Payment Tokenization – Authorization Flow

In the first part of this series we covered the basics of tokenization. In this article, we’ll dive deeper into the tokenization-based authorization flow.

The steps are as follows:

Step 1: The consumer uses the merchant app on a mobile device to initiate authorization by passing the following key Payment Token data elements to the merchant’s system:
a. Payment Token will be passed in the existing PAN field.
b. Expiry Date of Token will be passed in the PAN Expiry Date field.
c. Token Cryptogram will be generated based on the Token data elements and will be passed in the Chip/Token Cryptogram field.
d. Token Requestor ID will be passed as an optional field.
e. All other data elements will be created and passed following the authorization data standards.

Step 2: The merchant’s system will pass the authorisation request to the Acquirer with all data fields containing tokenization and standard authorization data elements.

Step 3: The Acquirer will perform routine processing checks and pass the Token and the authorization data to the Payment Network.

Step 4: The Payment Network will communicate with the Token Service Provider to:
a. Fetch the PAN.
b. Verify the active PAN mapping in the Token Vault and other checks to ensure Token.
c. Validate the Token Cryptogram and validate the Token Domain Restriction Controls to ensure the channel.
d. Fetch the Token Requestor ID if it’s not provided in the authorisation message.

Step 5: The Payment Network will update the authorization message as follows and send the authorisation request to the Issuer:
a. Replace Payment Token with PAN.
b. Replace Token Expiry Date with PAN Expiry Date.
c. Add an indicator that conveys to the Issuer that an on-behalf-of validation has been completed by the Token Service Provider of that Payment Token.
d. The following Payment Token-related fields are passed to the Issuer in the authorisation request:

i. Payment Token
ii. Token Expiry Date (Optional)
iii. Token Assurance Data (Optional)
iv. Token Assurance Level
v. Token Requestor ID
vi. POS Entry Mode Code

Step 6: The Issuer completes the account-level validation and the authorisation check, and sends the PAN back in the authorisation response to the Payment Network.

Step 7: The Payment Network may generate a response cryptogram and will replace the PAN with the Payment Token based on the mapping, and will pass the following required fields to the Acquirer as part of the authorisation response, in addition to other standard data elements:
a. Payment Token
b. Token Assurance Level
c. Last 4 digits of PAN
d. PAN Product ID (Optional)

Step 8: The Acquirer will pass the authorisation response to the Merchant.

Step 9: The consumer will be notified of the success or failure of the transaction.
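
The Payment Network's part of the flow (Steps 4, 5 and 7) can be sketched in code. This is an added example, not code from the original article or from any payment scheme: the field names, the vault record and all sample values are constructed, the expiry comparison is an assumed instance of the "other checks" in Step 4b, and HMAC-SHA256 stands in for the scheme-defined token cryptogram algorithm.

```python
import hashlib
import hmac

# Constructed sample vault record (test-range numbers, hypothetical field names).
VAULT = {
    "4900000000000086": {
        "pan": "4111111111111111", "pan_expiry": "2812", "token_expiry": "2706",
        "state": "ACTIVE", "requestor_id": "00000000001", "key": b"demo-token-key",
        "allowed_entry_modes": {"10"},  # domain restriction, constructed value
        "assurance_level": "07",
    },
}

def cryptogram(key, token, expiry, nonce):
    # Stand-in only: real token cryptograms use scheme-defined algorithms.
    msg = f"{token}|{expiry}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def detokenize_request(req):
    """Steps 4-5: validate the token, then build the request sent to the Issuer."""
    token, rec = req["pan_field"], VAULT.get(req["pan_field"])
    if rec is None or rec["state"] != "ACTIVE":
        raise ValueError("no active token-to-PAN mapping")
    if req["expiry_field"] != rec["token_expiry"]:
        raise ValueError("token expiry mismatch")
    expected = cryptogram(rec["key"], token, req["expiry_field"], req["nonce"])
    if not hmac.compare_digest(expected, req["cryptogram"]):
        raise ValueError("token cryptogram invalid")
    if req["pos_entry_mode"] not in rec["allowed_entry_modes"]:
        raise ValueError("token domain restriction violated")
    return {
        "pan_field": rec["pan"], "expiry_field": rec["pan_expiry"],   # 5a, 5b
        "obo_validated": True,                                        # 5c
        "payment_token": token, "token_expiry": req["expiry_field"],  # 5d
        "token_assurance_level": rec["assurance_level"],
        "token_requestor_id": req.get("token_requestor_id") or rec["requestor_id"],
        "pos_entry_mode": req["pos_entry_mode"], "amount": req["amount"],
    }

def retokenize_response(issuer_resp, token):
    """Step 7: put the token back before the response goes to the Acquirer."""
    rec = VAULT[token]
    if issuer_resp["pan_field"] != rec["pan"]:
        raise ValueError("response PAN does not match token mapping")
    return {
        "payment_token": token, "approved": issuer_resp["approved"],
        "token_assurance_level": rec["assurance_level"],
        "pan_last4": rec["pan"][-4:],
    }
```

The full PAN appears only in the message sent to the Issuer; the response returned toward the Acquirer and Merchant carries the token and the last 4 digits only.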

So that’s how a tokenization-based authorization flows through the payment channel. The required data elements have to be considered based on the use case (Digital wallet e-Commerce, Card-On-File e-Commerce, NFC at POS, etc.).

Next Read : Payment Tokenization – Clearing Flow