Tokenisation is a security technology which replaces the sensitive 16-digit permanent
account number (PAN) that is typically embossed on a physical card with a unique payment
token (a digital PAN or DPAN) that can be used in payments and prevents the need to
expose or store actual card details. The DPAN is used to make purchases in the same way as
a normal Financial PAN (FPAN).
Tokenisation enables cardholders to access mobile wallet functionality — provided by
companies such as Apple and Android — which allows payments to be made in store from a
smart device such as a smartphone or tokenised device. Tokenisation also helps merchants
to improve the security of online payment transactions by replacing the sensitive PAN card
details with a token and storing this instead. The token can then be used for repeat or
Both Mastercard and Visa offer a tokenisation service to card issuers. Mastercard offer the
Digital Enablement Service (MDES) and Visa offer the Visa Token Service (VTS); GPS refer to
the Visa service as the Visa Digital Enablement Program (VDEP). GPS supports both of these
GPS do not share details of the FPAN or DPAN with Program Managers (GPS clients). When a card is created on the GPS system, we provide a unique public token that is linked to the card, and which can be used for queries and services on that card. The GPS public token is for internal use only between GPS and the Program Manager; it should not be confused with the payment token created during the tokenisation process.
Tokenisation requires the following participants:
The cardholder enrols with a mobile wallet provider or registers at an online merchant website.
The token requestor initiates the request to convert your cardholder’s Permanent Account
Number (PAN) into a digital token. Token requestors can be mobile wallets (such as
ApplePay) or online merchants (such as Netflix). Mastercard refer to the Token Requestor as
the “Wallet Provider”.
The Token Service Provider is the party that generates the token and securely maps the PAN
to a token. This is the Visa (VDEP) or Mastercard (MDES) systems that run the token service.
The issuer host is GPS, who receives the tokenisation request from Visa or Mastercard and
decides on whether to approve or decline. During the implementation phase of the project,
the issuer/Program Manager and GPS work together to set up and create the token service.
- The cardholder enrols their card with a token requestor (either an online merchant or a mobile Wallet provider).
- The token requestor requests a new token from the token service provider (Visa/Mastercard).
- The token service provider creates the payment token (DPAN), containing EMV and other card data, to replace the cardholder’s FPAN. The token service provider sends a Token Activation Request (TAR) to the issuer host (GPS).
- GPS decides if token activation can continue, based on the GPS Configuration Options set up for your programme. (See Token Authorisation Options below.)
- With GPS approval the token service provider (Visa/Mastercard) activates the new payment token and sends the newly created token to the token requestor.
- For an Online Merchant payment token, the token is stored for use on their website. For a Mobile Wallet payment token, it is installed on the phone for mobile Near Field Communication (NFC) use.
For more information on tokenisation, refer to the Tokenisation Service Guide.
Updated 3 months ago