Visa Token Service (VTS) is an innovative security feature provided by Visa. After the customer performs their first successful payment on your site, it replaces the customer’s card number stored on our system with a unique identifier called a token. When the customer returns to your site to make new purchases, the token is used in place of their sensitive payment credentials, reducing the risk of their data being compromised.
Tokenization is based on the EMVCo payment tokenization standard and aligns with EMV technology (the global standard for secure payments). When you participate in tokenization, e-commerce transactions are processed with minimal risk of fraud, because the technology greatly reduces the likelihood of sensitive payment credentials being exposed. Furthermore, tokens can be limited to a specific mobile device, merchant or number of purchases (say, a limit of 5) before expiring.
To enable VTS on your site reference, you will need to contact our Support Team and request that this feature be enabled. Once enabled, tokenization will automatically be attempted for all successfully-authorised transactions processed with Visa-branded cards. This process requires no additional configuration.
- If the tokenization attempt is successful, all future transactions with this card will be processed with the token instead of the customer’s sensitive card details.
- If the tokenization attempt is unsuccessful, all future transactions with this card will be processed using the customer’s sensitive card details (as with a standard non-tokenized payment). However, we will attempt to generate a Visa Token (to tokenize the card details) on these subsequent re-authorisation requests, provided they are authorised successfully.
About URL notifications for VTS
You can update URL notifications to identify transactions as processed using a token. To do this, go to the Action and add the following custom fields:
When receiving a URL notification, transactions processed using a token can be identified when tokenisedpayment=1 and tokentype=VISATOKEN. For tokenised payments, the walletdisplayname contains the last 4 digits of the card number associated with the token.
To configure URL notifications, you will need to use the MyST Rule manager. Click here to learn more.
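An added example (not code from the original page): a receiver-side check that applies the rule above to a notification and keeps only the last four digits from walletdisplayname. It assumes the notification arrives as a form-encoded POST body; the function name and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Field names as given in the notification description above.
TOKEN_FIELDS = ("tokenisedpayment", "tokentype", "walletdisplayname")

# Constructed sample bodies (not real notifications).
SAMPLE_TOKENISED = "tokenisedpayment=1&tokentype=VISATOKEN&walletdisplayname=1111"
SAMPLE_CARD = "tokenisedpayment=0&tokentype=&walletdisplayname="


def classify_notification(body: str) -> dict:
    """Return whether a notification describes a Visa-token payment.

    Assumption: `body` is the raw application/x-www-form-urlencoded POST body.
    """
    parsed = parse_qs(body, keep_blank_values=True)
    values = {}
    for name in TOKEN_FIELDS:
        got = parsed.get(name, [])
        if len(got) > 1:
            # A repeated field is ambiguous; refuse rather than pick one.
            raise ValueError(f"duplicate field in notification: {name}")
        values[name] = got[0].strip() if got else ""

    # Both conditions must hold exactly; anything else is treated as a card payment.
    tokenised = (values["tokenisedpayment"] == "1"
                 and values["tokentype"] == "VISATOKEN")

    last4 = None
    if tokenised:
        # Keep only the trailing four digits, so nothing longer is stored or logged.
        match = re.search(r"(\d{4})\D*$", values["walletdisplayname"])
        last4 = match.group(1) if match else None

    return {"tokenised": tokenised, "card_last4": last4}


if __name__ == "__main__":
    print(classify_notification(SAMPLE_TOKENISED))
    print(classify_notification(SAMPLE_CARD))
```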
Processing future payments using token
When a customer’s card has been tokenized using the process described above, if you process a re-authorisation using MyST, the token will be used in the new authorisation request in place of the customer’s card details (this happens automatically).
You can quickly identify transactions processed using a token by viewing the details in MyST and checking that the value of the Tokenised payment field is set to “1”. The Token source type field identifies the type of token used for this payment (“VISATOKEN”), as shown in the example below:
Note that with tokenized payments, the Card number refers to the unique token number. The last four digits of the customer’s card number can be found under the Wallet details section, by the Wallet display name field, as shown in the following example:
Alternatively, if you want to use our Webservices API to process new transactions using the token, your system can process a new AUTH request that references the stored token. Click here to learn how.