Tokenization for eCommerce
We have split the eCommerce tokenization process into two steps. Because the customer enters the card manually, an additional validation step, known as card registration, is required to ensure that only valid cards are tokenized. This helps prevent the creation of tokens for non-valid cards. The diagram below gives a high-level view of the process.
A High-Level Diagram Illustrating how to create a token while validating a card
- The diagram above can be seen as a card registration flow, ensuring the token created is from a valid card.
- Since it’s a non-financial-impact transaction, the process can be performed several times without changing the final result (depending on the domain configuration).
- The generated token can be stored in the eCommerce application, eliminating the need for storing sensitive card information.
Once card registration has validated the card and created a token, the token can be used instead of the card to perform a payment transaction (see diagram below).
A High-Level Diagram Illustrating how to perform a payment transaction supplying a token instead of a card
The flow is similar to Tokenization as a Payment Platform Extension. Once the token is created, it can be used as a replacement for the card.
Alternative
Alternatively, the token can be generated directly by making a call to eAPI-Tokenization. In this approach, card validation occurs during the tokenization process. When a user inputs an invalid card in the eCommerce application, eAPI-Tokenization detects it by calling eAPI-Payments to validate the card during the tokenization process. The diagram below gives a high-level view of the process.
A High-Level Diagram Illustrating how to tokenize by calling eAPI-Tokenization from an eCommerce application
- The diagram above can be seen as a card registration flow, ensuring the token created is from a valid card.
- eAPI-Tokenization validates the card against eAPI-Payments using a non-financial-impact transaction. It’s the responsibility of eAPI-Payments to route the transaction to the appropriate payment processor.
- Currently, card validation is exclusively supported for OTC cards, which means domains with otc-card as the data scheme.
- This validation is conducted online, meaning it occurs during the tokenization process, which adds latency to the tokenize call.
- If the PAN is supplied, it is validated and confirmed to be an OTC card.
- If the CSC is supplied, validating it requires the PAN and EXP fields to be supplied as well. With all three fields present, the PAN and CSC of the OTC card are validated.
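The field rules in the list above can be checked on the caller's side before the tokenize call is made. The following is an added example, not eAPI-Tokenization code: the names `CardFields` and `plan_validation`, the lower-case field names, and the choice to reject a CSC-only request with `ValueError` are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

OTC_SCHEME = "otc-card"  # data scheme named in the list above


@dataclass(frozen=True)
class CardFields:
    """Card fields a caller may send for tokenization (hypothetical container)."""
    pan: Optional[str] = None
    exp: Optional[str] = None
    csc: Optional[str] = None


def plan_validation(data_scheme: str, card: CardFields) -> list[str]:
    """Return the fields the online card validation would cover.

    Assumption: a CSC sent without the PAN and EXP it depends on is
    rejected up front (ValueError) rather than sent to the service.
    """
    if data_scheme != OTC_SCHEME:
        # Card validation is only supported for otc-card domains.
        return []
    if card.csc is not None:
        missing = [name for name in ("pan", "exp") if getattr(card, name) is None]
        if missing:
            # Report field names only; never echo card data in an error.
            raise ValueError("csc supplied without: " + ", ".join(missing))
        return ["pan", "csc"]
    if card.pan is not None:
        return ["pan"]
    return []


# Constructed sample values, not real card data.
SAMPLE = CardFields(pan="6000000000001234", exp="1230", csc="123")

if __name__ == "__main__":
    print(plan_validation(OTC_SCHEME, SAMPLE))
    print(plan_validation(OTC_SCHEME, CardFields(pan=SAMPLE.pan)))
```

Running the check before the call avoids a tokenize round trip for a request that lacks the fields CSC validation depends on.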