Tokens
A token is a unique string ID that references stored customer information (Wallet) or a customer's stored payment information (such as a credit card or an echeck). Tokens provide customers convenient, secure access to their billing, shipping, and payment information, making the checkout process faster and easier. For merchants, tokens provide a convenient method of collecting scheduled recurring payments.
PCI Compliance Requirements for Tokens
Merchants may choose to control their own token deployment model or use a tokenization service provider (TSP) like Forte to deploy a tokenization solution. Regardless of who controls the tokenization solution, it must adhere to the following PCI DSS requirements.
The tokenization solution
- Cannot provide PANs (i.e., credit or debit numbers) in any response to an application, network, system, or user outside the merchant/TSP-defined Cardholder Data Environment (CDE).
- Must be located on secure internal networks isolated from any untrusted and out-of-scope networks.
- Can only use trusted communications.
- Must enforce strong cryptography and security protocols to safeguard data when stored and during transmission over open, public networks.
- Must implement strong access controls and authentication measures in accordance PCI DSS requirements 7 and 8.
- Must adhere to strict configuration standards and be protected from vulnerabilities.
- Must support mechanisms for the secure deletion of cardholder data as required by a data-retention policy.
- Must implement logging, monitoring, and alerting as appropriate to identify any suspicious activity and initiate response procedures.
Forte's Tokenization Solution
The Forte platform supports tokens for customer (Wallet), payment ("paymethod"), and address data.
Customer Tokens (Wallets)
Customer tokens (Wallet) reference the following stored information:
- Paymethods token
- Billing address
- Shipping address
- Status
- First name
- Last name
- Company name
- Customer Id (External customer reference Id)
Paymethod Tokens
Paymethod tokens reference the following stored information within a permanent token (for recurring transactions) or a one-time-use token (for credit card transactions only):
- Label (customer-defined name for the payment method) (e.g., VISA - 1111)
- Status
- Credit card information (account number, expiration date, etc.)
- eCheck information (account number, routing number, account type, etc.)
NOTE: Paymethod tokens are associated with Customer Tokens when they're created. However, if no Customer Token is associated with a Paymethod Token when created, the Paymethod Token becomes clientless.
Address Tokens
Address tokens reference the following stored information:
- Label (customer-defined name for the address) (e.g., Home Address)
- First name
- Last name
- Company name
- Phone number
- Email address
- Address type
- Physical Address
- Street Line
- Locality
- Region
- Postal Code
Creating Tokens
Merchants can create customer and payment tokens in both Forte Checkout and the API web services.
Creating Tokens in Checkout
To create a token in Checkout, merchants must pass the following parameters in their button code:
"save_token"="true",
"customer_token"="",
"payment_token"=""
Forte returns the customer and payment tokens to the merchant in the callback message like the one displayed below:
{
"event":"success",
"method":"schedule",
"request_id":"5861c6fc-77ec-4ccd-ddf1-4aaf0eb309b2",
"version_number":"1.0",
"trace_number":"2648daca-bf23-4a1b-a789-44aa011e0ac6",
"customer_token":"10047617",
"payment_token":"14554238",
"total_amount":"5.00",
"signature":"31aa8d43c7f65092fcba9a0506b48dfd",
"utc_time":"635210891035249339",
"hash_method":"md5"
}
Creating Tokens Via Web Services
To create a token via web services, merchants make a POST
calls to one or both of the following endpoints:
/accounts/{id}/locations/{id}/customers
to create a customer token/accounts/{id}/locations/{id}/customers/{id}/paymethods
to create a paymethod token
The REST service creates the tokens and sends the values back to the merchant in a response call.
Token Compatibility
Tokens created in Forte Checkout or with Forte's RESTful web services are not compatible with products like Virtual Terminal, SWP, or Batch Transmission.
Token Sharing
Forte supports two models for sharing tokens:
- Sharing tokens across a Merchant’s Locations
- Sharing a parent Account’s tokens with a set of children Accounts (and corresponding Locations).
Method 1, sharing tokens across the Locations for a Merchant’s Account, works out-of-the-box with no additional setup required. Method 2, sharing a parent Account’s tokens with a set of children Accounts, requires a Partner relationship with Forte. We will need to provision you a special Partner Account where you will store the tokens that you intend to share with your children Merchant Accounts.
Method 1: Cross-Location Sharing
Merchants who have multiple Locations within their Account can use Cross-Location token sharing to share customer and payment information across each of their Locations. For example, a Merchant who is a national gym wants its members to be able to pay for goods and services at any of its locations without the need to re-capture payment information, which the gym already has tokenized and stored securely. With Cross-Location token sharing, any member can walk into any Location of the gym and have the exact same customer experience—whether they are in for a quick workout or if they need to purchase some incidentals that they may have left behind while traveling.
Method 2: Child Account Sharing
With this method, companies that operate a marketplace or act as an aggregator may share their stored customer and payment information with a multitude of sellers who are set up with their own processing Merchant Account. In this scenario, Forte sets up a partner with a Partner Account and all of the partner’s sub-merchants are set up immediately below the partner within a hierarchy as “child” Merchant Accounts. The Partner can now initiate Transactions to the child Merchant Accounts using the customer data that Forte stores at the Partner or “parent” level. NOTE: API access must be set at the Partner level in order to access data stored at the Partner level and initiate Transactions using the data that is tokenized at the Partner level.