Skip to main content

Network Tokenization

Network Tokenization is a technology offered by major card schemes (e.g., Visa, Mastercard) that replaces the Primary Account Number (PAN) with a scheme-issued token also known as a Token Account Number (TAN) along with a transaction cryptogram. This token acts as a secure replacement for the actual card number during online transactions.

By integrating with Token Service Providers (TSPs) such as Visa Token Service (VTS) and Mastercard Secure Card on File (SCOF), Amazon Payment Services enables merchants to request, store, and use network tokens on behalf of their customers, improving both security and performance of e-commerce payments.

How Network Tokenization Works

The network tokenization process follows these steps:

1

Card Information Collection

Customer provides their card details during the initial transaction or card enrollment process.

2

Token Request

Amazon Payment Services requests a network token from the appropriate Token Service Provider (TSP) based on the card scheme.

3

Token Generation

The TSP generates a unique network token and cryptogram that replaces the sensitive PAN data.

4

Secure Storage

The network token is securely stored and linked to the customer's account for future transactions.

5

Transaction Processing

For subsequent payments, the network token and cryptogram are used instead of the original card details.

Key Features

Improved Authorization Rates

Automatically updates card details (e.g., expiry date, replacement PANs) to reduce declines and increase conversion rates.

Enhanced Security

Replaces sensitive PAN data with secure tokens, significantly reducing risk exposure and fraud rates by an average of ~26%.

Frictionless Experience

Supports richer UX with features like card art and product name, creating a seamless customer experience.

Reduced PCI Scope

Minimizes PCI-DSS compliance scope by reducing the storage and transmission of sensitive card data.

Types of Network Tokenization

Amazon Payment Services supports different types of network tokenization to meet various business needs:

Amazon Payment Services-Managed Network Tokenization

In this model, Amazon Payment Services handles the entire tokenization process on behalf of the merchant. Amazon Payment Services manages the relationship with Token Service Providers and automatically handles token lifecycle management, including updates and renewals.

Key Features:

  • Automatic token provisioning and management
  • Seamless integration with existing payment flows
  • Built-in token lifecycle management
  • No additional merchant setup required

External Network Tokenization

External network tokenization is only available for PCI certified integrations. Merchants must have valid PCI DSS certification to use this feature as it involves handling sensitive network token data directly.

Within this model Amazon Payment Services will give the merchant the privilege of sharing network token details as part of the purchase request. Amazon Payment Services will validate the token details and pass it to the processor.

Prerequisites

Before implementing external network tokenization with Amazon Payment Services, you must complete the following prerequisites:

1

Account Activation

Ensure that external network tokenization is activated on the account.

2

Token Authority Integration

Complete integration with the external token authority service provided by the card scheme.

3

PAN Provisioning

Provision the PANs to obtain the corresponding network tokens.

4

Cryptogram Generation

Generate cryptograms for the network tokens prior to sending them to Amazon Payment Services.

5

Webhook Setup

Set up a notification webhook to receive updates from the schemes regarding any changes to card or token statuses.

Implementation Steps

1

Token Acquisition

Once a new customer comes to process a payment, you will get the card number and send it to the authority to get its network token.

2

Token Storage

Save the card and its token securely in your system.

3

Cryptogram Preparation

Prepare cryptogram values for the transaction.

4

Payment Processing

Pass these values to Amazon Payment Services to be submitted in the payment payload.

Request Sample

{
"command": "PURCHASE",
"access_code": "your_access_code",
"merchant_identifier": "your_merchant_id",
"merchant_reference": "ORD-12345-2024",
"amount": "2000",
"currency": "AED",
"customer_email": "customer@example.com",
"card_number": "4005550000000001",
"expiry_date": "2105",
"card_security_code": "123",
"card_holder_name": "John Smith",
"language": "en",
"recurring_mode": "UNSCHEDULED",
"agreement_id": "123",
"network_token": {
"token": "4111111111111111",
"token_expiry_date": "2105",

Cryptogram is a base64-encoded string with a maximum length of ~28–40 characters. It's a one-time-use security code generated by the card network (e.g., Visa, Mastercard) when using a network token for a transaction. It should be unique for each transaction even with the same network token.

For detailed parameter specifications, refer to our Network Tokenization API Reference.

Go Live

Test your network tokenization integration using our test card numbers and make sure to visit our go-live checklist to go live with your integration.

Support

Need assistance with network tokenization implementation? Contact our technical support team at merchantsupport-ps@amazon.com.

Was this page helpful?

Thanks for your feedback!