eAPI-Tokenization
Introduction
eAPI-Tokenization is a versatile InComm Enterprise API designed to fulfill various tokenization requirements
in compliance with PCI requirements. It can serve as a tokenization provider, act as an extension feature for
existing payment applications, or integrate with external token providers, offering flexibility and choice to our
clients. It adapts to diverse business cases, including e-commerce, in-store, mobile apps, and more.
Domain
Understanding the concept of a domain is crucial for comprehending the application. A domain is a token
space with its own configuration and rules that determine how tokens are generated, how tokens expire, and
who can access those tokens.
- Tokens are unique per domain.
- All the tokens within a domain have the same configuration.
- Expiration: we offer different options for token expiration.
  - Non-expiration.
  - Expiration by a unit of time (e.g. hours, days, months).
  - Expiration after a number of usages.
- Token format: we offer different options for the format of the tokens.
  - Tokens can be fully random with numbers, letters, and symbols.
  - Tokens can preserve digits and lengths from the original data.
- Domains are unique per Merchant or per Merchant business logic.
- A domain can be set with unicity, which means it always returns the same token value for the same
card. This unique tokenization can be used to track buying patterns, support loyalty programs, and protect
against fraud.
To make this clear, the following are examples of domains with common configurations.
Domain for format-preserving tokens
- Numeric tokens.
- Preserve the BIN of the card.
- Preserve the LAST 4 of the card.
- Luhn check validation does not pass.
- Tokens do not expire.
Examples
| Card Number | Token |
|---|---|
| 4111 1111 1111 1111 | 4111 1134 6126 1111 |
| 3411 111111 11111 | 3411 114618 51111 |
| 5431 1111 1111 1111 | 5431 1197 6316 1111 |
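The rules of this domain can be checked mechanically. The following is an added example, not InComm's code or algorithm: it verifies the tokens in the table above against the listed rules and sketches a hypothetical generator. The 6-digit BIN length (taken from the examples) and all function names are assumptions.

```python
import secrets

BIN_LEN, LAST_LEN = 6, 4  # assumption: 6-digit BIN, as in the page's examples

def digits_of(s):
    """Strip the display spaces used in the tables; reject anything non-numeric."""
    d = s.replace(" ", "")
    if not d.isdigit():
        raise ValueError("expected digits and spaces only")
    return d

def luhn_valid(number):
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits_of(number))):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def violations(pan, token):
    """Return the rules of the format-preserving domain that `token` breaks."""
    p, t = digits_of(pan), digits_of(token)
    checks = [
        (len(t) == len(p), "length differs"),
        (t[:BIN_LEN] == p[:BIN_LEN], "BIN not preserved"),
        (t[-LAST_LEN:] == p[-LAST_LEN:], "last 4 not preserved"),
        (not luhn_valid(t), "passes Luhn, looks like a card number"),
    ]
    return [msg for ok, msg in checks if not ok]

def make_token(pan):
    """Hypothetical generator: random middle digits, redrawn until Luhn fails."""
    p = digits_of(pan)
    middle_len = len(p) - BIN_LEN - LAST_LEN
    if middle_len < 1:
        raise ValueError("PAN too short for this format")
    while True:
        middle = "".join(secrets.choice("0123456789") for _ in range(middle_len))
        token = p[:BIN_LEN] + middle + p[-LAST_LEN:]
        if not luhn_valid(token):
            return token

# The three card/token pairs from the table above.
PAGE_EXAMPLES = [
    ("4111 1111 1111 1111", "4111 1134 6126 1111"),
    ("3411 111111 11111", "3411 114618 51111"),
    ("5431 1111 1111 1111", "5431 1197 6316 1111"),
]
```

Because a conforming token fails the Luhn check, any system that validates card numbers with Luhn will reject it rather than treat it as a real card number.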
Domain for numeric tokens
- Numeric tokens.
- Tokens are unrelated to the original data (do not preserve digits).
- Tokens expire after one use (one de-tokenization).
Examples
| Card Number | Token |
|---|---|
| 4111 1111 1111 1111 | 7417562709812456425 |
| 3411 111111 11111 | 1458295037190944343 |
| 5431 1111 1111 1111 | 3427587491028371257 |
Domain for alphanumeric tokens
- Tokens expire in a month.
- Tokens are totally random with numbers and letters.
- Tokens are not related to the original data.
Examples
| Card Number | Token |
|---|---|
| 4111 1111 1111 1111 | ed42d479d1e1466f867b3f3f35a487f0 |
| 3411 111111 11111 | 1f5c460b9ceb4372a33f9a3f12ca5102 |
| 5431 1111 1111 1111 | 5542a8b9bd0f4635b49a05828c710592 |
Domain for UUID tokens
- Tokens are in UUID format.
- Tokens do not expire.
- Tokens are not related to the original data.
Examples
| Card Number | Token |
|---|---|
| 4111 1111 1111 1111 | 7f822bc1-8a1d-456d-8611-0872daaafdfa |
| 3411 111111 11111 | 9b349ac5-dfa1-449e-a555-7155ca51c2dd |
| 5431 1111 1111 1111 | 7307b73c-249d-45b5-878d-44c0c259a76d |
Token providers
The application is designed to be versatile and support multiple token providers, including eAPI-Tokenization
itself. This flexibility allows the Merchant to choose from a range of tokenization options and leverage the
most suitable token provider based on their specific requirements.
Third-party providers
- Token Management Service (TMS, security tokens) from Worldpay (FIS)