Overview
Card schemes create network tokens as secure, non-sensitive substitutes for sensitive card data such as the primary account number (PAN), tailored to each merchant. Tokenization protects card details by using these unique tokens instead of actual card data.
Most transactions also use a cryptogram – a one-time encrypted element uniquely generated for that specific transaction. This cryptogram, created by card networks, authenticates and secures the transaction by binding it to the network token, allowing only authorized payments. Without a matching cryptogram, even a valid network token becomes unusable, ensuring unauthorized use is prevented if a token is compromised. This design emphasizes cryptograms as an essential layer of dynamic security, safeguarding each transaction individually.
Nuvei supports network tokenization by securely gathering and storing these tokens from Visa and Mastercard, allowing transactions to be processed safely without transmitting sensitive card information, ensuring a higher level of security and data protection.
Nuvei also provides our own Nuvei Gateway (GW) tokenization.
To perform transactions with network tokens, you can use one of the following methods:
- Nuvei provisions and collects the network tokens – Does not require any additional integration by the merchant.
The process seamlessly integrates with your existing payment flow. Nuvei automatically substitutes card details with network tokens as needed. When Nuvei retrieves the network token, the basic tokenization flow is:
- The merchant provides the network tokens – Involves integration steps, but enables the merchant to leverage tokens it already has and collects. When the merchant provides the network token, the basic tokenization flow is:
Merchant Benefits
Improved Security
- Aids in meeting industry standards such as PCI DSS by reducing the storage and processing of sensitive payment data such as card details. Tokenization reduces the merchant’s PCI scope.
- Helps prevent fraud as each transaction is protected with a one-time-use cryptogram.
- Tokenized transactions result in fewer chargebacks and disputes, which increases stability and predictability in cash flows, and increases trust between merchants and cardholders.
Improved Approval Rates
- Card scheme networks maintain and automatically update the network tokens.
Reduced processing cost
- Card scheme networks charge a non-tokenized fee for transactions submitted without a network token.
External Network Tokens
Network tokens, which do not contain sensitive data, can be stored and collected securely by merchants. If a merchant has access to network tokens, they can use them to process transactions with Nuvei.
Merchants using server-to-server REST 1.0 integration can submit the network token, the cryptogram (see the cryptogram requirements below), and the token’s expiration date in the relevant API request. This ensures secure, streamlined transaction processing without handling sensitive card information directly.
Cryptogram Requirements
- Client-initiated transactions (CITs) – Cryptograms are required for Sale and Auth transactions, including non-recurring and initial recurring transactions.
- Merchant-initiated transactions (MITs) – Cryptograms are required for Visa Sale and Auth transactions if the merchant is onboarded to AFT.
Payment (Deposit)
When the merchant provides the network token and the cryptogram, include the following in the /payment request or the /initPayment request:
cardclass containing:expirationMonth– The token’s expiration month.expirationYear– The token’s expiration year.externalTokenclass containing:networkTokenNumbernetworkTokenCryptogram(optional)
Example Non-3DS /payment Request
{
"sessionToken": "<sessionToken from /getSessionToken>",
"merchantId": "<your merchantId>",
"merchantSiteId": "<your merchantSiteId>",
"clientRequestId": "<unique request ID in merchant system>",
"clientUniqueId": "<unique transaction ID in merchant system>",
"amount": "200",
"currency": "USD",
"paymentOption": {
"card": {
"expirationMonth": "12",
"expirationYear": "2025",
"externalToken": {
"networkTokenNumber": "4008370896662369",
"networkTokenCryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU="
}
}
},
"billingAddress": {
"email": "[email protected]",
"country": "US"
},
"deviceDetails": {
"ipAddress": "<customer's IP address>"
},
"timeStamp": "<YYYYMMDDHHmmss>",
"checksum": "<calculated checksum>"
}
Example 3DS /initPayment Request
{
"merchantSiteId": "<your merchantSiteId>",
"merchantId": "<your merchantId>",
"sessionToken": "<sessionToken from /getSessionToken>",
"clientRequestId": "<unique request ID in merchant system>",
"currency": "USD",
"amount": "200",
"paymentOption": {
"card": {
"expirationMonth": "12",
"expirationYear": "25",
"externalToken": {
"networkTokenNumber": "4008370896662369",
"networkTokenCryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU="
},
"threeD": {
"methodNotificationUrl": "<methodNotificationURL>",
"platformType": "01"
}
}
}
}
Example 3D-Secure v2 /payment Request
{
"sessionToken": "<sessionToken from /getSessionToken>",
"merchantId": "<your merchantId>",
"merchantSiteId": "<your merchantSiteId>",
"clientRequestId": "<unique request ID in merchant system>",
"timeStamp": "<YYYYMMDDHHmmss>",
"checksum": "<calculated checksum>",
"currency": "USD",
"amount": "200",
"relatedTransactionId": "<transactionId returned from initPayment>",
"paymentOption": {
"card": {
"expirationMonth": "12",
"expirationYear": "25",
"externalToken": {
"networkTokenNumber": "4008370896662369",
"networkTokenCryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU="
},
"threeD": {
"methodCompletionInd": "U",
"version": "<3D-Secure version>",
"notificationURL": "<notificationURL>",
"merchantURL": "<merchantURL>",
"platformType": "02",
"v2AdditionalParams": {
"challengePreference": "01",
"deliveryEmail": "<email address>",
"deliveryTimeFrame": "03",
"giftCardAmount": "1",
"giftCardCount": "41",
"giftCardCurrency": "USD",
"preOrderDate": "20220511",
"preOrderPurchaseInd": "02",
"reorderItemsInd": "01",
"shipIndicator": "06",
"rebillExpiry": "20200101",
"rebillFrequency": "13",
"challengeWindowSize": "05"
},
"browserDetails": {
"acceptHeader": "text/html,application/xhtml+xml",
"ip": "192.168.1.11",
"javaEnabled": "TRUE",
"javaScriptEnabled": "TRUE",
"language": "EN",
"colorDepth": "48",
"screenHeight": "400",
"screenWidth": "600",
"timeZone": "0",
"userAgent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47"
},
"account": {
"age": "05",
"lastChangeDate": "20190220",
"lastChangeInd": "04",
"registrationDate": "20190221",
"passwordChangeDate": "20190222",
"resetInd": "01",
"purchasesCount6M": "6",
"addCardAttempts24H": "24",
"transactionsCount24H": "23",
"transactionsCount1Y": "998",
"cardSavedDate": "20190223",
"cardSavedInd": "02",
"addressFirstUseDate": "20190224",
"addressFirstUseInd": "03",
"nameInd": "02",
"suspiciousActivityInd": "01"
}
}
}
},
"billingAddress": {
"firstName": "John",
"lastName": "Smith",
"address": "221B Baker Street",
"city": "London",
"country": "GB",
"email": "[email protected]"
},
"shippingAddress": {
"firstName": "John",
"lastName": "Smith",
"address": "221B Baker Street",
"city": "London",
"country": "GB",
"email": "[email protected]"
},
"deviceDetails": {
"ipAddress": "<customer's IP address>"
}
}
Example 3DS /payment Request with Liability Shift
{
"sessionToken": "<sessionToken from /getSessionToken>",
"merchantId": "<your merchantId>",
"merchantSiteId": "<your merchantSiteId>",
"clientRequestId": "<unique request ID in merchant system>",
"timeStamp": "<YYYYMMDDHHmmss>",
"checksum": "<calculated checksum>",
"relatedTransactionId": "<transactionId returned from initPayment>",
"currency": "USD",
"amount": "200",
"transactionType": "Auth",
"paymentOption": {
"card": {
"expirationMonth": "12",
"expirationYear": "25",
"externalToken": {
"networkTokenNumber": "4008370896662369",
"networkTokenCryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU="
},
"billingAddress": {
"firstName": "John",
"lastName": "Smith",
"address": "22 Main Street",
"city": "London",
"country": "GB",
"email": "[email protected]"
},
"deviceDetails": {
"ipAddress": "<customer's IP address>"
}
}
}
}
Example 3DS /payment Request – External MPI
{
"sessionToken": "<sessionToken from getSessionToken>",
"merchantId": "<your merchantId>",
"merchantSiteId": "<your merchantSiteId>",
"clientRequestId": "<unique request ID in merchant system>",
"amount": "200",
"currency": "USD",
"clientUniqueId": "<unique transaction ID in merchant system>",
"paymentOption": {
"card": {
"expirationMonth": "12",
"expirationYear": "25",
"externalToken": {
"networkTokenNumber": "4008370896662369",
"networkTokenCryptogram": "ejJRWG9SWWRpU7I1M28DelozSXU="
},
"threeD": {
"externalMpi": {
"eci": "2",
"cavv": "ejJRWG9SWWRpU2I1M21DelozSXU=",
"dsTransID": "9e6c6e9b-b390-4b11-ada9-0a8f595e8600"
}
}
}
},
"billingAddress": {
"email": "[email protected]",
"country": "US"
},
"deviceDetails": {
"ipAddress": "<customer's IP address>",
"deviceManufacturerIdentifier": "iPhoneX"
},
"userDetails": {
"country": "US"
},
"timeStamp": "<YYYYMMDDHHmmss>",
"checksum": "<calculated checksum>"
}
Payout (Withdrawal)
When the merchant provides the network token, include the following in the /payout request:
cardDataclass containing:expirationMonth– The token’s expiration month.expirationYear– The token’s expiration year.
externalTokenclass containing:networkTokenNumber
Example /payout Request
{
"merchantId": "<your merchantId>",
"merchantSiteId": "<your merchantSiteId>",
"clientRequestId": "<unique request ID in merchant system>",
"clientUniqueId": "<unique transaction ID in merchant system>",
"userTokenId": "<unique customer identifier in merchant system>",
"cardData": {
"expirationMonth": "12",
"expirationYear": "25"
},
"externalToken": {
"networkTokenNumber": "4000020951595032"
},
"currency": "USD",
"amount": "200",
"deviceDetails": {
"ipAddress": "<customer's IP address>"
},
"customData": "",
"timeStamp": "<YYYYMMDDHHmmss>",
"checksum": "<calculated checksum>"
}
Unreferenced Refund
For information about how to perform a refund with an external network token for transactions that were not settled by Nuvei, see Unreferenced Refunds with an External Token.
Last modified October 2024