Network Tokenization
Network Tokenization is a technology offered by major card schemes (e.g., Visa, Mastercard) that replaces the Primary Account Number (PAN) with a scheme-issued token, also known as a Token Account Number (TAN), along with a transaction cryptogram. This token acts as a secure replacement for the actual card number during online transactions.
By integrating with Token Service Providers (TSPs) such as Visa Token Service (VTS) and Mastercard Secure Card on File (SCOF), Amazon Payment Services enables merchants to request, store, and use network tokens on behalf of their customers, improving both security and performance of e-commerce payments.
How Network Tokenization Works
The network tokenization process follows these steps:
Card Information Collection
The customer provides their card details during the initial transaction or card enrollment process.
Token Request
Amazon Payment Services requests a network token from the appropriate Token Service Provider (TSP) based on the card scheme.
Token Generation
The TSP generates a unique network token and cryptogram that replaces the sensitive PAN data.
Secure Storage
The network token is securely stored and linked to the customer's account for future transactions.
Transaction Processing
For subsequent payments, the network token and cryptogram are used instead of the original card details.
Key Features
Improved Authorization Rates
Automatically updates card details (e.g., expiry date, replacement PANs) to reduce declines and increase conversion rates.
Enhanced Security
Replaces sensitive PAN data with secure tokens, significantly reducing risk exposure and fraud rates by an average of ~26%.
Frictionless Experience
Supports richer UX with features like card art and product name, creating a seamless customer experience.
Reduced PCI Scope
Minimizes PCI-DSS compliance scope by reducing the storage and transmission of sensitive card data.
Types of Network Tokenization
Amazon Payment Services supports different types of network tokenization to meet various business needs:
Amazon Payment Services-Managed Network Tokenization
In this model, Amazon Payment Services handles the entire tokenization process on behalf of the merchant. Amazon Payment Services manages the relationship with Token Service Providers and automatically handles token lifecycle management, including updates and renewals.
Key Features:
- Automatic token provisioning and management
- Seamless integration with existing payment flows
- Built-in token lifecycle management
- No additional merchant setup required
External Network Tokenization
External network tokenization is only available for PCI-certified integrations. Merchants must have valid PCI DSS certification to use this feature, as it involves handling sensitive network token data directly.
In this model, Amazon Payment Services allows the merchant to share network token details as part of the purchase request. Amazon Payment Services validates the token details and passes them to the processor.
Prerequisites
Before implementing external network tokenization with Amazon Payment Services, you must complete the following prerequisites:
Account Activation
Ensure that external network tokenization is activated on the account.
Token Authority Integration
Complete integration with the external token authority service provided by the card scheme.
PAN Provisioning
Provision the PANs to obtain the corresponding network tokens.
Cryptogram Generation
Generate cryptograms for the network tokens prior to sending them to Amazon Payment Services.
Webhook Setup
Set up a notification webhook to receive updates from the schemes regarding any changes to card or token statuses.
Implementation Steps
Token Acquisition
When a new customer starts a payment, collect the card number and send it to the token authority to obtain its network token.
Token Storage
Save the card and its token securely in your system.
Cryptogram Preparation
Prepare cryptogram values for the transaction.
Payment Processing
Pass these values to Amazon Payment Services to be submitted in the payment payload.
Request Sample
{
  "command": "PURCHASE",
  "access_code": "your_access_code",
  "merchant_identifier": "your_merchant_id",
  "merchant_reference": "ORD-12345-2024",
  "amount": "2000",
  "currency": "AED",
  "customer_email": "customer@example.com",
  "card_number": "4005550000000001",
  "expiry_date": "2105",
  "card_security_code": "123",
  "card_holder_name": "John Smith",
  "language": "en",
  "recurring_mode": "UNSCHEDULED",
  "agreement_id": "123",
  "network_token": {
    "token": "4111111111111111",
    "token_expiry_date": "2105",
The cryptogram is a base64-encoded string with a maximum length of ~28–40 characters. It is a one-time-use security code generated by the card network (e.g., Visa, Mastercard) when a network token is used for a transaction, and it should be unique for each transaction, even with the same network token.
For detailed parameter specifications, refer to our Network Tokenization API Reference.
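The cryptogram rules described above (base64-encoded, roughly 28–40 characters, never reused with the same network token) can be checked on the merchant side before a purchase request is built. The following is an added example, not Amazon Payment Services code; `CryptogramGuard`, its method names and the use of 28 and 40 as hard length bounds are assumptions made for illustration.

```python
import base64
import binascii
import hashlib

# Bounds taken from the "~28-40 characters" figure above; treating them as
# hard limits is an assumption of this example, not a documented rule.
MIN_LEN, MAX_LEN = 28, 40


class CryptogramGuard:
    """Pre-submission checks for a network-token cryptogram (hypothetical helper)."""

    def __init__(self):
        # Only digests of used (token, cryptogram) pairs are kept, never raw values.
        self._seen = set()

    @staticmethod
    def _digest(token, cryptogram):
        return hashlib.sha256(f"{token}|{cryptogram}".encode()).hexdigest()

    def check(self, token, cryptogram):
        """Return a list of problems; an empty list means the pair may be sent."""
        problems = []
        if not (token.isdigit() and token.isascii()):
            problems.append("token is not numeric")
        if not MIN_LEN <= len(cryptogram) <= MAX_LEN:
            problems.append("cryptogram length outside expected range")
        try:
            # validate=True rejects characters outside the base64 alphabet.
            base64.b64decode(cryptogram, validate=True)
        except (binascii.Error, ValueError):
            problems.append("cryptogram is not valid base64")
        if self._digest(token, cryptogram) in self._seen:
            problems.append("cryptogram already used for this token")
        return problems

    def mark_used(self, token, cryptogram):
        """Record a cryptogram once the payment request has been sent."""
        self._seen.add(self._digest(token, cryptogram))


# Constructed sample values (not real credentials): the token is the one from
# the request sample, the cryptogram is base64 of 20 arbitrary bytes.
SAMPLE_TOKEN = "4111111111111111"
SAMPLE_CRYPTOGRAM = base64.b64encode(bytes(range(20))).decode()

if __name__ == "__main__":
    guard = CryptogramGuard()
    print(guard.check(SAMPLE_TOKEN, SAMPLE_CRYPTOGRAM))  # first use
    guard.mark_used(SAMPLE_TOKEN, SAMPLE_CRYPTOGRAM)
    print(guard.check(SAMPLE_TOKEN, SAMPLE_CRYPTOGRAM))  # same value again
```

The in-memory set covers a single process only; an integration running several workers would need to share the used-cryptogram digests between them.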
Go Live
Test your network tokenization integration using our test card numbers and make sure to visit our go-live checklist to go live with your integration.
Support
Need assistance with network tokenization implementation? Contact our technical support team at merchantsupport-ps@amazon.com.