This Server-to-Server guide describes how you can store the data, create an external token
with the third party vendor and then use the token for the payment.
To collect card data, you must be PCI-DSS compliant. To minimize your compliance requirements,
please use COPYandPAY External Tokens.
The merchant collects card data from the shopper and initiates external tokenization. No payment request/flow is involved.
An external token is synchronously created with the third party vendor and returned to the merchant along
with the registration token. Either the registration token or the external token can then be used in
subsequent payments.
Send the tokenization request to the external third party vendor.
Transactions:
1. Create the token
Perform a server-to-server POST request with createToken=EXTERNAL and the required customer data,
but excluding paymentType. The response to a successful request contains an id and a
tokenAccount.number; store one of them for use in subsequent payments.
Sample request:
Tokenization during payment
The merchant collects card data from the shopper and initiates tokenization along with an account verification (zero amount auth) or
initial purchase. An external token is synchronously created with the third party vendor and returned to the merchant along with the
registration token once payment is complete. Either the registration token or the external token can then be used in
subsequent payments.
Send the tokenization request to the external third party vendor once the payment ends successfully.
Transactions:
1. Create the token during payment
Perform a server-to-server POST request with createToken=EXTERNAL and all required payment and customer
data, including payment type, amount and currency. The response to a successful request contains a registrationId and a
tokenAccount.number; store one of them for use in subsequent payments.
Sample request:
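As an added example (not part of the original guide or the vendor's own code), the Python below checks the two tokenization request shapes described above (standalone and during payment), masks card data before a request is logged, and reads both tokens from a parsed response. The entityId and card.* field names, the nested tokenAccount response object and all sample values are assumptions.

```python
# Assumed names (not from the guide): entityId, the card.* fields, and
# tokenAccount arriving as a nested JSON object in the response.
PAYMENT_FIELDS = ("paymentType", "amount", "currency")


def build_tokenization_fields(customer, payment=None):
    """Request fields for createToken=EXTERNAL.

    payment=None -> standalone tokenization: paymentType must be absent.
    payment=dict -> tokenization during payment: paymentType, amount
                    and currency are all required.
    """
    fields = {"createToken": "EXTERNAL", **customer}
    if payment is None:
        if "paymentType" in fields:
            raise ValueError("standalone tokenization must not send paymentType")
        return fields
    missing = [k for k in PAYMENT_FIELDS if not payment.get(k)]
    if missing:
        raise ValueError("missing payment fields: " + ", ".join(missing))
    return {**fields, **payment}


def redact(fields):
    """Copy of the fields that is safe to log: PAN cut to last 4, CVV masked."""
    out = dict(fields)
    if "card.number" in out:
        out["card.number"] = "*" * 12 + out["card.number"][-4:]
    if "card.cvv" in out:
        out["card.cvv"] = "***"
    return out


def extract_tokens(response, during_payment):
    """Return (registration token, external token) from a parsed response.

    Per the guide, standalone tokenization returns the registration token
    as id; tokenization during payment returns it as registrationId.
    """
    registration = response.get("registrationId" if during_payment else "id")
    external = response.get("tokenAccount", {}).get("number")
    if not registration or not external:
        raise ValueError("response does not carry both tokens")
    return registration, external


# Constructed sample input; the card number is a dummy value.
CUSTOMER = {"entityId": "ENTITY_ID_PLACEHOLDER", "card.number": "4200000000000000",
            "card.expiryMonth": "12", "card.expiryYear": "2034", "card.cvv": "123"}
```

Log only the output of redact(); the unredacted fields belong in the request body and nowhere else.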
Payment via registration token
The merchant has the registration token stored and initiates a subsequent payment based on the card-on-file agreement available
with the shopper. It can be a cardholder (CIT) or merchant (MIT) initiated payment transaction. The authorization with the third
party vendor will be performed with the external token linked to the registration token.
Send the payment request using the stored registration token (shopper is not present) that has the external token linked.
Transactions:
1. Send payment using the registration token
Perform a server-to-server POST request over the stored registration token with all required payment and customer data,
including payment type, amount and currency.
Sample request:
Payment with external token
The merchant has the external token stored and initiates a subsequent payment based on the card-on-file agreement available
with the shopper. It can be a cardholder (CIT) or merchant (MIT) initiated payment transaction. The authorization with the third
party vendor will be performed with the external token.
Send the payment request using the external token.
Transactions:
1. Send payment using the external token
Perform a server-to-server POST request using the tokenAccount.number as a third party vendor external token with all required payment and customer data,
including payment type, amount and currency.
Sample request:
Update external token
The merchant has the registration token stored and initiates an external token update with the new collected raw card details.
The external token is linked to the registration token.
Send the update request to retain the token for a longer period of time.
Transactions:
1. Update token with new data
Perform a server-to-server POST request over the stored registration token with all the new collected card details.
Sample request:
Delete external token
The merchant has the registration token stored and initiates an external token deletion via the registration token.
The deleted token cannot be used anymore in subsequent payments.