Network Tokenization

Network Tokenization is a beta feature that is open to Spreedly customers who want to improve their success rates.

Spreedly supports Network Tokenization as part of Spreedly Revenue Optimization. By converting stored credit card data to secure network tokens, merchants get the benefits of higher security, better customer experience, and increased authorization success rates. We offer network tokenization in partnership with Visa and Mastercard and a growing network of gateway partners.

Network Tokens

With the growth of credit cards in e-commerce transactions card networks such as Visa and Mastercard now offer Network Tokenization (NT) services that replace raw card numbers (FPAN) with merchant-specific tokens.

Like regular credit card numbers, these Network Tokens (also called DPAN) are a 16 digit value that can be used for completing e-commerce transactions.

Spreedly Network Tokens

Network tokens offer a wide range of benefits for the merchant and consumers:

  • Network tokens are issued in partnership with issuing banks. As a result network token transactions have a higher authorization rate when compared to payment made without network tokens.
  • Customers have a better experience as network tokens receive proactive updates from the card networks. Merchants can also choose to leverage detailed card art provided with the network token.
  • Network token payments have increased security as they are merchant-specific and each transaction is protected with a one time use cryptogram. As a result, instances of fraud decline with network token use.

Network Tokenization Use Cases

Merchants can benefit from network tokens when the following use cases apply to their business:

  • Recurring transactions that need up to date card on file information.
  • Offer robust customer experience with up to date payment methods and card art.
  • Proactive communication when a customer’s card is suspended or deactivated by the bank.

Spreedly Network Tokenization Service

In order to use network tokens for transactions, a merchant must have a token requestor that has integrated with the card network’s token service (examples include Visa Token Service or Mastercard Digital Enablement Service), be issued a merchant-specific Token Requestor ID (TRID) for each card network, and be integrated with a payment gateway that supports network token transactions.

Spreedly Network Token Requestor

Spreedly allows merchants to meet all these requirements in a single solution. As a Token Requestor Token Service Provider (TR-TSP), Spreedly has completed integrations with Visa and Mastercard allowing merchants to request network tokens using their merchant-specific TRID.

Furthermore, by pairing the network token to the FPAN in a single Spreedly PCI Token, merchants have the flexibility to take advantage of network tokens on multiple gateways while also being able to use PAN for gateways that have not yet adopted network token transactions.

Spreedly Network Tokenization Transaction Flexibility

Supported Gateways

Currently, Spreedly has integrated network token transactions for the following gateways:

Support for additional gateways is in active development. For specific gateway requests, we recommend you contact your Spreedly Account Representative so they can share it with our product team.

Enabling Network Tokenization At Gateways

The following gateways are currently enabled for network tokens at Spreedly but require additional setup at the gateway end before transacting with network tokens via Spreedly.

  • Braintree - In order to be enabled for network tokens on Braintree via Spreedly please contact the gateway and request to have “Third Party Card-On-File network tokens” enabled on the corresponding merchant accounts.
  • Stripe Payment Intents - Please contact Stripe to have your merchant account configured to use network tokens provisioned through Spreedly.

Once you have enabled network tokens on your merchant account at the gateway, you will need to update your gateway at Spreedly with a new field, enabled_network_tokens, set to true.


PUT /v1/gateways/.json HTTPS/1.1

{
  "gateway": {
    "enabled_network_tokens": true
  }
}


Supported Card Networks

Spreedly currently supports network tokenization for the following card networks:

Support for additional card networks is under evaluation. To request the support of a specific network, please notify your Spreedly Customer Contact.

Request A Token Requestor ID

In order for network tokens to be available for merchants, Spreedly must have a Token Requestor ID (TRID) for the merchant. Card networks issue TRIDs independently, so a TRID will be necessary for each network you wish to issue network tokens.

Spreedly can accept existing merchant TRIDs or can help facilitate the acquiring TRIDs from supported card networks. To acquire a new TRID, please fill out the following TRID Request Form and notify your Spreedly contact or support to verify we’ve received the information.

Please note that there can be delays in receiving TRIDs back from the networks depending on request volumes.

For additional information about TRIDs please visit the TRID section of our Network Tokenization FAQ.

Enabling Network Tokenization For Spreedly Account

Access to network tokens and network token transactions is part of the Spreedly Revenue Optimization package.

To begin taking advantage of network tokens, please first contact your Spreedly Customer Contact to discuss enabling Revenue Optimization on your Spreedly account.

Once Revenue Optimization is enabled, your Spreedly Customer Contact will assist in either collecting your existing merchant TRIDs or assisting you in acquiring TRIDs.

While we recommend using network tokens for all supported card networks, it is not a requirement. You may still use network tokenization for a single network so long as that network has issued a TRID for your business.

Your Spreedly Customer Contact will work with our development team to have the TRIDs applied to your Spreedly Account. Once enabled, your Spreedly Customer Contact will notify you when you are able to begin requesting and transacting with network tokens.

Provisioning Network Tokens

In order to take advantage of network token transactions, a network token must first be issued for the card associated with the Spreedly payment method.

For a new retained payment method

The first method allows merchants to request a network token while retaining a new payment method.

When making an API request that supports retained: true or retain_on_success: true, including provision_network_token: true will request a network token be provisioned by the card network for the PAN being retained. This is currently supported for the following API requests:

The response body for the request will include elements to indicate if a network token was provisioned, the network tokens status, and any errors that could have occurred during the network token provisioning.

Note that the success of the underlying transaction is independent of the success of the network token provisioning. Errors with the network tokenization provisioning process do not prevent the PAN from being retained and a Spreedly payment method token from being issued.

While we recommend provisioning network tokens for all cards, the element provision_network_token: true does allow merchants to set the value to false and bypass provisioning. This may be advantageous for merchants that wish to do A/B testing and want maximum control of their payment methods. Not including provision_network_token in a request has the same effect as false.

For merchants that wish to provision tokens for all new payment methods, we encourage them to leave provision_network_token: true for all retain requests. Doing so will ensure network tokens are requested for supported card networks and will not impact retaining payment methods for unsupported card networks.

Request Body

Existing API properties remain unchanged. Examples below are truncated only to illustrate new API properties for Network Tokenization.
For additional examples and information, please review the Spreedly API Reference.

Element Description
payment_method Root element
❯ provision_network_token true if this payment method should be provisioned a network token. Only applicable for payment methods to be retained.

POST /v1/payment_methods.json HTTPS/1.1

{
  "payment_method": {
    "credit_card": {
      "first_name": "Joe",
      "last_name": "Jones",
      "number": "5555555555554444",
    },
    ...
    "retained": true,
    "provision_network_token": true
  }
}


Response Body

Existing API properties remain unchanged. Examples below are truncated only to illustrate new API properties for Network Tokenization.
For additional examples and information, please review the Spreedly API Reference.

Element Description
transaction Root element
❯ network_tokenization Network tokenization information as part of this transaction, if applicable.
❯❯ provisioned true if NT successfully provisioned; false otherwise.
❯❯ token_status Status of the token, if one was provisioned. Can be one of the following:
  • inactive
  • active
  • suspended
  • deactivated
❯❯ errors If the request to provision network token is invalid or if tokenization not successful, there will be associated error messages here. Array of { key: "key", message: "message" } pairs.
❯❯❯ key Error code. Can be one of the following:
  • not_enabled_feature
  • not_enabled_for_environment
  • network_service_error
  • unsupported_card_type
❯❯❯ message Verbose information on the error code. Can be one of the following:
  • Network Tokenization service is not currently enabled at Spreedly.
  • Network Tokenization is not enabled on this environment.
  • Mastercard/Visa Network Tokenization service down.
  • Unsupported Card Type for Network Tokenization.

{
  "transaction": {
    "token": "L46gdNQunedFoor9ySRJfgz7RAk",
    "created_at": "2020-02-11T20:49:32Z",
    "updated_at": "2020-02-11T20:49:32Z",
    "succeeded": true,
    "transaction_type": "AddPaymentMethod",
    ...
    "payment_method": {
      "token": "VBVmxAmSDxmc7AjUGi7ViUf9avm",
      "created_at": "2020-02-11T20:49:32Z",
      "updated_at": "2020-02-11T20:49:32Z",
      "email": "joey@example.com",
      ...
    },
    "network_tokenization": {
      "provisioned": true,
      "token_status": "active",
      "errors": [
      ]
    }
  }
}

We recommend reading the following sections of the Network Tokenization FAQ to learn more:

  • Provisioning Network Tokens
  • Network Token Statuses
  • Testing Network Tokens

For an existing payment method

(In Development)

The second method for requesting a network token is to pass in an existing Spreedly payment method.

The development team is actively working on this feature. Guides will be updated and early NT adopters notified when this feature is available.

Transacting with Network Tokens

Once your Spreedly vault has payment methods with network tokens you will be ready to use network tokens to complete tokenized transactions.

Network token transactions leverage existing payment transaction API requests and your existing Spreedly tokens. In a similar manner to provisioning network tokens, when a merchant uses the Spreedly API to complete a payment transaction for a given Spreedly token they can include the element attempt_network_token: true to attempt using a network token for the transaction.

Currently, the following payment transaction APIs are supported:

Successful authorizations using network tokens are simply Captured or Voided in the same manner as PAN transactions. Likewise completed Captures or Purchases can be Voided or Credited.

Similar to provisioning network tokens, we encourage merchants to always set attempt_network_token: true to take advantage of network tokens whenever possible unless the gateway being transacted against requires merchants to be enabled ahead of time.

Spreedly has logic that checks multiple variables to determine if a network token will work for a transaction; if any variable does not pass, then the transaction will be made using the PAN associated with the Spreedly payment method token. This process is documented in the following section.

For merchants wishing to have more control of their payments attempt_network_token: false can be used to force the use of the PAN for the transaction. Use cases for false include A/B testing and combining network tokens with 3DS2 and/or smart routing.

Request Body

Existing API properties remain unchanged. Examples below are truncated only to illustrate new API properties for Network Tokenization.
For additional examples and information, please review the Spreedly API Reference.

Element Description
transaction Root element
❯ attempt_network_token true if this transaction should use network token; if one is available. false or skip this element if do not want to use network token for this payment method, and want to use PAN instead.

POST /v1/gateways//authorize. HTTPS/1.1

{
  "transaction": {
    "payment_method_token": "56wyNnSmuA6CWYP7w0MiYCVIbW6",
    "amount": 100,
    "currency_code": "USD",
    "attempt_network_token": true
  }
}


Response Body

Existing API properties remain unchanged. Examples below are truncated only to illustrate new API properties for Network Tokenization.
For additional examples and information, please review the Spreedly API Reference.

Element Description
transaction Root element
❯ network_tokenization Network tokenization information as part of this transaction, if applicable.
❯❯ attempted true if transaction was attempted with a network token. false if PAN was used instead.
❯❯ errors If the request to transact with network token is invalid or if the NT transaction was not successful, there will be associated error messages here. Array of { key: "key", message: "message" } pairs.
❯❯❯ key Error code. Can be one of the following:
  • not_enabled_feature
  • not_enabled_for_environment
  • unsupported_card_type
  • token_not_provisioned
  • token_not_active
  • no_gateway_support
  • cryptogram_error
❯❯❯ message Verbose information on the error code. Can be one of the following:
  • Network Tokenization service is not currently enabled at Spreedly.
  • Network Tokenization service is not enabled on this environment.
  • Unsupported Card Type for Network Tokenization.
  • No Network Token provision request made for provided Payment Method.
  • Network Token for requested Payment Method is not currently active to use in transactions.
  • Network Tokenization service not supported on requested gateway.
  • Cryptogram could not be successfully retrieved for Network Token.

{
  "transaction": {
    "on_test_gateway": true,
    "created_at": "2018-11-07T15:01:46Z",
    "updated_at": "2018-11-07T15:01:46Z",
    "succeeded": true,
    ...
    "payment_method": {
      "token": "1rpKvP8zOUhj4Y9EDrIoIYQzzD5",
      "created_at": "2017-06-26T17:04:38Z",
      "updated_at": "2018-11-07T15:01:45Z",
      ...
    },
    "network_tokenization": {
      "attempted": true,
      "errors": [
      ]
    }
  }
}

We recommend reading the following sections of the Network Tokenization FAQ to learn more:

  • Testing Network Tokens
  • Using Network Tokens and 3DS2
  • Using Network Tokens and Smart Routing

Understanding When Network Tokens Are Used

Ultimately the goal of network tokens is to have a successful transaction with higher authorization and security.

However, there are many factors that determine if a network token is appropriate to use for a transaction. Spreedly takes into consideration the following factors before attempting to use a network token for a requested transaction:

  • Is RO enabled for a merchant’s Spreedly Account?
  • Did the merchant include attempt_network_token: true the transaction API request?
  • Does the Spreedly payment method in the transaction have a Network Token with an Active Status?
  • Does the selected Gateway support network token transactions?
  • Can a cryptogram or a previous network transaction ID be used to securely use the network token?

Rather than task the merchant with evaluating these factors, Spreedly evaluates all these factors when the transaction API request is submitted.

When all scenarios evaluate to true, Spreedly will use the network token to complete the transaction.

If any factors evaluate to false, then Spreedly will instead use the PAN associated with the Spreedly payment to complete the transaction.

We recommend reading the following sections of the Network Tokenization FAQ to learn more:

  • Network Token Statuses
  • Network Tokens and Cryptograms
  • Network Tokens and Recurring Transactions

Interpreting NT Transaction Responses

As discussed in the previous section, Spreedly handles determining if a network token will work for a given transaction request.

In an effort to be transparent and empower merchants with data for internal reporting and logging purposes, authorization and purchase API transactions requesting the use of a network token include a network_tokenization data element in the API response. The network_tokenization data element explains whether or not a network token was used and information as to why.

While a detailed version of the response body and it’s various elements can be found in our API documentation, the following is a brief summary of the data available:

  • attempted - True or False statement as to if a network token was attempted for the transaction.
  • token_status - The status of the token at the time of the transaction.
  • errors - A combination of an error key and verbose description for why the network token was not used.

Along with the information provided in the network_tokenization element, the existing transaction response structure will return with the standard response. The combination of both elements in the response provides merchants with the full picture of the transaction - whether or not the transaction was successful and whether or not a network token was used for the transaction.

We recommend reading the following sections of the Network Tokenization FAQ to learn more:

  • Network Token Statuses

Example NT Transaction Scenarios

Here are some examples that illustrate different NT transaction scenerios that could occur and how to interpret them.

Existing API properties remain unchanged. Examples below are truncated only to illustrate new API properties for Network Tokenization.
For additional examples and information, please review the Spreedly API Reference.


1. Merchant does not set the NT flag in the request.

As a merchant, I do not want to use a network token for the transaction.

Request

attempt_network_token is not included in the request.

Response

Returns standard response. network_tokenization object is not included in the response.

2. Merchant requests an NT transaction which succeeds.

As a merchant, I would like to see if network token were used for the transaction.

Request

"attempt_network_token": true

Response

{
  "transaction": {
    "created_at": "2018-11-07T15:01:46Z",
    "updated_at": "2018-11-07T15:01:46Z",
    "succeeded": true,
    ...
    "network_tokenization": {
      "attempted": true,
      "errors": [
      ]
    }
  }
}


3. Merchant attempts to use NT, but NT is not available for that payment method. Transaction succeeds with PAN.

As a merchant, I could use this response cue the payment method for ‘re-tokenization’.

Request

"attempt_network_token": true

Response

{
  "transaction": {
    "created_at": "2018-11-07T15:01:46Z",
    "updated_at": "2018-11-07T15:01:46Z",
    "succeeded": true,
    ...
    "network_tokenization": {
      "attempted": false,
      "errors": [{
        "key": "token_not_provisioned",
        "message": "No Network Token provision request made for provided Payment Method."
      }]
    }
  }
}


4. Merchant attempts to use NT, but gateway does not support NT, so PAN is used.

As a merchant, I could use this response to adjust my NT gateway strategy or alert Spreedly of an issue.

Request

"attempt_network_token": true

Response

{
  "transaction": {
    "created_at": "2018-11-07T15:01:46Z",
    "updated_at": "2018-11-07T15:01:46Z",
    "succeeded": true,
    ...
    "network_tokenization": {
      "attempted": false,
      "errors": [{
        "key": "no_gateway_support",
        "message": "Network Tokenization service not supported on requested gateway."
      }]
    }
  }
}


5. Merchant attempts to use NT, but NT is deactivated because the bank account is deactivated. PAN transaction fails because bank account is closed.

As a merchant, I could use this response to trigger a ‘save’ program for the payment, that could notify the user to adjust their card details since neither the token or PAN worked.

Request

"attempt_network_token": true

Response

{
  "transaction": {
    "created_at": "2018-11-07T15:01:46Z",
    "updated_at": "2018-11-07T15:01:46Z",
    "succeeded": false,
    ...
    "network_tokenization": {
      "attempted": false,
      "errors": [{
        "key": "token_not_active",
        "message": "Network Token for requested Payment Method is not currently active to use in transactions."
      }]
    }
  }
}


6. Merchant attempts to use NT, but run into an NT error fetching the cryptogram, so PAN is used.

As a merchant, I could use this response to understand if there were unexpected errors with using network tokens.

Request

"attempt_network_token": true

Response

{
  "transaction": {
      "created_at": "2018-11-07T15:01:46Z",
      "updated_at": "2018-11-07T15:01:46Z",
      "succeeded": true,
      ...
      "network_tokenization": {
        "attempted": false,
        "errors": [{
          "key": "cryptogram_error",
          "message": "Cryptogram could not be successfully retrieved for Network Token."
        }]
      }
    }
}