumeric characters; the first and last characters must be alphabetic. |
NATIONAL_ID | Dominican Republic (DO) Cedula de Identidad (Merchant Owner ID) Format: DO + 11 digits Example: DO01234567890 |
NIB | Indonesia business identification number Format: 13 numeric digits |
NID | South Africa national identification number Format: 13 numeric digits |
NZBN | New Zealand business number Format: 13 numeric digits |
PAN | Indian business identification number Format: 10 alphanumeric characters |
PAN | Belarus payer account number Format: 9 numeric digits |
RFC | Mexico only Format: 12 alphanumeric characters for corporations; 13 alphanumeric characters for individuals. |
RNC | Dominican Republic (DO) Registro Nacional de Contribuyentes (National Contributors Number) Format: DO + 9 digits Example: DO123456789 |
RUC | Peru only Format: 11 numeric digits |
RUT | Chile and Columbia only Format: 9 numeric digits; for Chile; 10 numeric digits for Columbia |
SIN | Canadian social insurance number Format: 9 numeric digits |
SSN | US social security number (US only) Format: 9 numeric digits |
TC | Vietnam tax code Format: 10 or 13 numeric digits |
UEN | Singapore only Format: 9 or 10 alphanumeric characters |
USCI | China united social credit code Format: 18 alphanumeric characters |
VAT | Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, Faroe Islands, France, Germany, Greece, Hungary, Iceland, Ireland, Isle of Man, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of Cyprus,
Romania, Saudi Arabia, Slovak Republic, Slovenia, South Africa, Spain, Sweden, Switzerland, Thailand, Turkey, Ukraine, United Arab Emirates, United Kingdom See the formats below. |
VAT countries and formats:
Country / Code | VAT Value Format | Example |
---|---|---|
Austria / AT | AT + 9 characters in which the first character is always a 'U' | ATU12345678 |
Belgium / BE | BE + 10 characters. Prefix with zero ‘0’ if the customer provides a 9 digit VAT number. | BE1234567890 |
Bulgaria / BG | BG + 9 or 10 characters | BG123456789 or BG0123456789 |
Croatia / HR | HR + 11 characters. | HR01234567891 |
Cyprus / CY | CY + 9 characters; the last character must always be a letter. | CY12345678X |
Czech Republic / CZ | CZ + 8, 9 or 10 characters. | CZ12345678, CZ123456789, or CZ0123456789 |
Denmark / DK | DK + 8 characters | DK12345678 |
Estonia / EE | EE + 9 characters | EE123456789 |
Finland / FI | FI + 8 characters | FI12345678 |
France / FR | FR + 11 characters | FR12345678901 |
Germany / DE | DE + 9 characters | DE123456789 |
Greece / EL | EL + 9 characters | EL123456789 |
Hungary / HU | HU + 8 characters | HU12345678 |
Iceland / IS | 5 or 6 characters | 12345 |
Ireland / IE | IE + 8 numeric or alphabetic characters | IE1234567X |
Israel / IL | 9 numeric digits | 123456789 |
Isle of Man / GB | GB + 9 or 12 digits; first 2 digits must be 00 | GB003456789 |
Italy / IT | IT + 11 characters | IT12345678901 |
Latvia / LV | LV + 11 characters | LV12345678901 |
Lithuania / LT | LT + 9 or 12 characters | LT123456789 or LT123456789012 |
Luxembourg / LU | LU + 8 characters | LU12345678 |
Malta / MT | MT + 8 characters | MT12345678 |
Netherlands / NL | NL + 12 characters of which the tenth character is always B. | NL123456789B01 |
Norway / NO | NO + 9 digits and the letters + MVA | NO123456789MVA |
Poland / PL | PL + 10 alphanumeric characters | PL1234567890 |
Portugal / PT | PT + 9 characters | PT123456789 |
Republic of Cyprus / CY | CY + 9 characters. The last character must always be a letter. | CY12345678X |
Romania / RO | RO + 2 to 10 characters. | RO12, RO123, RO1234, RO12345, RO123456, RO1234567, RO12345678, RO123456789, or RO1234567890 |
Saudi Arabia / SA | 15 numeric digits | 123456789012345 |
Slovak Republic / SK | SK + 10 characters | SK1234567890 |
Slovenia / SI | SI + 8 characters | SI12345678 |
South Africa / ZA | 10 or 11 digits | 1234567890 or 12345678901 |
Spain / ES | ES + 9 numeric digits | ES123456789 |
Sweden / SE | SE + 12 digits | SE123456789012 |
Switzerland / CH | CH + 9 digits + MWST (german part), TVA (french part), or IVA (italian part) | CH123456789MWST, CH123456789TVA, or CH123456789IVA |
Thailand | 13 numeric digits | 1234567890123 |
Turkey / TR | TR + 10 characters | TR1234567890 |
Ukraine / UA | 9 or 12 digits | 123456789 or 123456789012 |
United Arab Emirates / AE | 15 digits | 123456789012345 |
United Kingdom / GB | GB + 9 digits | GB123456789 |
The merchant may have multiple payment applications, like a Web App and an Android App. VTS mandates registering at least one payment app. The merchant may decide to register more, but that is optional. VTS expects the following payment app data:
Once the merchant and the payment app(s) are onboarded, the VTS API does not give any possibility to update, delete the data. The onboarded merchant cannot be used immediately. The Token Requestor ID assigned to the merchant needs to propagate to all VTS systems and it takes time. Visa suggests waiting 72 hours before allowing tokenizations in the productive environment. In the test environment, the merchant can be used right after onboarding.
The OnboardToVtsResponse response message contains the G+D generated identifiers gdTokenRequestorId and gdPaymentAppIds, that have to be kept persisted, as they are needed for further use cases.
Mastercard implements an asynchronous Onboarding API. The OnboardToMcRequest contains the data of a single merchant, and one or more payment applications. Similarly to VTS, the merchant has to include at least one payment app in the request. But it also can include multiple or all of them. The tspId has to be "MCSCOF_SANDBOX" in the test environment, and "MC" in production.
In the OnboardToMcRequest the programName identifies the merchant, and the dpaName identifies a single payment app. DPA stands for Digital Payment Application, and it is a term the Mastercard API uses.
The synchronous OnboardToMcResponse contains the G+D generated gdTokenRequestorId and gdPaymentAppIds. The merchant and the payment apps are not yet onboarded at this moment to Mastercard. Mastercard has an asynchronous API, for this reason the onboardStatus will likely be IN_PROGRESS in the synchronous response. The merchant/PSP has to poll for the final response by periodically calling the OnboardToMcStatus API. This call returns the same OnboardToMcResponse response, but ultimately it will show onboardStatus COMPLETED or FAILED. When providing multiple payment apps, a partial success is possible: some apps may get onboarded, others may fail. The Mastercard Onboarding API works more on the payment app basis than merchants basis. What we onboard are in fact the payment apps.
Mastercard supports the update of payment applications. The update feature mainly means adding new payment applications. There are only very few data fields that are updatable for an existing, already onboarded payment application. An update can be triggered by sending the same OnboardToMcRequest request. In case this request contains an already known programName, it is automatically an update request. If there is an already existing dpaName under the known programName, then the matching payment app will get updated. As earlier mentioned, only a few payment app fields are updatable. If there is a new dpaName under an existing programName, then the new payment app will be onboarded to Mastercard.
Note For equality comparison, ProgramName and DpaName considered case-insensitive.
It is possible to off-board payment applications, by sending an OffboardFromMcRequest. As a result, the payment apps with the given dpaNames will be removed from the merchant with the given programName. This call is the same way asynchronous like the OnboardToMcRequest. The result can be periodically polled by using OnboardToMcRequest.
Elo implements a synchronous API, similar to VTS. The OnboardToEloRequest contains the data of a single merchant. Contrary to Mastercard and Visa, no separate payment application details need to be provided for Elo. However, a gdPaymentAppId can be provided or will be generated by eCOM accordingly. The tspId has to be "ELO_SANDBOX" in the test environment. Production tspId will be provided once released.
Note Elo onboard API is currently immutable. After a merchant has been once onboarded to Elo, onboard data cannot be changed via the API. If merchant data needs to change, please contact G+D.
In the OnboardToEloRequest the legalId and legalName identify the merchant explicitly and uniquely. The legalId, in this case CNPJ, should be provided without any punctuation. Instead of '52.796.626/0001-50', the submitted legalId should look like this: '52796626000150'
The OnboardToEloResponse contains the G+D generated gdTokenRequestorId and gdPaymentAppId. The merchant is onboarded at this point in time, depending on Elo's processing however, might not be immediately available after the onboarding.
Use case is supported by the API: /tokenInfo
For additional information see section API Versioning.
See the following section to get familiar with the API endpoints:
From June 2024 the eCOM Tokenizer APIs are exposed also from a new domain ecom-tokenizer.epayments.digital, the previous endpoints are therefore deprecated.
In consultation with the eCOM Tokenizer customers the endpoints on the previous domain will be shutdown after successful switch.
The eCOM Tokenizer API is exposed using the following URLS:
API | Description | Note | epayments PROD | Release date | epayments PAT | Release date | ||||
---|---|---|---|---|---|---|---|---|---|---|
eCOM Tokenizer API v3.0 | Support for version 3.0 | https://ecom-tokenizer.epayments.digital/api/v3.0 | 2024-07-25 | https://ecom-tokenizer-pat.epayments.digital/api/v3.0 | 2024-02-28 | |||||
eCOM Tokenizer API v2.1 | Support for version 2.1 | https://ecom-tokenizer.epayments.digital/api/v2.1 | 2024-02-15 | https://ecom-tokenizer-pat.epayments.digital/api/v2.1 | 2024-02-14 | |||||
The eCOM Static API is exposed using the following URLS:
API | Description | Note | epayments PROD | Release date | epayments PAT | Release date | ||||
---|---|---|---|---|---|---|---|---|---|---|
eCOM Static API v3.0 | Support for version 3.0 | https://ecom-tokenizer.epayments.digital/static/v3.0 | 2024-07-25 | https://ecom-tokenizer-pat.epayments.digital/static/v3.0 | 2024-02-28 | |||||
eCOM Static API v2.1 | Support for version 2.1 | https://ecom-tokenizer.epayments.digital/static/v2.1 | 2024-02-15 | https://ecom-tokenizer-pat.epayments.digital/static/v2.1 | 2024-02-14 | |||||
Release 3.0.x is introducing support for payment scheme ELO.
Compatibility note: This API version is NOT fully backwards compatible to previous version. See Compatibility to 2.1.x for details.
The API release is installed on:
G+D Azure Sandbox test environment | February 28th, 2024 |
G+D Azure Production environment | July 25th, 2024 |
Release 2.1.x includes Token Updated Notification - reason handling
Compatibility note: This API version is NOT fully backwards compatible to previous version. See Compatibility to 2.0.x for details.
The API release is installed on:
G+D Azure Sandbox test environment | February 14th, 2024 |
G+D Azure Production environment | February 15th, 2024 |
Compatibility: This API version is NOT backwards compatible with previous versions!
Release 2.0.x includes statusCode improvements, for more information see Error handling V2
Compatibility note: This API version is NOT fully backwards compatible to previous version. See Compatibility to 1.7.x for details.
The API release is installed on:
G+D Azure Sandbox test environment | November 14th, 2023 |
G+D Azure Production environment | December 7th, 2023 |
Compatibility: This API version is NOT backwards compatible with previous versions!
Note: Version 2.0.x is reaching END OF LIFE by July 31st, 2024
Note: Version 1.7.x is reaching END OF LIFE by July 31st, 2024
The eCOM Tokenizer uses multiple security layers:
Similarly, the Notification API, that is published by the Customer must also be protected by TLS.
In case Customer calls the API without a TLS client certificate, or with a wrong TLS client certificate, then the request is responded with HTTP 403.
G+D also uses TLS client certificates when it sends notifications to the Notification API published by the Customer. Customer may decide to implement client certificate check in the Notification API.
The sensitive data is formatted as a small JSON message. In the OpenAPI specification the objects FundingAccountDataPlain and TransactionPayloadPlain describe these sensitive JSON types.
Once the sensitive JSON messages are assembled, they have to get JSON Web Encrypted (JWE), before they are inserted into the top level JSON messages.
From the list of possible key wrapping ciphers standardized by JSON Web Algorithms (https://datatracker.ietf.org/doc/html/rfc7518) chapter 4.1 we support RSA and EC cipher:
For RSA keys we allow any keys size above or equal to 2048 bits. For EC keys we support all the curves that are mentioned in the RFC, that are currently P-256, P-384, P-521.
From the JWA content encryption algorithms listed in chapter 5.1 of the RFC we support all:
During customer onboarding the customer has to choose a pair of JWE key wrapping and content encryption algorithms.
Separate keys are used for encryption in JSON request and JSON responses. In case of requests, G+D possesses the private key and Customer is provided with the public key. In case of responses, it is the opposite way.
The JWE encrypted data has to be compact encoded (dot separated) and added to the top level messages as strings, please see the OpenAPI specification.
The JWE header has to contain the following elements, apart from the mandatory elements as specified by the RFC:
Acquiring a client certificate can be done in the following way:
G+D will provide its TLS client certificate chain, that is used for notification sending.
Customer chooses between RSA and EC key types. In both cases G+D generates the key pair and shares the public part with Customer. The Key ID is also shared that will be used as "kid" in the JWE header.
Customer chooses between RSA and EC key types. In both cases Customer generates the key pair and shares the public part with G+D. The Key ID will be generated and shared by G+D. It will be used as "kid" in the JWE header.
PSD2 has impact on the Transact API. The Token Requestor should be able to identify if a certain Payment Transaction falls under PSD2 SCA requirement.
Note In case PSD2 SCA is required, the payment cryptogram has to get "dynamically linked" to the transaction details. In this case the sending of "amount" and "currencyCode" fields in the Transact request is mandatory.
Note
You can use any of the following test cards to simulate a successful card enrollment/tokenization scenario.
Card Number | Expiry Date | CVV |
---|---|---|
2222690420064590 | Any Future Date | Any |
2222690420064574 | Any Future Date | Any |
2222690420064582 | Any Future Date | Any |
5120350100064594 | Any Future Date | Any |
Tokenization Eligible Test Cards on Mastercard's site
You can use the following test cards to simulate the TOKENIZATION_INELIGIBLE scenario:
Card Number | Expiry Date | CVV |
---|---|---|
Currently, mastercard does not provide any cards to test TOKENIZATION_INELIGIBLE scenario |
You can use the following test cards to simulate the PAN_INELIGIBlE scenario:
Card Number | Expiry Date | CVV |
---|---|---|
5460126128200800 | Any Future Date | Any |
5207980000000102 | Any Future Date | Any |
You can use the following test cards to simulate the INVALID_PAN scenario:
Card Number | Expiry Date | CVV |
---|---|---|
5204731601950473 | Any Future Date | Any |
You can use the following test cards to simulate a scenario where tokenization is declined by the issuer.
Card Number | Expiry Date | CVV |
---|---|---|
5120340000000392 | Any Future Date | Any |
5120350100000036 | Any Future Date | Any |
NOTE: Due to the VTS tokenization rules, there is a maximum number of tokens (149) with which a Visa FPAN can be tokenized. This limit is valid for the VTS Sandbox as well as for VTS Production.
Therefore, when reaching that limit, the tokenization request will fail with following error: VTS_CARD_NOT_ALLOWED - tspMessage: The maximum number of tokens has been exceeded for the given PAN
Once the limit of maximum tokenizations is reached, the FPANs can’t be tokenized furthermore.
Related to testing, in order to avoid reaching this limit, you should use the same value for UserData -> accountId field in every request of the Tokenize API.
Please use unique values only to a very limited extent if you need to test token deletion functionality.
If you reach the error limit, you must use a new test PAN.
Card Number | Expiry Date | CVV |
---|---|---|
4622943123040843 | 2025-12 | 858 |
4622943123040850 | 2025-12 | 267 |
4622943123040868 | 2025-12 | 734 |
4622943123041601 | 2025-12 | 270 |
4622943123041619 | 2025-12 | 583 |
4622943123041627 | 2025-12 | 796 |
4622943123041635 | 2025-12 | 121 |
Any other PAN can be used for the non-eligible case.
As Elo currently does not allow tokenization of the same card twice, no permanently working test pans can be provided from eCOM side.
However, you can generate your own card PANs with the following test BIN range: 85051692
In order to generate a valid PAN, you must add a random 5-6 digit part to the test bin range, and add the valid checksum to the end. Therefore the maximum length of a valid PAN is 15 digits. You can generate pans according to the following schema: 85051692 + [0-9]{4, 6} + valid checksum digit
For ELO onboarding a CNPJ must be provided, as described in the onboarding section.
CNPJs for testing must also be created according to the rules of valid CNPJs. Otherwise, onboarding to ELO will fail.
Following frequently asked questions. If there are points or questions not covered, please contact us.
Out-of-the-box: Mastercard, Visa and Elo. Support for other card schemes like CB, JCB, Amex, Discover, DinersClub are either already in development or on the roadmap.
The adoption, i.e. the support of network tokenization by issuers is in the most regions high (more than 50%) resp very high (more than 80%).
The usage of the cryptogram for a Merchant Initiated Transactions (MIT) such as recurring payments is network specific.
The initial transaction for the first payment with the token must be with the cryptogram.
Once approved, the merchant or their PSP needs to store the transaction ID (TID) provided by the payment processor as a response to a successful transaction.
For subsequent MIT transactions, no cryptogram is required. Instead, the TID from this first payment transaction must be provided as well as relevant information about the transaction itself.
The initial transaction for the first payment with the token must be with the cryptogram.
An acquirer must use for subsequent MIT (for recurring/partial shipment payments) Security Level Indicator (SLI) values of 247, traceID from the first initial tokenized payment transaction but a cryptogram is not.
When TOKEN_REFRESH reason is received in the token-updated notification, the subsequent MIT must use the new token value & token expiry date and need to carry the fresh cryptogram.
In addition, you should also send Security Level Indicator (SLI) value 246. Subsequent transactions can revert to SLI value 247 and a cryptogram is no longer required.
Example:
Day X – Agreement transaction with token: SLI 212 + cryptogram + AAV
Day X+7 – First subsequent MIT: SLI 247, no cryptogram, traceID from Day X
...
Day X+10 – Token-updated notification with TOKEN_REFRESH reason
Day X+14 – Subsequent MIT: SLI 246, new token, fresh cryptogram, traceID from Day X
Day X+21 – Subsequent MIT: SLI 247, new token, no cryptogram, traceID from Day X
Elo requires always a cryptogram to be sent, also in every MIT.
G+D does not store the network tokens, only token references. There is no need to store the tokens, except for recurring payments (MIT transactions).
Network tokenization covers all functions of ABU/account updater plus additional functions like the meta data and represents the most up-to-date approach. Despite the benefits of NT (e.g. no need to run an update twice a month) not all cards/issuers are yet supported. For these cards/issuers it could make sense to continue with the updater service for the time being.
Please check in the API References sections, all response parameters are listed (e.g. tokenReference, tspTokenReference, tokenInfo, cardMetadata etc.) G+D handles the PAN always in encrypted format, i.e. no BIN information is retained.
No negative latency experienced.
Note: Recurring reansactions do not require cryptogram requests, these are handled with same token and cryptogram from initial transaction.
Some benchmarks:
- Network Tokenization involves issuer response -> in the area of
seconds
- Cryptogram request involves G+D and TSP -> in the area of milliseconds.
There are no restrictions from G+D side, but potentially some dependencies on the card scheme TSP side to be considered.
Please note that the G+D service returns in addition to the card scheme agnostic token references, the card scheme specific token reference ID, so there is no risk of a lock-in into the G+D service.