Tokenisation Service Guide 1.4
Tokenisation Service Guide 1.4
Tokenisation Service Guide 1.4
Guide
Version: 1.4
01 April 2022
The material contained in this guide is copyrighted and owned by Global Processing Services
Ltd together with any other intellectual property in such material.
Except for personal and non‐commercial use, no part of this guide may be copied,
republished, performed in public, broadcast, uploaded, transmitted, distributed, modified or
dealt with in any manner at all, without the prior written permission of Global Pr ocessing
Services Ltd., and, then, only in such a way that the source and intellectual property rights are
acknowledged.
To the maximum extent permitted by law, Global Processing Services Ltd shall not be liable
to any person or organisation, in any manner whatsoever from the use, construction or
interpretation of, or the reliance upon, all or any of the information or materials contained in
this guide.
The information in these materials is subject to change without notice and Global Processing
Services Ltd. assumes no responsibility for any errors.
To find out about the steps involved in implementing a tokenisation project, see
Implementing a Tokenisation Project.
For GPS token service configuration options, see GPS Configuration Options.
Document Description
Web Services Guide Provides details of the GPS Web Services API.
EHI Guide Provides details of the GPS External Host Interface (EHI).
Smart Client Guide Describes how to use the GPS Smart Client to manage
your account.
Visa Token Service Guide Describes the Visa token service. Available online at: Visa
Token Service.
Note: You may need to register with an account with Visa and Mastercard to access these
sites.
Device physical
Chip
or virtual Chip
PAN 1234 5678 9112 3456
234 5 6787
– 897 6 5412 DPAN
MR A. TESTER
EMV personalised EMV personalised
data data
Card Manufacturer Card Tokenised device
Tokenisation is increasing the adoption of mobile wallet and other new payment technology
and improving security across the industry. Its use will continue to grow as more merchants
and issuers enable the service.
Both Mastercard and Visa offer a tokenisation service to card issuers. Mastercard offer the
Digital Enablement Service (MDES) and Visa offer the Visa Token Service (VTS); GPS refer to
the Visa service as the Visa Digital Enablement Program (VDEP). GPS supports both of these
tokenisation services.
Note: GPS do not share details of the FPAN or DPAN with Program Managers (GPS clients).
When a card is created on the GPS system, we provide a unique public token that is linked to
the card, and which can be used for queries and services on that card. The GPS public token
is for internal use only between GPS and the Program Manager; it should not be confused
with the payment token created during the tokenisation process described in this guide.
The Token Service Provider (Visa/Mastercard) receives token requests from the Token
Requestor and sends them to GPS for authorisation. There is no direct connection between
GPS and the Token Requestor during tokenisation and GPS does not have the capability to
act as a Token Requestor.
When using mobile wallet token requestors (such as Apple and Android), the Program
Manager (GPS customer) requires a separate commercial agreement with each of the three
parties involved in tokenisation.
For online merchant tokenisation (i.e., for online payments), the card issuer does not need to
have an existing relationship with the merchant.
2 3
1
6 5 4
1. The cardholder enrols their card with a token requestor (either an online merchant or
a mobile Wallet provider).
2. The token requestor requests a new token from the token service provider
(Visa/Mastercard).
3. The token service provider creates the payment token (DPAN), containing EMV and
other card data, to replace the cardholder’s FPAN.
The token service provider sends a Token Activation Request (TAR) to the issuer host
(GPS).
4. GPS decides if token activation can continue, based on the GPS Configuration
Options set up for your programme. (See Token Authorisation Options below.)
5. With GPS approval the token service provider (Visa/Mastercard) activates the new
payment token and sends the newly created token to the token requestor.
6. For an Online Merchant payment token, the token is stored for use on their website.
For a Mobile Wallet payment token, it is installed on the phone for mobile Near Field
Communication (NFC) use.
Note: Your GPS Wallet Usage Group configuration is used to determine the appropriate flow
to trigger2. Most GPS Program Managers implement the approve with authentication flow.
Cardholder authentication is only needed by mobile wallet token requestors (such as Apple
and Android), where the cardholder is present at the time the card is being tokenised.
To authenticate a cardholder during token provisioning, the cardholder is provided with a
One-Time Password (OTP) generated by the token service provider (Visa/Mastercard). The
cardholder enters the OTP value into their mobile app for validation.
The Program Manager decides what delivery options are available to the cardholder for the
OTP. These options can include:
• SMS text message to mobile phone
• Push notification/in-app notification
1 Note that in some circumstances it possible for a Program Manager or issuer to set up rules on Mastercard or
Visa to ignore or overrule the GPS response to a TAR. Please contact the card schemes for details.
2 Your Wallet Usage Group can be viewed in Smart Client. If the token request or is ApplePay, they populate the
request with a score (Wallet device score and Wallet account score), which can be used to determine if further
cardholder authentication is required. See GPS Configuration Options.
Note: GPS currently only sends the OTP via SMS text message directly to the cardholder’s
mobile phone. For all other OTP methods, you will need to deliver the OTP to the cardholder.
The OTP is always sent via EHI, even if GPS also sends an SMS direct to the cardholder. The
OTP can be viewed in Smart Client or retrieved via Web services.
2
1
3
4 8 7
Program Manager
This flow commences after the token has been generated, but further user authentication is
required before it can be used:
1. GPS sends an 85 (approve with authentication) response to the token service provider
(Visa/Mastercard). The response contains a list of cardholder verification methods
(CVMs), based on the configuration of your Wallet Usage Group for your cards.
2. The token service provider sends a list of available cardholder verification methods to
the cardholder.
3. The cardholder selects one of the verification methods shown on their mobile phone
wallet application.
4. The Token Service Provider receives the method selection and sends the one-time
password (OTP) to GPS.
5. GPS always sends the OTP over the External Host Interface (EHI) to the Program
Manager.
6. If the cardholder selected the SMS option and you have requested that GPS send the
message on your behalf, then GPS sends the OTP to the cardholder via SMS.
Push provisioning requires you to share sensitive card data held on your system with the
token service provider (without the cardholder needing to manually enter the PAN details
into their mobile application). The cardholder must be logged into their account (i.e., logged
in to their mobile application) in order to be able to authenticate.
To implement push provisioning, you can either do this directly with the token service
provider or via the GPS-MeaWallet Integration service.
Note: If you are not PCI DSS Level 1 compliant, you will not be able to do push provisioning
directly, as this requires obtaining sensitive card data, such as the PAN. In this case, you can
use the GPS-MeaWallet Integration service.
If you are managing the push provisioning process directly, some integration work with the
token service provider (Visa/Mastercard) is required during the implementation phase of the
project: you must exchange a pre-shared key with the token service provider; see Exchange
of Keys. This key is then used to encrypt the sensitive card data which is passed to the token
requestor and finally for the token service provider to decrypt.
At this point the tokenisation flow will begin.
3 You must provide GPS with the SMS text message to send to the customer. This message can contain dynamic
fields. For details, check with your Implementation Manager. GPS always sends the SMS to the phone number
linked to the card on our systems (note that this may not be the same as the device which is being tokenised).
The incoming token activation request (TAR) sent to GPS also confirms whether Push
Provisioning has already been completed. In this case, GPS has a configurable option to
return an approve or decline decision to Visa/Mastercard without requiring further
authentication.
It is important that this override of the authentication response is enabled for your program,
otherwise GPS may respond with a request to authenticate a cardholder who has already
been authenticated, which will lead to a poor customer experience and may fail Token
Requestor live testing.
This integration enables MeaWallet to retrieve the PAN and other relevant card data directly
from the GPS platform. MeaWallet then encrypts the card data and sends the encrypted
payload to your cardholder’s mobile phone application to pass to the token requestor and
then to the token service provider (Visa/Mastercard).
During the project implementation phase, pre-shared keys are exchanged between
MeaWallet and the token service provider, allowing MeaWallet to encrypt and token service
provider to decrypt the card data. The Program Manager and token requestor do not have
access to the keys.
MeaWallet provide a software development kit (SDK) to support their solution. For details,
see the MeaWallet website.
2 3
1
5 4
Mobile Phone
Cardholder Account App Issuer Host
MeaWallet (Push
(GPS)
6
Provisioning)
1. The cardholder confirms the card to be added to their mobile phone application for
your service.
2. Your mobile phone app requests encrypted card data for push provisioning from MeaWallet.
3. MeaWallet requests the card data (PAN, expiry, CVV2) from GPS.
4. GPS returns the card data to MeaWallet.
5. MeaWallet encrypts the data and returns it to the mobile phone app.
6. The encrypted data is passed to the token requestor (e.g., Apple and Android).
7. The token requestor sends the encrypted data to the token service provider.
8. The token service provider decrypts the card data and starts the token provisioning flow.
You will also need to enable online merchant Token Requestors. You do not require a pre-
existing relationship with the merchant. Since merchants replace the live PAN with a token,
you do not need to store the PAN. The merchant sends only the token to the Token Service
Provider who maps it back to the real PAN before sending to GPS. This is done to improve
card data security.
In October 2020, Visa launched the Visa Cloud Token Framework (CTF). This product is a
precursor to supporting the EMVCo Secure Remote Commerce (SRC) functionality 5. SRC aims
to introduce a common e-checkout experience that cardholders will trust, called Click to Pay.
CTF allows online Merchant Token Requestors to bind their previously created Card On File
(COF) tokens with devices which they can authenticate belongs to their customer. The device
binding process allows merchants to directly authenticate that the cardholder owns the
device they are paying from.
How does it work?
The Online Merchant Token Requestors creates a COF token through the standard Token
Provisioning flow (Green flow, without Authentication).
The token can then be bound to a device. During binding, the Online Merchant Token
Requestors usually requires cardholder authentication, by sending an OTP to the cardholder.
This cannot be done by push notification through an app (this is against the Visa rules and
OTP standard). Methods such as SMS are still valid.
4
Card on File (COF) is also referred to by Mastercard as MDES for Merchants.
5 Precursor to Visa Secure EMVCo data.
1 2
3
6
Personalisation can either be done on the device or SIM card (known as Secure Element
tokenisation) or in the cloud using Host Card Emulation (HCE).
• Apple Pay, which has access and control of the device and has pre-installed EMV
chips that can be personalised, uses Secure Element (SE)
• Android, which is an operating system installed on various devices owned by other
companies, uses HCE6.
Other Mobile Wallet token requestors vary between SE and HCE and it is their decision which
option is implemented. GPS can support both SE and HCE mobile wallet token requestors.
The data from the personalised device is transmitted to the Point of Sale (POS) terminal
during an in-store transaction. The POS terminal then formats this into an authorisation
request, which does not contain the real PAN, but uses the device token. This authorisation
request is sent to Visa/Mastercard who maps the token back to the PAN before sending on
to GPS.
Visa/Mastercard Stand-In Processing
When setting up your programme configuration options on Visa or Mastercard, you must
specify that they do not authorise Tokenisation Approval Requests (TARs) on behalf of GPS.
A TAR must always be generated by the token service provider and approved by GPS 7. GPS
declines transactions on tokens that do not exist on the GPS platform.
6 An EMV program on the Android device manages transactions and communi cates with a secure cloud host card
emulator, where the keys for use for a transaction are generated.
7 In scenarios where Visa/Mastercard can do Stand -In processing (STIP), they must not have any settings for your
programme that pre-approves a tokenisation approval request (TAR); this must always be generated by the Token
Requestor. If GPS does not receive the TAR, we will decline transactions on the token.
1 2
3
6
8
The POS terminal treats the data received from the device in exactly the same way as data transmitted from a
normal contactless card.
1 3
2
5 4
Note: GPS receives around 100-200 new Token Requestor updates a month from Visa.
Mastercard add them to their generic MDES for merchant 3-digit token requestor code, so
we do not need to update.
Note: Please ensure GPS are involved in helping you complete the documents listed below.
You must complete the GPS Digital Wallet Product Set Up Form (PSF) to confirm your
tokenisation service configuration options. For details, see GPS Configuration Options.
If you want to receive tokenisation messages via the GPS External Host Interface (EHI), in
your Product Setup Form (PSF), ensure you tick the option to enable TAR transaction types.
For details, see the EHI Guide.
Mastercard provide a Mastercard Test Facility (MTF), which can be used to test your MDES
integration. MTF connects to the GPS test environment. You can add your phone to MTF to
send test tokenisation messages to GPS. Please contact Mastercard to enable this service.
Visa provide a test service sandbox, which can be used to test outbound calls. For details,
please contact Visa.
Note: Some integration work may be required on your end to integrate to the Mastercard or
Visa test services. Many GPS clients prefer to complete tests in the production environment.
Note: If you require non-standard functionality, you will need to raise a separate GPS project
(development work is required). Check with your account manager for details.
You then need to set up a payment token usage wallet group for each Token Requestor. See
the example in Figure 10 below.
Note that all COF Token Requestors are grouped into one payment token usage wallet group
for ease of configuration.
For details of the fields in the Digital Wallet Product Set Up Form, see GPS Configuration
Options.
Note: Online Merchant Token Requestors are provided as a single group (called
MRCHTOKEN), so you cannot set different token logic for individual online merchant token
requestors.9
General Options
Group Usage The default usage group that If you want any different functionality for
should be assigned to the transactions on payment tokens than
wallet. your existing physical or virtual cards,
then specify a different usage group
(set at Payment Token
Usage Group level) here to be used just for tokens. 10
Artwork The reference that GPS should For Static card art: Leave blank (for Visa)
return to Visa/Mastercard for or add a Mastercard reference.
T&Cs and card art.
For Dynamic card art: Leave blank.
Dynamic Whether the artwork is If dynamic, select Yes. When you send
dynamic GPS a create card request (using the
For details, see Dynamic vs. Ws_CreateCard web service) GPS will
Static Card Art pass the contents of the ProductRef field
to Visa/Mastercard.
Default The default response that GPS Set to approve if you have scenarios
Decision should provide when a TAR where you want to approve a TAR
arrives. without authentication 11.
If you always want to authenticate the
cardholder then set to authenticate.
Set to decline if you are setting up a
decline-only group. These groups are
9
MRCHTOKEN is also referred to as M4M (by Mastercard) and Card on File (by Visa).
10 Example, to prevent payment tokens to be used for ATMs with NFC enabled, or tokens to be used overseas.
11 Not applicable for Push Provisioning. Please see the setting for “Override approve-with-auth to Approve for in-
app provisioning” for further information on how to correctly set up push provisioning for Wallet Provider testing.
CVV2 Missing The response code that GPS For Mobile Wallet tokenisation, set to
should return if the CVV2 is approve or authenticate depending on
missing from the TAR. your risk appetite.
For the MRCHTOKEN wallet provider,
this should be set to approve.
Note: Online merchant token activation
requests must not decline for missing
CVV2.
AVS Missing The response code that GPS For Online Merchant tokenisation, this
returns if address data is should be set to approve.
missing from the TAR. For Mobile Wallet tokenisation, set to
approve or authenticate depending on
your risk appetite.
Wallet The action GPS should take if Set to Approve, Authenticate or Decline
Decision the incoming TAR from the depending on your risk appetite and the
Decline token requestor recommends cardholder journey requirements.
decline.
Wallet Device The default score that GPS These scores are often missing (since
Score Default should assign if there is no many Token requestors do not provide a
device score on the incoming score).
TAR. The default is 3, but you can set a higher
or lower threshold, depending on your
risk appetite. See Wallet Device and
Account Scoring.
Wallet The default score that GPS These scores are often missing if the
Account Score should assign if there is no Token requestor is not Apple.
Default account score on the
The default is 3, but you can set a higher
incoming TAR. or lower threshold, depending on your
risk appetite.
Wallet Device The maximum device score The default is 3, but you can set a higher
Score Max required to trigger the or lower threshold, depending on your
Auth Authenticate flow. Device risk appetite. See Wallet Device and
scores are between 1 and 5. Account Scoring.
Wallet The maximum wallet score to Usually set to 3 but you can set higher or
Account Score trigger the Authenticate flow. lower threshold depending on your risk
Max Auth Wallet scores are between 1 appetite.
and 5.
Override-with- GPS can identify TARs where Always set Override Enabled for a better
auth to push provisioning has been customer journey. If it is not enabled the
Approve for used. In these requests the cardholders will often need to
in-app cardholder has already been authenticate twice.
provisioning authenticated so this option
The override is required to pass Apple
allows you to prevent a
testing.
request for further
authentication to be sent.
Override Whether to override the Select Yes if you want different settings
Activation and Payment Token Usage specific to your Payment Token Usage
Notification Group settings Wallet Group.
Settings
If you select No, then leave the Activate
and Notify options blank.
Activate: Call The number to call if you want Leave blank for no call centre, otherwise
Centre Tel cardholders to be able to enter the phone number that GPS
Number telephone a call centre to should return to the token service
activate their payment token. provider. If you need different call centre
numbers for different groups of
12For Mastercard, GPS do not receive the full authentication data to support this option. We also highly
recommend you do not enable for Visa as this may lead to a poor custome r journey (where the token is declined
and the terminal prompts to insert a card).
Activate: The reference GPS should Leave blank for no mobile app,
Mobile App send to the cardholder if you otherwise enter the reference that GPS
Reference want cardholders to be able should return to the token service
to activate their payment provider.
token in the app.
Activate: URL cardholders use to Enter the website URL you want
Website URL retrieve an OTP. cardholders to go to for their OTP.
Activate Email Whether to activate email as This option is required if you want email
an OTP delivery option to be returned to the cardholder as an
option for authentication; note that GPS
will not send the email directly to the
cardholder and your systems will need to
implement this: you can retrieve the
OTP from EHI and handle with your own
messaging and branding.
If you are interested in GPS sending
emails directly, please raise with your
Account Manager.
Activate SMS Whether to activate SMS as If you want to send your own SMS, then
an OTP delivery option. enable this parameter, but do not
configure a message.
Activate Call- Whether to activate call-back GPS does not handle call-backs directly
back as an OTP delivery option with a cardholder. If you want to provide
this option, then your systems will need
to retrieve the OTP from EHI and call
your cardholder directly.
Note: For GPS to return an Approve response code for a TAR (Green flow), all checks based
on configuration and card must be approved. If only one check returns an authentication
decision, then GPS will request authentication (yellow flow) 13; if only one check triggers a
decline then GPS will decline (red flow).
13 Excludes authentication for push-provisioned token requests, which only allow approve or decline responses.
Online Merchant token Set payment token wallet groups to approve for Online
activation requests should not Merchant Token Requestors. See GPS Configuration
require user authentication. Options.
Do not enable Notifications for Create a separate payment token wallet group for the
Online Merchant token MRCHTOKEN Wallet provider, then ensure that the
provisioning Notify SMS, Notify Email and Notify Post fields are
disabled. See GPS Configuration Options.
Note: You must not send any text messages or any
notifications to your cardholders for Online Merchant
token provisioning. This should not be visible to the
cardholder.
Visa Only
Online merchant authentication Ensure the field Activate: Mobile App Ref is left blank
options must not include a for the Online Merchant Payment Token Usage Group.
reference to a mobile app.
Mastercard Only
Do not enable Mastercard This is a setting for your program on the Mastercard
automatic approval with Portal. You should disable the configuration option
authentication.14 that enables Mastercard to override a GPS approve
response with an approval with authentication.
14 In this scenario GPS will not be able to provide the card verification methods (CVM).
It is also possible to change a card’s usage group via Smart Client. For more information, see
the Smart Client Guide.
For static artwork, GPS take the reference from your payment token wallet usage group. For
dynamic artwork, GPS take the reference from the ProductRef field.
Note: the card art reference (ProductRef field) should be the same for both Visa/Mastercard
and your Card Manufacturer.
You can use this score to determine how you want GPS to respond to the Token Activation
Request (TAR).
Example GPS Settings
What is the maximum number which triggers approve with authentication (yellow flow)?
Wallet Device Score Max Auth = 3
If a device score of 4 is received, then GPS approves. If a device score of 3 is received, then
GPS approves with authentication. If a device score of 1 is received, then GPS declines.
Note: We recommend that DPAN over FPAN status should not be enabled for Card on File
token requestors. This should only be used for device-based tokens through wallet providers
such as Apple and Android.
If the DPAN over FPAN setting is enabled, then the DPAN status set using the
Ws_Payment_Token_StatusChange web service can be overridden in an authorisation by the
FPAN status that is set using the Ws_StatusChange web service.
This feature enables you to use a single web service, Ws_StatusChange, to set the statuses of
both the FPAN and DPAN.
Note: Do not use status code 41 if temporarily blocking a DPAN, since the Card Schemes
treat this as a permanent status. We recommend you use status code G1 instead, as this
status is reversible.
Note: You do not need to exchange a key with Visa/Mastercard for push provisioning if you
are using the Push Provisioning with MeaWallet service.
Note: If you want to receive tokenisation messages via the GPS External Host Interface (EHI),
in your Product Setup Form (PSF), ensure you tick the option to enable TAR transaction types.
For details, see the EHI Guide.
EHI is required when using the tokenisation service if you want to send the One Time
Passcode (OTP) message used during the tokenisation process directly to your cardholder
(see the Approve with Authentication flow). Although this can be retrieved via Smart Client
or Web services it is harder to automate processes using these services.
The tokenisation flow contains its own 6-digit specific processing codes (ProcCode in EHI),
which can be used to identify any EHI messages relating to tokenisation. Refer to the table
below.
320000 Token Eligibility Request (TER) Not used by Mastercard. Used for issuers
who can't respond to the TAR in time.
340000 Activation Code Notification (ACN) Contains the OTP delivery message.
For details of the EHI message fields related to tokenisation and an example of a TAR
message, see Appendix C: EHI Tokenisation Fields.
For examples of the different types of tokenisation messages available via EHI, please refer to
the EHI Guide.
15 If you do not want to enable EHI, but still want to pursue a tokenisation implementation, please contact your
Account Manager to investigate the feasibility of GPS providing data for Apple reporting in another format.
Note: All EHI messages in the Token Provisioning flow (TAR/TEN/TCN) are advices only. This
means that for all EHI modes you are not able to authorise TAR, TEN or TCN advices. You can
use these messages to confirm to the cardholder the tokenisation status. They should never
be used for payment authorisation approval or decline decisions.
Figures 11-14 below describe the Visa and Mastercard messages that are received for token
provisioning requests. Note that since these are asynchronous messages, it is possible they
may arrive out of sequence.
Program
Mastercard GPS
Manager
16
ISO 8583 is the message format used for authorisation messages passed between Visa/Mastercard
and GPS.
Program
Mastercard GPS
Manager
Program
Visa GPS
Manager
Check Eligibility
1
Return ProfileID
1. Visa sends a message to GPS to check if the PAN is eligible for tokenisation.
GPS returns the Profile ID (if applicable) so that the token response displays the
correct card art and T&Cs on the cardholder’s mobile device screen.
2. Visa sends an 0100 Token Activation Request (TAR) to GPS.
3. GPS returns an Approve response to Visa.
GPS forwards the TAR to the Program Manager, via EHI.
4. Visa sends an 0620 Token Event Notification (TEN) to GPS, to indicate the token has
been created.
GPS forwards the TEN notification to the Program Manager, via EHI.
5. For a token that is bound to a device, Visa sends an 0620 Token Event: Token
Complete Notification (TCN), to indicate the token has been provisioned onto the
device.
GPS forwards the TCN notification to the Program Manager, via EHI.
Note: This flow is only relevant to tokens that are bound to a mobile phone or other device.
Program
Visa GPS
Manager
Check Eligibility
1
Return ProfileID
1. Visa sends a message to GPS to check if the PAN is eligible for tokenisation.
GPS returns the Profile ID (if applicable) so that the token response displays the
correct card art and T&Cs on the cardholder’s mobile device screen.
2. Visa sends an 0100 Token Activation Request (TAR) to GPS.
3. GPS returns an Approve with Authentication response to Visa.
GPS forwards the TAR to the Program Manager, via EHI.
4. Visa sends an 0620 Token Event Notification (TEN) to indicate the token has been
created (the token is not yet active)
5. Visa uses the Get CVM API to retrieve a list of available cardholder verification
methods (CVMs) for this token from GPS (i.e., methods such as SMS).
6. Visa uses their Send Passcode API to send the passcode and the user-selected
cardholder verification method to GPS.
GPS sends an Activation Code Notification (ACN) to the Program Manager, via EHI.
The ACN contains the authentication passcode (One-time password) and user-
selected verification method.
Note: Some Mobile Wallet token requestors require you to confirm to cardholders when the
tokenisation process is complete or to follow up with cardholders when tokenisation has not
been completed.
The Token Complete Notification (TCN) sent over EHI currently indicates when the device is
successfully provisioned. In some cases, later Token Event Notifications (TENs) can arrive
once the cardholder is authenticated and Visa has activated the token, which represent the
actual end of the token provisioning flow.
The section When to notify cardholders tokenisation is complete below describes how you
can identify the end of the tokenisation flow.
For Visa, currently the Token Completion Notification (ProcCode 350000) only represents the
end of the tokenisation flow for Green Flow Device Tokenisation. Visa send a 620 message
to indicate that the token is active. GPS then send a Token Complete Notification (TCN)
where the paymenttoken_creatorStatus = A (active). For details, see Appendix D: Visa
Tokenisation Messages.
Note: If you become aware of a recent change in the Apple or Android requirements, please
contact your Account Manager or Implementation Manager before testing begins so GPS
can review.
17
For example, if you replace a card with a token, change the payment token status, regenerate a card
image or renew an expired card.
1 2
4 3
6 5
1. The Program Manager uses the GPS web service to change the token status on the
GPS platform.
2. GPS sends a request to Visa to update payment token status on their systems.
3. Visa responds with the token status update result.
4. GPS confirms the status update in the web service response and via EHI.
5. Visa sends a Token Event Notification (TEN) with the status change.
6. GPS confirms the status update via EHI.
Note: Visa sends a confirmation of token status update via the ISO 8583 message service
which GPS forwards to you via EHI. This token status update may be initiated via web
services or via the cardholder from their device.
5 4
1. The Program Manager uses the GPS web service to change the token status on the
GPS platform.
2. In the web service response, GPS confirms the update (which applies to the GPS
platform only).
3. GPS sends a request to Mastercard to update payment token status on their systems.
(Note that this is only done once every four hours and is not in real-time.)
4. Mastercard sends a Token Event Notification (TEN) with the status change.
5. GPS confirms the status update via EHI.
If a card is expiring, you can request a replacement card using the Card Renew web service
(Ws_Renew). Once the replacement card is ready it can be activated using the web service
Ws_Activate.
• For Visa, GPS send an API to the Token Service Provider in real-time informing them
of the new PAN, CVV2 and Expiry which will then be passed to the Token Requestor.
• For Mastercard, GPS queue and send a batch update file, every four hours.
If you want to remove a device binding from a Card on File token (for example if your
cardholder has reported their device as stolen) then you can use
Ws_Token_Device_Management. This triggers a real-time API call to the Token Service
Provider. An approval action code (000) means the request has been successful on both GPS
and Token Service Provider platforms. A failed response means that neither platform has
been updated.
If set to 0 = never authenticate or decline (use this if you do not want GPS to use any of this
logic).
Default Score
These options indicate what default score should be provided if no score is received from the
Wallet Provider in the incoming TAR message. (Currently only Apple provide a device score)
Wallet Device Score Default 3
Wallet Account Score Default 3
6. The screen shows the payment token details supplied by MDES/VDEP, along with the
decision process information. The One Time Password value is shown in the Activation
Code field.
7. Once provided to the cardholder, they should be able to enter this into their Wallet app
to authenticate.
Field Description
Note: Empty fields have been removed from this example. Field highlighted in yellow
provide the tokenisation information.
<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body>
<GetTransaction xmlns="http://tempuri.org/">
<Acquirer_id_DE32>06001234</Acquirer_id_DE32>
<ActBal>0.00</ActBal>
……..
<MCC_Code>6012</MCC_Code>
<MCC_Desc>Financial Institutions</MCC_Desc>
<MCC_Pad>0.00</MCC_Pad>
<Merch_ID_DE42>400425000000001</Merch_ID_DE42>
<Merch_Name_DE43> Visa Tokenisation System Foster City US </Merch_Name_DE43>
<Proc_Code>330000</Proc_Code>
<Resp_Code_DE39>00</Resp_Code_DE39>
<Ret_Ref_No_DE37>102300045678</Ret_Ref_No_DE37>
……….
<Txn_Desc>Visa Provisioning Service GB</Txn_Desc>
<Txn_GPS_Date>2021-03-18 15:08:14.650</Txn_GPS_Date>
<TXn_ID>1250779057</TXn_ID>
<Txn_Stat_Code>A</Txn_Stat_Code>
<TXN_Time_DE07>0318150814</TXN_Time_DE07>
<Txn_Type>A</Txn_Type>
<Additional_Data_DE48 />
<Authorised_by_GPS>Y</Authorised_by_GPS>
<AVS_Result>Y</AVS_Result>
<CU_Group>TST-CU-001</CU_Group>
<InstCode>TST</InstCode>
<MTID>0100</MTID>
<ProductID>5877</ProductID>
<Record_Data_DE120 />
<SubBIN>45967201</SubBIN>
<TLogIDOrg>0</TLogIDOrg>
<VL_Group>TST-VL-001</VL_Group>
<Dom_Fee_Fixed>0.00</Dom_Fee_Fixed>
Tip: When you get a message with payment token status of A, this means the token is active
and ready to do transactions and should be the last message in the flow.
For a mobile wallet: Look for this information in the following EHI fields to identify the
message flow and what you need to do.
2 SE or CL 360000 00 A 71
(TEN)
18
These are used by e-commerce merchants who tokenise PANs for storage (e.g. Netflix) and
the cardholder is not necessarily present so would be confused by a message confirming
tokenisation and likely to consider it fraudulent.
Scenario 3: Mobile Wallet Token Requests Yellow flow with successful authentication
Message PaymentToken ProcCode Resp_Code PaymentToken Message Comments
Order _Type _DE39 _creatorStatus _Why
Activation Code
3 SE or CL 340000 00 I 0
Network
(ACN) Message.
Contains the OTP
to verify the
cardholder.
4 SE or CL 350000 00 I 72 In yellow flow –
(TCN) do not send
messages using
the TCN.
Tip: When you get a message with payment token status of A, this means the token is active
and ready to do transactions and should be the last message in the flow.
19
These are used by e-commerce merchants who tokenise PANs for storage (e.g. Netflix) and
the cardholder is not necessarily present so would be confused by a message confirming
tokenisation and likely to consider it fraudulent.
Scenario 4: Mobile Wallet Token Requests with Yellow flow with unsuccessful
authentication
Message PaymentToken ProcCode Resp_Code PaymentToken Message Comments
Order _Type _DE39 _creatorStatus _Why
Your Mobile App can use an iOS API to view cards you’ve issued that have been provisioned
onto the Apple device. You can use the Apple API to present your customer with their
chosen card for payment. The cardholder can then provide consent for the transaction using
Touch ID / Face ID or a passcode to make a payment. Upon completion of the payment, the
cardholder is automatically returned back to your Mobile App.
Note: Apple require certification to use their service, which must be done directly with them.
For further information, please refer to the Apple document: Functional Requirements Direct
NFC Access and Apple Pay.
For more information on Apple Pay services for developers, see the Apple Pay Developer
Website.
Token provisioning requests that are flagged as Apple Orange Flow and/or a Device Score =
1 indicate that more rigorous authentication of the cardholder is required. See Apple Pay
Orange Flow below.
Note: GPS currently does not support Apple Pay orange flow additional authentication
checks. For options and workarounds, please discuss with your GPS Account Manager.
Orange is represented by the Apple reason code “0G” and is triggered when Apple’s account
or device history infers an elevated statistical probability of fraud. From a GPS perspective,
the transaction is identified by device score =1 (i.e., highest risk). Any provisioning request
with device score = 1 is treated according to the GPS Red Flow and is declined.20
20
If you do not want GPS to use the device score, you can set the value to 0 (never authenticate or decline).
When replacing a card, you should always use the Card Renew (Ws_Renew) web service. For
details, see the Web Services Guide.
Once the new card is activated, the update to the FPAN/DPAN details will be immediate for a
Visa token and will be added to the next batch file cycle for a Mastercard token.
Alternatively, if you are using Mastercard, you can log on to Mastercard’s MC Connect >
MDES Portal and make the changes directly once the card is renewed.
This must be enabled to pass Apple testing and is a good cardholder journey for other token
requestors. See GPS Configuration Options.
Q. What is the difference between VTS and VDEP?
They both refer to the same service. VTS is the Visa Token Service and VDEP is the Visa
Digital Enablement Programme. You are required to sign a VDEP agreement with Visa when
starting a new Visa Token Service integration.
Since VTS is also an abbreviation for the Visa Test Simulator (VTS), we use the term VDEP to
avoid confusion.
Q. What’s the difference between a Token and a Payment Token?
GPS refer to the 9-digit public token for use on GPS systems as the Token or Public Token
and the digitised tokens from the schemes is called a Payment Token.
Q. What’s the difference between a Token Requestor and a Wallet Provider?
These are used interchangeably between the schemes however Visa will more often use Token
Requestor and Mastercard use Token requestor. Because the Mastercard Digital Enablement
Service (MDES) was integrated first at GPS you will often see references to token requestor.
Q. What is the difference between an FPAN and a DPAN?
These are Apple terms to specify which PAN is being discussed as following tokenisation there
are two PANs for one card. The FPAN is the Funding PAN and refers to the original PAN on the
card and the DPAN is the Device PAN and refers to the PAN personalised onto the device.
Q. Does GPS know the DPAN?
Yes. GPS receives and stores the DPAN during the provisioning process and validates it
during subsequent transactions on that DPAN. IF GPS does not receive the DPAN then it will
decline transactions.
BL O B Binary Large Object file. A blob is a data type that can store
binary data. It can be used to store images or other multimedia
files.
CO UNTER A counter under the PSD2 rules is used to track the number of
transactions and cumulative amount before the cardholder is
requested to authenticate using Strong Customer
Authentication (SCA): for example, via PIN for a card or via 3D
Secure authentication for an online transaction.
CVV2 The Card Verification Value (CVV) on a credit card or debit card
is a 3-digit number on Visa, MasterCard and Discover branded
credit and debit cards. Cardholders are typically required to
enter the CVV during any online or cardholder not present
DEVICE SCORE The score applied by the wallet provider defining the level of
satisfaction the wallet provider has in the request being a
genuine cardholder attempt, based on the wallet providers
internal fraud parameters.
DPA N Device PAN. The PAN value set up on the cardholder’s device.
This is not visible to the cardholder, but is the PAN used for the
transactions as far as the merchant is concerned.
FPA N Funding PAN. The true 16-digit PAN of the card, which
Mastercard/Visa converts when authorisations come through to
them from Acquirers on the DPAN.
PA YMENT TOKEN GPS term for a MDES/VDEP token. This is used to differentiate
between a GPS public token and a MDES/VDEP token. GPS use
this in EHI and web service calls to identify a particular DPAN
PA YMENT TOKEN The default set of parameters GPS will use to authorise a TAR.
USA GE
PA YMENT TOKEN The token requestor specific set of parameters GPS will use to
USA GE WALLET
authorise a TAR.
PCI DSS The Payment Card Industry Data Security Standard (PCI DSS) is
an information security standard for organisations that handle
credit cards from the major card schemes. All Program
Managers who handle customer card data must be compliant
with this standard. See:
https://www.pcisecuritystandards.org/pci_security/
P O INT O F SALE (POS) A hardware device for processing card payments at retail stores. The
TERMINAL device has embedded software that is used to read the card’s
magnetic strip data.
PRO GRAM MANAGER A GPS customer who manages a card program. The program manager
can create branded cards, load funds and provide other card or
banking services to their end customers.
PUBL IC TOKEN The GPS 9-digit token is a unique reference for the PAN. This is
used between GPS and clients to remove the need for GPS
clients to hold actual PANs.
SMA RT CLIENT Smart Client is GPS's user interface for managing your account
on the GPS Apex system. It is also called Smart Processor GPS.
Smart Client is installed as a desktop application and requires a
VPN connection to GPS systems in order to be able to access
your account.
TO KEN SERVICE The entity who stores the mapping between the PAN and the
PRO VIDER (TSP) token. With the existing GPS integration this would be Visa or
Mastercard.
VISA CLOUD TOKEN The function that allows online merchant token requestors to
FRA MEWORK bind their existing COF token to a device. This product is
designed to improve security and reduce friction at checkouts.
VTS Visa Token Service. The Visa product name for tokenisation.
GPS refer to this service as the Visa Digital Enablement Program
(VDEP).
YEL L OW FLOW This is an Apple term for a Token Provisioning request that is
approved, but with a request for further authentication.
1.3 9/08/2021 New advice on Status Codes to use for Card Blocks WS
Updates to diagram and description in Section 7.1.4
25/08/2021 Message flow for Visa Token Provisioning (Yellow
Flow)
Note added to section 7 Token Provisioning Message
03/09/2021
Flows to highlight that tokenisation messages receive
via EHI are advices only and should never be used for
payment authorisation approval or decline decisions.