Card-On-File E-Commerce Flow

Figure: Authorisation - card-on-file e-commerce flow. Note that the Token Service Provider may be located at the Issuer, the Payment Network, or a third party.

Credit Card-On-File E-Commerce Flow

In the credit card-on-file e-commerce flow, an e-commerce Merchant that holds payment card data on file in a database removes the underlying security exposure of storing card data by replacing the PANs with Payment Tokens.

In such scenarios, the e-commerce Merchant will usually act as the Token Requestor.

Once Payment Tokens are returned to these Card-on-file Merchants, all subsequent e-commerce transactions that are processed will use the Payment Token and the Token Expiry Date in lieu of the PAN and PAN Expiry Date fields.

The following steps describe how the standard Payment Token data fields flow through the authorisation message when a consumer initiates an e-commerce purchase with a Card-on-file Merchant.

1.  The Cardholder logs in to the Card-on-file Merchant and initiates an e-commerce purchase. The Merchant website passes the following key Payment Token data elements to the Merchant platform:

  • Payment Token will be passed in the existing PAN field.
  • Token Expiry Date will be passed in the PAN Expiry Date field.
  • Token Requestor ID will be passed as an optional field.
  • Token Cryptogram will be generated based on the Payment Token data fields and passed (Optional).
  • All other Merchant identifier data will be created and passed (Optional).

Note that the Token Requestor ID and related Merchant identifiers serve as the Domain Restriction Control fields used to validate the integrity of the transaction.

2.  The Merchant platform will pass the authorisation request to the Acquirer, carrying all the standard Payment Token data fields and any required Merchant-specific identifiers; the POS Entry Mode will be set to indicate an e-commerce transaction.

3.  The Acquirer will perform processing checks on the data elements, and pass the Payment Token data fields including Token Cryptogram to the Payment Network.

4.  The Payment Network will interface with the Token Service Provider to:

  • Retrieve the PAN.
  • Verify the state of the Payment Token to PAN mapping in the Token Vault for the active Payment Token, and other controls that may be defined for that Payment Token.
  • Validate the Token Cryptogram and validate the Token Domain Restriction Controls for that Payment Token (alternatively the Card Issuer may validate the cryptogram if it has the necessary keys).
  • Retrieve the Token Requestor ID if it was not provided in the authorisation message.

5.  The Payment Network will send the authorisation request to the Card Issuer, with the following changes to the authorisation request message:

  • Replace Payment Token with PAN.
  • Replace Token Expiry Date with PAN Expiry Date.
  • Add an indicator that conveys to the Card Issuer that an on-behalf-of validation has been completed by the Token Service Provider of that Payment Token.

6.  The following Payment Token-related fields are passed to the Card Issuer in the authorisation request:

  • Payment Token
  • Token Expiry Date (Optional)
  • Token Assurance Data (Optional)
  • Token Assurance Level
  • Token Requestor ID
  • POS Entry Mode Code

The Card Issuer completes the account-level validation and the authorisation checks, and sends an authorisation response to the Payment Network.

7.  The Payment Network will replace the PAN with the Payment Token based on the mapping, and will pass the following fields to the Acquirer as part of the authorisation response, in addition to other standard data elements:

  • Payment Token
  • Token Assurance Level
  • Last 4 digits of PAN
  • PAN Product ID (Optional)

8.  The Acquirer will pass the authorisation response to the Merchant.

9.  The consumer will be notified of the success or failure of the transaction.
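The field substitution and checks described in steps 1 to 7, modelled end to end as an added example (this is not code from the page or from any EMVCo specification). The vault entry, the Token Requestor ID, the key and the HMAC-based Token Cryptogram are constructed assumptions, since the page does not define the cryptogram algorithm or the vault format.

```python
import hmac, hashlib

# Constructed sample data (not from the page): one Token Vault entry and the
# per-token key assumed to be shared by the Token Requestor and the TSP.
VAULT = {"4111000011112222": {"pan": "4111222233334444", "pan_expiry": "1227",
         "state": "active", "token_requestor_id": "TRID00001", "assurance_level": "LOW"}}
TOKEN_KEY = {"4111000011112222": b"constructed-token-key"}

def token_cryptogram(token, token_expiry, trid, amount):
    # The page does not define the cryptogram algorithm; an HMAC over the token
    # fields stands in for it so the cryptogram is bound to this request.
    msg = f"{token}|{token_expiry}|{trid}|{amount}".encode()
    return hmac.new(TOKEN_KEY[token], msg, hashlib.sha256).hexdigest()[:16]

def merchant_auth_request(card_on_file, trid, amount):
    """Steps 1-2: the token rides in the PAN field, Token Expiry in PAN Expiry."""
    t, exp = card_on_file["token"], card_on_file["token_expiry"]
    return {"pan_field": t, "pan_expiry_field": exp, "token_requestor_id": trid,
            "token_cryptogram": token_cryptogram(t, exp, trid, amount),
            "amount": amount, "pos_entry_mode": "ecommerce"}

def tsp_validate(req):
    """Step 4: mapping state, Domain Restriction Control (TRID) and cryptogram."""
    entry = VAULT.get(req["pan_field"])
    if entry is None or entry["state"] != "active":
        return None, "token not active"
    if req["token_requestor_id"] != entry["token_requestor_id"]:
        return None, "domain restriction failed"
    expected = token_cryptogram(req["pan_field"], req["pan_expiry_field"],
                                req["token_requestor_id"], req["amount"])
    if not hmac.compare_digest(expected, req["token_cryptogram"]):
        return None, "cryptogram invalid"
    return entry, "ok"

def network_to_issuer(req):
    """Steps 5-6: swap token for PAN and flag the on-behalf-of validation."""
    entry, reason = tsp_validate(req)
    if entry is None:
        return None, reason
    return {"pan": entry["pan"], "pan_expiry": entry["pan_expiry"],
            "payment_token": req["pan_field"], "token_expiry": req["pan_expiry_field"],
            "token_assurance_level": entry["assurance_level"],
            "token_requestor_id": req["token_requestor_id"], "tsp_validated": True,
            "pos_entry_mode": req["pos_entry_mode"], "amount": req["amount"]}, reason

def network_to_acquirer(issuer_msg, approved):
    """Step 7: re-tokenise; only the last 4 PAN digits travel back to the Merchant."""
    return {"approved": approved, "payment_token": issuer_msg["payment_token"],
            "token_assurance_level": issuer_msg["token_assurance_level"],
            "pan_last4": issuer_msg["pan"][-4:]}
```

A request carrying the wrong Token Requestor ID is stopped by the domain restriction check, and a request whose amount was altered after the cryptogram was computed is stopped by the cryptogram check, so the PAN never leaves the Payment Network toward the Merchant.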
