The card tokenization process with Pismo involves the following participants:

• Card network - The entity (Visa, Mastercard, and so on) responsible for generating the token using card sensitive information such as the Primary Account Number (PAN). The network manages the tokenization and authorization process and is involved throughout.
• Issuer token service providers - I-TSPs are responsible for token management. A TSP provides the APIs and resources necessary for provisioning and lifecycle flow according to each network's rules and certification. Pismo is an I-TSP.
• Token requestor - All entities that request payment tokens in return for a payment card. These entities include wallets, issuer apps, and e-commerce sites such as Netflix.
• Issuers - Also known as Payment Service Providers (PSP). Makes decisions on each tokenization request based on several parameters to ensure that tokenized cards are issued to the rightful owners. As with physical cards, the Issuer must also handle the life cycle management of existing tokens. To be able to issue these cards and participate in these processes, the issuer must connect to a I-TSP such as Pismo.

As an I-TSP, Pismo provides network-agnostic API endpoints that can handle tokenization requests and responses for different networks. However, we also account for network-specific differences. Our solution provides different payloads for each network in the events stream, including network-specific metadata that provides additional context about the token and its status, such as the network identifier, tokenization scheme, and token expiration date. This approach helps simplify the development process for issuers and processors and improves the user experience for customers using digital wallets for payments.

Issuer involvement in tokenization process

As an issuer, you can do three things as part of the tokenization process.

📘

Post-setup

Note that this is after setup with Pismo and the card networks is completed and the tokenization process is in place. See Getting started in this article for more information on getting this process set up.

1. Assign the network card profile - The network card profile determines such things as how the card is visually displayed in a mobile payment app. As the issuer, you need to configure network profiles with the card network.
2. Code your own tokenization anti-fraud webhook - Pismo calls this webhook during the tokenization process. This webhook allows you to perform your own validations, in addition to Pismo's, and set the authentication method, if any.
3. Monitor the events generated in the tokenization process - Once you have set up data and reporting, you can monitor the events that Pismo and the network generate during tokenization. See Card tokenization flow and events for more information. The sequence diagrams in this article show where events are emitted in tokenization flows.

Token provisioning

There are two ways to provision a token :

• Manual provisioning - Cardholder enters card data directly into a wallet app to initiate provisioning .
• Push provisioning - Cardholder initiates provisioning using an issuer app.

Manual provisioning flow

Push provisioning flow

Manual provisioning authentication

There are 4 ways, during the tokenization process with Pismo, that a cardholder can be asked or challenged to verify their identity.

• Application to application - Pismo redirects cardholder to the issuer's app for authentication.
• SMS one-time password (OTP) - Pismo sends authentication request via text message.
• E-mail OTP - Pismo sends authentication request via email.
• Call center - Pismo redirects cardholder to call center for authorization.

Application to application (App2App)

Key points:

• To offer this method, the Issuer app’s URL has to be registered with Pismo
• Pismo is not involved on the wallet's request to the issuers app, or the app's cardholder authentication
• To activate the token, use the Perform token operation endpoint, operation_type = CARDHOLDER_SETUP_APP_TO_APPfor Mastercard and CALL_CENTER_ACTIVATION for Visa.
• If other manual authentication method is registered, all the options are displayed for the cardholder to select

Visa

Mastercard

SMS OTP

Key points

• To offer this method, the cardholder's phone number has to be registered with Pismo
• If you want to send the SMS to your cardholder, the one-time password (OTP) value is delivered to you in an event
• The issuer defines the SMS template (140 chars max)
• If other manual authentication method is registered, all options are displayed for the cardholder to select

Note: Pismo’s SMS sending service is not available in all regions, please consult your representative to confirm

Visa

Mastercard

Email OTP

Key points:

• To offer this method, the cardholder's email has to be registered with Pismo
• The issuer is responsible for delivering the one-time password (OTP) code in an email
• If other manual authentication method is registered, all the options are displayed for the cardholder to select

Visa

Mastercard

Call center

Key points

• The issuer is responsible for the call center service
• After call center verification, activate the token using the Perform token operation endpoint, operation_type = CALL_CENTER_ACTIVATION
• If other manual authentication method is registered, all the options will be displayed for the cardholder to select

Visa

Mastercard

Push provisioning detailed flow

Also known as in-app provisioning. In this scenario, the cardholder initiates provisioning using an issuer app. The issuer has to install the wallet's SDK on their app for this integration, and use Pismo’s endpoints to generate an authentication value that contains the card information encrypted with keys/certificates that are known to the wallet and network. The issuer passes this value to the wallet SDK.

Visa Google Pay push provisioning

Mastercard Google Pay push provisioning

Visa Apple Pay push provisioning

Mastercard Apple Pay push provisioning

Tokenizing Pismo card using wallet SDK

You can use the following Pismo endpoints to get the encrypted card data you need for tokenization using the Google Pay, Apple Pay, and Samsung Pay SDKs.

• Create encrypted data for Google Pay
• Create encrypted card data for Apple Pay
• Create encrypted card data for Samsung Pay

Token lifecyle

Pismo uses the following card token enums:

• INACTIVE - Initial token status during provisioning. Can be activated or deactivated.
• FAILED - Token was not provisioned due to error. Cannot be changed
• ACTIVE - Activated token that can be used for transactions. Can be suspended or deactivated.
• SUSPENDED - Token is temporarily disabled and cannot be used for transactions. Can be activated or deactivated
• DEACTIVATED - Token is deleted. Cannot be changed.

Pismo offers endpoints for getting token information and performing token operations.. Those endpoints are connected directly to the networks and to wallets so they can update their own information when applicable.

• Get token information - Get token information given a card ID and token ID
• Get card tokens - Get information about a card's tokens
• Perform token operation - Perform token operations such as call center activation, delete token, suspend token and so on.

Lifecycle example operation

Primary account number (PAN) update

The PAN update feature transfers a card's existing provisioned tokens to a new card when the card is reissued

Pismo provides the following endpoints for this purpose. Note that token transfer is not automatic, you need to call one of these endpoints:

• Card reissue endpoint (Reissue card) - set update_tokens parameter to true.
• PAN update endpoint (Transfer card tokens to other card)

A PAN updated event is generated when the transfer with the network has concluded.

During update, Pismo sends the new token PAN information to the network, which can then update its own data and, if necessary, pass it to the wallets. If an error occurs during notification, Pismo considers the transfer as not being made and a new issuer update request is necessary.

Work with your network to make sure this functionality is available.

Getting started

Follow these general steps to tokenize your cards for third-party wallets such as Google or Apple Pay.

Step 1 - Business planning

Research the marketplace and speak to your Pismo and network representatives about what you would like to do including what wallets you want to offer to your cardholders.

Define your implementation process and consider the following:

• Authentication methods you want to implement.
• Whether you want to code your own anti-fraud webhook
• Familiarize yourself with Pismo's tokenization endpoints and determine how and when you are going to call them

Step 2 - Register with your wallet provider and card network

Register with your wallet provider as a participating issuer. During the registration process, you will need to provide information about your company, your card products, and your technical capabilities.

After registration, you need to obtain certifications from the card networks and your wallet provider to validate your integration and compliance with their respective standards. This can be part of Card network certification.

Step 3 - Implement the Pismo events stream

During tokenization, you'll need to monitor the events stream for tokenization flows. This involves setting up your data reporting and monitoring to receive notifications about tokenization events such as token creation, suspension, and deletion.

Step 4 - Configure Pismo tokenization

Pismo tokenization parameters are configured on a program basis. For most implementations it is necessary to exchange keys or certificates with the network. Talk to your Pismo representative and get the necessary information to precede with configuration and security.

Step 5 - Test and launch

After completing the integration, perform testing to ensure that your tokenized cards work correctly with your digital wallet provider.