Create or Update Token (with system-generated token)

Request for the gateway to store a payment instrument against a token, where the system generates the token id.

This may include:

  • credit or debit card details
  • gift card details
  • ACH bank account details
  • PayPal billing agreement details
Note: The behaviour of this call depends on two aspects of your token repository configuration: Token Generation Strategy (either Merchant-Supplied, Random or Preserve 6.4) and Token Management strategy (Unique Card or Unique Token). For more information, see How to Configure Tokenization. Your Token Generation Strategy and Token Management Strategy are configured on your merchant profile (by your payment service provider).

If you are configured to use the Token Generation Strategy Random or Preserve 6.4', you can use this call to create the token. If you use the Token Generation Strategy Merchant-Supplied, do not use this call but use the Tokenize call instead.

Typically, this call will return a new token. However, if the repository is configured for the Token Management Strategy Unique Account Identifier and the supplied account identifier (e.g. card number or PayPal Billing Agreement ID) has previously been stored against an existing token, the gateway will return that token.

If you provide a shipping address or shipping contact details, these will be ignored.

POST https://anzegate.gateway.mastercard.com/api/nvp/version/65

Authentication

This operation requires authentication via one of the following methods:


  • Certificate authentication.
  • To authenticate to the API two additional NVP parameters must be supplied in the request. Provide 'merchant.<your gateway merchant ID>' in the apiUsername field and your API password in the apiPassword field.

Request

Fields

apiOperation String = TOKENIZE FIXED

Any sequence of zero or more unicode characters.

billing OPTIONAL

Details of the payer's billing address.

billing.address OPTIONAL

The payer's billing address.

This data may be used to qualify for better interchange rates on corporate purchase card transactions.

billing.address.city String OPTIONAL

The city portion of the address.

Data can consist of any characters

Min length: 1 Max length: 100
billing.address.company String OPTIONAL

The name of the company associated with this address.

Data can consist of any characters

Min length: 1 Max length: 100
billing.address.country Upper case alphabetic text OPTIONAL

The 3 letter ISO standard alpha country code of the address.

Data must consist of the characters A-Z

Min length: 3 Max length: 3
billing.address.postcodeZip Alphanumeric + additional characters OPTIONAL

The post code or zip code of the address.

Data may consist of the characters 0-9, a-z, A-Z, ' ', '-'

Min length: 1 Max length: 10
billing.address.stateProvince String OPTIONAL

The state or province of the address.

Data can consist of any characters

Min length: 1 Max length: 20
billing.address.stateProvinceCode String OPTIONAL

The three character ISO 3166-2 country subdivision code for the state or province of the address.

Providing this field might improve your payer experience for 3-D Secure payer authentication.

Data can consist of any characters

Min length: 1 Max length: 3
billing.address.street String OPTIONAL

The first line of the address.

For example, this may be the street name and number, or the Post Office Box details.

Data can consist of any characters

Min length: 1 Max length: 100
billing.address.street2 String OPTIONAL

The second line of the address (if provided).

Data can consist of any characters

Min length: 1 Max length: 100
correlationId String OPTIONAL

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
customer OPTIONAL

Information about the customer, including their contact details.

customer.email Email OPTIONAL

The email address of the customer.

The field format restriction ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses.

Ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses

customer.firstName String OPTIONAL

The customer's first name.

Data can consist of any characters

Min length: 1 Max length: 50
customer.lastName String OPTIONAL

The customer's last or surname.

Data can consist of any characters

Min length: 1 Max length: 50
customer.mobilePhone Telephone Number OPTIONAL

The customer's mobile phone or cell phone number in ITU-T E123 format, for example +1 607 1234 5678

The number consists of:

  • '+'
  • country code (1, 2 or 3 digits)
  • 'space'
  • national number ( which may embed single spaces characters for readability).

Data consists of '+', country code (1, 2 or 3 digits), 'space', and national number (which may embed single space characters for readability)

Mandatory country code: true Max total digits: 15
customer.phone Telephone Number OPTIONAL

The customer's phone number in ITU-T E123 format, for example +1 607 1234 456

The number consists of:

  • '+'
  • country code (1, 2 or 3 digits)
  • 'space'
  • national number ( which may embed single spaces characters for readability).

Data consists of '+', country code (1, 2 or 3 digits), 'space', and national number (which may embed single space characters for readability)

Mandatory country code: true Max total digits: 15
customer.taxRegistrationId String OPTIONAL

The tax registration identifier of the customer.

Data can consist of any characters

Min length: 1 Max length: 30
device OPTIONAL

Information about the device used by the payer for this transaction.

device.ipAddress String OPTIONAL

The IP address of the device used by the payer, in nnn.nnn.nnn.nnn format.

Data can consist of any characters

Min length: 7 Max length: 15
session.id ASCII Text OPTIONAL

Identifier of the payment session containing values for any of the request fields to be used in this operation.

Values provided in the request will override values contained in the session.

Data consists of ASCII characters

Min length: 31 Max length: 35
session.version ASCII Text OPTIONAL

Use this field to implement optimistic locking of the session content.

Do this if you make business decisions based on data from the session and wish to ensure that the same data is being used for the request operation.

To use optimistic locking, record session.version when you make your decisions, and then pass that value in session.version when you submit your request operation to the gateway.

If session.version provided by you does not match that stored against the session, the gateway will reject the operation with error.cause=INVALID_REQUEST.

See Making Business Decisions Based on Session Content.

Data consists of ASCII characters

Min length: 10 Max length: 10
shipping OPTIONAL

Information on the shipping address including the contact details of the addressee.

These details will only be stored against the token if the request is for storing PayPal billing agreement details.

shipping.address OPTIONAL

The address to which this order will be shipped.

shipping.address.city String OPTIONAL

The city portion of the address.

Data can consist of any characters

Min length: 1 Max length: 100
shipping.address.country Upper case alphabetic text OPTIONAL

The 3 letter ISO standard alpha country code of the address.

Data must consist of the characters A-Z

Min length: 3 Max length: 3
shipping.address.postcodeZip Alphanumeric + additional characters OPTIONAL

The post code or zip code of the address.

Data may consist of the characters 0-9, a-z, A-Z, ' ', '-'

Min length: 1 Max length: 10
shipping.address.stateProvince String OPTIONAL

The state or province of the address.

Data can consist of any characters

Min length: 1 Max length: 20
shipping.address.street String OPTIONAL

The first line of the address.

For example, this may be the street name and number, or the Post Office Box details.

Data can consist of any characters

Min length: 1 Max length: 100
shipping.address.street2 String OPTIONAL

The second line of the address (if provided).

Data can consist of any characters

Min length: 1 Max length: 100
shipping.contact OPTIONAL

Details of the contact person at the address the goods will be shipped to.

shipping.contact.firstName String OPTIONAL

The first name of the person to whom the order is being shipped.

Data can consist of any characters

Min length: 1 Max length: 50
shipping.contact.lastName String OPTIONAL

The last name or surname of the person to whom the order is being shipped.

Data can consist of any characters

Min length: 1 Max length: 50
shipping.origin.postcodeZip Alphanumeric + additional characters OPTIONAL

The post code or zip code of the address the order is shipped from.

Data may consist of the characters 0-9, a-z, A-Z, ' ', '-'

Min length: 1 Max length: 10
transaction.currency Upper case alphabetic text OPTIONAL

The currency which should be used for acquirer card verification.

Not required for basic verification.

Data must consist of the characters A-Z

Min length: 3 Max length: 3
verificationStrategy Enumeration OPTIONAL

The strategy used to verify the payment instrument details before they are stored.

You only need to specify the verification strategy if you want to override the default value configured for your merchant profile. When the verification strategy is

  • BASIC you must also provide the card expiry date in the sourceOfFunds.provided.card.expiry parameter group.
  • ACQUIRER you must also provide the card expiry date in the sourceOfFunds.provided.card.expiry parameter group and the currency in the transaction.currency field.
  • ACCOUNT_UPDATER you must also provide a currency in the transaction.currency field and the sourceOfFunds parameter group is optional.
To use this operation to request an account update
  • you need to be enabled for Account Updater by your payment service provider.
  • you can subsequently inquire about any updates the gateway has made to the token based on the Account Updater response using the RETRIEVE_TOKEN or SEARCH_TOKENS operations.
As a result of an account update the payment details stored against the token may be updated or the token may be marked as invalid. Any updates made to the payment details respect the token management strategy configured for your token repository. For example, if the token repository is configured with a token generation strategy of Preserve 6.4 and an account update indicates that the card number has changed, the token is marked as invalid. You can no longer use an invalid token and must ask your payer for new payment details.

Used to nominate which type of Verification to use when payment instrument details are stored in the token repository. This setting overrides the default settings in Merchant Manager.

Value must be a member of the following list. The values are case sensitive.

ACQUIRER

The gateway performs a Web Services API Verify request. Depending on the payment type, you may need to provide additional details to enable the submission of a Verify request.

BASIC

The gateway verifies the syntax and supported ranges of the payment instrument details provided, .e.g for a card it validates the card number format and checks if the card number falls within a valid BIN range.

NONE

The gateway does not perform any validation or verification of the payment instrument details provided.

Response

Fields

customer CONDITIONAL

Information about the customer, including their contact details.

customer.email Email CONDITIONAL

The email address of the customer.

The field format restriction ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses.

Ensures that the email address is longer than 3 characters and adheres to a generous subset of valid RFC 2822 email addresses

customer.firstName String CONDITIONAL

The customer's first name.

Data can consist of any characters

Min length: 1 Max length: 50
customer.lastName String CONDITIONAL

The customer's last or surname.

Data can consist of any characters

Min length: 1 Max length: 50
customer.mobilePhone String CONDITIONAL

The customer's mobile phone or cell phone number in ITU-T E123 format, for example +1 607 1234 5678

The number consists of:

  • '+'
  • country code (1, 2 or 3 digits)
  • 'space'
  • national number ( which may embed single spaces characters for readability).

Data can consist of any characters

Min length: 1 Max length: 20
customer.phone String CONDITIONAL

The customer's phone number in ITU-T E123 format, for example +1 607 1234 456

The number consists of:

  • '+'
  • country code (1, 2 or 3 digits)
  • 'space'
  • national number ( which may embed single spaces characters for readability).

Data can consist of any characters

Min length: 1 Max length: 20
customer.taxRegistrationId String CONDITIONAL

The tax registration identifier of the customer.

Data can consist of any characters

Min length: 1 Max length: 30
device CONDITIONAL

Information about the device used by the payer for this transaction.

device.ipAddress String CONDITIONAL

The IP address of the device used by the payer, in nnn.nnn.nnn.nnn format.

Data can consist of any characters

Min length: 7 Max length: 15
replacementToken Alphanumeric CONDITIONAL

If a replacement token for this token is provided, you must

  • start using the replacement token instead of this token and
  • delete this token

If a replacement token is provided, this token is not marked as invalid (status=INVALID) and has been updated to allow you to keep using it until you have started using the replacement token.

However, you will no longer be able to update this token. For more details see Gateway Tokenization

Data may consist of the characters 0-9, a-z, A-Z

Min length: 1 Max length: 40
repositoryId ASCII Text CONDITIONAL

Unique identifier of the token repository.

Token repositories can be shared across merchants; however, a single merchant can be associated with only one token repository at a given time. Every token repository has a corresponding test token repository, which only the merchants with the corresponding test profiles can access. For example, if the repository ID is ABC, the test repository ID will be TestABC. Hence, the system displays an error if you specify a repository ID that starts with 'Test'

Data consists of ASCII characters

Min length: 1 Max length: 16
response.gatewayCode Enumeration CONDITIONAL

Summary of the success or otherwise of the operation.

Value must be a member of the following list. The values are case sensitive.

BASIC_VERIFICATION_SUCCESSFUL

The card number format was successfully verified and the card exists in a known range.

EXTERNAL_VERIFICATION_BLOCKED

The external verification was blocked due to risk rules.

EXTERNAL_VERIFICATION_DECLINED

The card details were sent for verification, but were was declined.

EXTERNAL_VERIFICATION_DECLINED_AUTHENTICATION_REQUIRED

The card details were sent for verification, but were declined as authentication required.

EXTERNAL_VERIFICATION_DECLINED_EXPIRED_CARD

The card details were sent for verification, but were declined as the card has expired.

EXTERNAL_VERIFICATION_DECLINED_INVALID_CSC

The card details were sent for verification, but were declined as the Card Security Code (CSC) was invalid.

EXTERNAL_VERIFICATION_PROCESSING_ERROR

There was an error processing the verification.

EXTERNAL_VERIFICATION_SUCCESSFUL

The card details were successfully verified.

NO_VERIFICATION_PERFORMED

The card details were not verified.

SCHEME_TOKENIZATION_DECLINED

The card details that your payer has made available to you via their card issuer (for push provisioning) could not be tokenized. The request was declined by the token service provider or issuer.

SCHEME_TOKENIZATION_ERROR

The card details that your payer has made available to you via their card issuer (for push provisioning) could not be tokenized. The token service provider returned an error response.

SCHEME_TOKENIZATION_SUCCESSFUL

The card details your payer has made available to you via their card issuer (for push provisioning) were successfully tokenized by the token service provider.

SCHEME_TOKENIZATION_SUCCESSFUL_ADDITIONAL_AUTHENTICATION_REQUIRED

The card details your payer has made available to you via their card issuer (for push provisioning) were successfully tokenized by the token service provider, but the issuer needs to perform additional authentication of the cardholder.

result Enumeration ALWAYS PROVIDED

A system-generated high level overall result of the Save operation.

Value must be a member of the following list. The values are case sensitive.

FAILURE

The operation was declined or rejected by the gateway, acquirer or issuer

PENDING

The operation is currently in progress or pending processing

SUCCESS

The operation was successfully processed

UNKNOWN

The result of the operation is unknown

shipping CONDITIONAL

Information on the shipping address including the contact details of the addressee.

These details will only be stored against the token if the request is for storing PayPal billing agreement details.

shipping.address CONDITIONAL

The address to which this order will be shipped.

shipping.address.city String CONDITIONAL

The city portion of the address.

Data can consist of any characters

Min length: 1 Max length: 100
shipping.address.country Upper case alphabetic text CONDITIONAL

The 3 letter ISO standard alpha country code of the address.

Data must consist of the characters A-Z

Min length: 3 Max length: 3
shipping.address.postcodeZip Alphanumeric + additional characters CONDITIONAL

The post code or zip code of the address.

Data may consist of the characters 0-9, a-z, A-Z, ' ', '-'

Min length: 1 Max length: 10
shipping.address.stateProvince String CONDITIONAL

The state or province of the address.

Data can consist of any characters

Min length: 1 Max length: 20
shipping.address.street String CONDITIONAL

The first line of the address.

For example, this may be the street name and number, or the Post Office Box details.

Data can consist of any characters

Min length: 1 Max length: 100
shipping.address.street2 String CONDITIONAL

The second line of the address (if provided).

Data can consist of any characters

Min length: 1 Max length: 100
shipping.contact CONDITIONAL

Details of the contact person at the address the goods will be shipped to.

shipping.contact.firstName String CONDITIONAL

The first name of the person to whom the order is being shipped.

Data can consist of any characters

Min length: 1 Max length: 50
shipping.contact.lastName String CONDITIONAL

The last name or surname of the person to whom the order is being shipped.

Data can consist of any characters

Min length: 1 Max length: 50
shipping.origin.postcodeZip Alphanumeric + additional characters CONDITIONAL

The post code or zip code of the address the order is shipped from.

Data may consist of the characters 0-9, a-z, A-Z, ' ', '-'

Min length: 1 Max length: 10
status Enumeration ALWAYS PROVIDED

An indicator of whether or not you can use this token in transaction requests.

Transaction requests using an invalid token are rejected by the gateway.

To change the token status, update the payment details stored against the token. Note that there are limitations on the update functionality depending on how your payment service provider has configured your token repository.

Card Details

A token that contains card details can become invalid in the following cases:

  • Scheme Token Provider: If a response or notification from the scheme token provider indicates that the card number for this scheme token has changed and the scheme token is no longer active.
  • Recurring Payment Advice: If the acquirer response for a recurring payment indicates that you must not attempt another recurring payment with the card number stored against this token.
  • Account Updater: If you are configured for Account Updater and an Account Updater response indicates that the card details are no longer valid.


PayPal Details

A token that contains PayPal payment details becomes invalid when the payer withdraws their consent to the Billing Agreement.

Value must be a member of the following list. The values are case sensitive.

INVALID

The payment details stored against the token have been identified as invalid. The gateway will reject operation payment requests using this token.

VALID

The payment details stored against the token are considered to be valid. The gateway will attempt to process operation requests using this token.

usage CONDITIONAL

Information about the usage of the token.

usage.lastUpdated DateTime CONDITIONAL

The timestamp indicating the time the token was last updated.

An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"

usage.lastUpdatedBy Alphanumeric + additional characters CONDITIONAL

The identifier of the merchant who last updated the token.

Data may consist of the characters 0-9, a-z, A-Z, '-', '_'

Min length: 1 Max length: 40
usage.lastUsed DateTime CONDITIONAL

The timestamp indicating the time the token was last used or saved.

An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"

verificationStrategy Enumeration CONDITIONAL

The strategy used to verify the payment instrument details before they are stored.

You only need to specify the verification strategy if you want to override the default value configured for your merchant profile. When the verification strategy is

  • BASIC you must also provide the card expiry date in the sourceOfFunds.provided.card.expiry parameter group.
  • ACQUIRER you must also provide the card expiry date in the sourceOfFunds.provided.card.expiry parameter group and the currency in the transaction.currency field.
  • ACCOUNT_UPDATER you must also provide a currency in the transaction.currency field and the sourceOfFunds parameter group is optional.
To use this operation to request an account update
  • you need to be enabled for Account Updater by your payment service provider.
  • you can subsequently inquire about any updates the gateway has made to the token based on the Account Updater response using the RETRIEVE_TOKEN or SEARCH_TOKENS operations.
As a result of an account update the payment details stored against the token may be updated or the token may be marked as invalid. Any updates made to the payment details respect the token management strategy configured for your token repository. For example, if the token repository is configured with a token generation strategy of Preserve 6.4 and an account update indicates that the card number has changed, the token is marked as invalid. You can no longer use an invalid token and must ask your payer for new payment details.

Value must be a member of the following list. The values are case sensitive.

ACQUIRER

The gateway performs a Web Services API Verify request. Depending on the payment type, you may need to provide additional details to enable the submission of a Verify request.

BASIC

The gateway verifies the syntax and supported ranges of the payment instrument details provided, .e.g for a card it validates the card number format and checks if the card number falls within a valid BIN range.

NONE

The gateway does not perform any validation or verification of the payment instrument details provided.

Errors

error

Information on possible error conditions that may occur while processing an operation using the API.

error.cause Enumeration

Broadly categorizes the cause of the error.

For example, errors may occur due to invalid requests or internal system failures.

Value must be a member of the following list. The values are case sensitive.

INVALID_REQUEST

The request was rejected because it did not conform to the API protocol.

REQUEST_REJECTED

The request was rejected due to security reasons such as firewall rules, expired certificate, etc.

SERVER_BUSY

The server did not have enough resources to process the request at the moment.

SERVER_FAILED

There was an internal system failure.

error.explanation String

Textual description of the error based on the cause.

This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.

Data can consist of any characters

Min length: 1 Max length: 1000
error.field String

Indicates the name of the field that failed validation.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Data can consist of any characters

Min length: 1 Max length: 100
error.supportCode String

Indicates the code that helps the support team to quickly identify the exact cause of the error.

This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.

Data can consist of any characters

Min length: 1 Max length: 100
error.validationType Enumeration

Indicates the type of field validation error.

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.

Value must be a member of the following list. The values are case sensitive.

INVALID

The request contained a field with a value that did not pass validation.

MISSING

The request was missing a mandatory field.

UNSUPPORTED

The request contained a field that is unsupported.

result Enumeration

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

ERROR

The operation resulted in an error and hence cannot be processed.