The Mobile/Digital Wallet E-Commerce Flow
In the mobile/digital wallet e-commerce flow, a Cardholder initiates payment to an e-commerce site using a mobile/digital wallet, which transfers the payment and other order information on the Cardholder's behalf.
The wallets may be operated by Card Issuers, Payment Networks, or third parties; in each case the digital wallet operator will typically be the Token Requestor.
The wallet operator uses Payment Tokenisation so that it no longer needs to store the PAN on the wallet platform, whether for security or for other business reasons.
When a Cardholder initiates payment at an e-commerce Merchant that supports the wallet, the digital wallet will pass a Payment Token in lieu of the PAN along with additional Payment Token-related fields through the wallet API (or mobile apps) to the Merchant.
Merchants will initiate authorisations using the Payment Token and accompanying Token Expiry Date carried within the existing fields for PAN and PAN Expiry Date.
Split shipments and recurring payments may be supported using the Payment Network's existing processes, although de-Tokenisation and Token Domain Restriction Controls will need to be performed for each such authorisation as well.
The following steps describe how the standard Payment Token data fields are carried in the authorisation message when a consumer initiates an e-commerce transaction from a Merchant application or digital wallet on a mobile device.
1. The Merchant application / digital wallet in the mobile device will interact with the payment application and pass the following key Payment Token data elements to the Merchant platform:
- Payment Token will be passed in the existing PAN field.
- Token Expiry Date will be passed in the PAN Expiry Date field.
- Token Cryptogram will be generated based on the Payment Token data elements and will be passed in the Token Cryptogram field.
- Token Requestor ID will be passed as an optional field.
- All other required data elements will be created and passed along.
2. The Merchant platform will pass the authorisation request to the Acquirer, carrying all the standard Payment Token fields; POS Entry Mode will be set to indicate e-commerce transaction.
3. The Acquirer will pass the authorisation request to the Payment Network.
4. The Payment Network will interface with the Token Service Provider to:
- Retrieve the PAN.
- Verify the state of the Payment Token to PAN mapping in the Token Vault for the active Payment Token, and other controls that may be defined for that Payment Token.
- Validate the Token Cryptogram and validate the Token Domain Restriction Controls for that Payment Token (alternatively the Card Issuer may validate the cryptogram if it has the necessary keys).
- Retrieve the Token Requestor ID if it was not provided in the authorisation message.
5. The Payment Network will send the authorisation request to the Card Issuer, with the following changes to the authorisation request message:
- Replace Payment Token with PAN.
- Replace Token Expiry Date with PAN Expiry Date.
- Add an indicator that conveys to the Card Issuer that an on-behalf-of validation has been completed by the Token Service Provider of that Payment Token.
- The following Token-related fields are passed to the Card Issuer in the authorisation request:
  - Payment Token
  - Token Expiry Date (Optional)
  - Token Assurance Data (Optional)
  - Token Assurance Level
  - Token Requestor ID
  - POS Entry Mode Code
6. The Card Issuer completes the account-level validation and the authorisation checks, and sends an authorisation response to the Payment Network.
7. The Payment Network will replace the PAN with the Payment Token based on the mapping, and will pass the following required fields to the Acquirer as part of the authorisation response, in addition to other standard data elements:
- Payment Token
- Token Assurance Level
- Last 4 digits of PAN
- PAN Product ID (Optional)
8. The Acquirer will pass the authorisation response to the Merchant.
9. The consumer will be notified of the success or failure of the transaction.
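The following simulation walks the whole flow above end to end: the wallet places the Payment Token and Token Expiry Date in the PAN and PAN Expiry Date fields, the Payment Network has the Token Service Provider check the mapping state, the Token Domain Restriction Controls and the Token Cryptogram, the Card Issuer only ever sees the real PAN together with the on-behalf-of validation indicator, and the response carries the Payment Token, the Token Assurance Level and the last 4 digits of the PAN back to the Acquirer. It is an added example, not code from the EMVCo specification or from any Payment Network. The cryptogram construction (a truncated HMAC-SHA256 over the token data elements), the POS Entry Mode values, the response codes, the field names and all PANs, tokens and identifiers are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumed constants; real values are Payment Network specific.
POS_ENTRY_ECOMMERCE = "81"
POS_ENTRY_CONTACTLESS = "07"
TOKEN_REQUESTOR_ID = "40010030273"   # constructed 11-digit Token Requestor ID
PAN = "4111111111111111"             # constructed test PAN
PAYMENT_TOKEN = "4895370000001234"   # constructed Payment Token


@dataclass
class VaultEntry:
    pan: str
    pan_expiry: str            # MMYY
    token_expiry: str          # MMYY, may differ from the PAN expiry
    token_requestor_id: str
    assurance_level: str
    allowed_entry_modes: frozenset   # Token Domain Restriction Control
    cryptogram_key: bytes            # shared with the wallet at provisioning (assumed)
    state: str = "ACTIVE"


def token_cryptogram(key, token, token_expiry, amount, unpredictable_number):
    """Assumed construction: truncated HMAC-SHA256 over the Payment Token data elements."""
    msg = "|".join([token, token_expiry, amount, unpredictable_number]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class TokenServiceProvider:
    def __init__(self):
        self.vault = {}

    def provision(self, token, entry):
        self.vault[token] = entry

    def detokenise(self, req):
        """Step 4: mapping state, Token Domain Restriction Controls, Token Cryptogram."""
        entry = self.vault.get(req["pan"])
        if entry is None or entry.state != "ACTIVE":
            return None, "token inactive or unknown"
        if req["pos_entry_mode"] not in entry.allowed_entry_modes:
            return None, "token domain restriction control failed"
        # Token Requestor ID is optional in the request; fall back to the vault value.
        if req.get("token_requestor_id", entry.token_requestor_id) != entry.token_requestor_id:
            return None, "token requestor id mismatch"
        expected = token_cryptogram(entry.cryptogram_key, req["pan"], req["pan_expiry"],
                                    req["amount"], req["unpredictable_number"])
        if not hmac.compare_digest(expected, req["token_cryptogram"]):
            return None, "token cryptogram invalid"
        return entry, "ok"


def wallet_auth_request(key, amount, pos_entry_mode, un="1A2B3C4D"):
    """Steps 1-2: the token and token expiry ride in the existing PAN / PAN Expiry fields."""
    return {
        "pan": PAYMENT_TOKEN,
        "pan_expiry": "1228",
        "token_cryptogram": token_cryptogram(key, PAYMENT_TOKEN, "1228", amount, un),
        "token_requestor_id": TOKEN_REQUESTOR_ID,
        "amount": amount,
        "unpredictable_number": un,
        "pos_entry_mode": pos_entry_mode,
    }


def issuer_authorise(req):
    """Step 6: account-level checks on the real PAN; here just a spending limit."""
    assert req["pan"] == PAN and req["tsp_validation_indicator"]
    return "00" if float(req["amount"]) <= 500 else "51"   # 51: insufficient funds (assumed)


def network_process(tsp, req):
    """Steps 4, 5 and 7: de-tokenise, forward to the Card Issuer, re-tokenise the response."""
    entry, reason = tsp.detokenise(req)
    if entry is None:
        # Declined at the Payment Network; the PAN is never exposed to anyone.
        return {"pan": req["pan"], "response_code": "05", "reason": reason}
    issuer_req = dict(req, pan=entry.pan, pan_expiry=entry.pan_expiry,
                      tsp_validation_indicator=True,
                      payment_token=req["pan"], token_expiry=req["pan_expiry"],
                      token_assurance_level=entry.assurance_level)
    code = issuer_authorise(issuer_req)
    return {"pan": req["pan"],           # Payment Token restored to the PAN field
            "response_code": code, "reason": "issuer",
            "token_assurance_level": entry.assurance_level,
            "pan_last4": entry.pan[-4:]}


def run_flow(amount="120.00", pos_entry_mode=POS_ENTRY_ECOMMERCE, tamper=False):
    """Whole flow; the Acquirer (step 3) forwards the request unchanged."""
    key = b"per-token-key-from-provisioning"   # constructed
    tsp = TokenServiceProvider()
    tsp.provision(PAYMENT_TOKEN, VaultEntry(PAN, "0927", "1228", TOKEN_REQUESTOR_ID, "84",
                                            frozenset({POS_ENTRY_ECOMMERCE}), key))
    req = wallet_auth_request(key, amount, pos_entry_mode)
    if tamper:
        req["amount"] = "1.00"   # a change after the wallet signed breaks the cryptogram
    return network_process(tsp, req)
```

Running `run_flow()` returns an approval whose PAN field holds the Payment Token and whose only PAN-derived datum is the last 4 digits; replaying the same token with a contactless POS Entry Mode fails the Token Domain Restriction Control, and altering the amount after the wallet generated the cryptogram fails cryptogram validation, both declined at the Payment Network before the Card Issuer is contacted.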