Token Management Service
Developer Guide

This developer guide is written for merchants who want to tokenize customers’ sensitive personal information and eliminate payment data from their networks to ensure that it is not compromised. The purpose of this guide is to help you create and manage tokens.

Conventions

These special statements are used in this document:
IMPORTANT
An Important statement contains information essential to successfully completing a task or learning a concept.
WARNING
A Warning contains information or instructions, which, if not heeded, can result in a security risk, irreversible loss of data, or significant cost in time or revenue or both.

Related Documentation

Refer to the Technical Documentation Hub in the Cybersource Developer Center for additional technical documentation:

Customer Support

For support information about any service, visit the Support Center:

Recent Revisions to This Document

24.11

Instrument Identifier Tokens
Added push provisioning to the list of supported features for instrument identifier tokens. See Instrument Identifier Tokens.
Message-Level Encryption Keys
Added a statement about creating MLE keys for multiple merchants. See Message-Level Encryption Keys.
Network Tokens
Added support for push provisioning for network tokens. See Push Provisioning for Network Tokens.
Test Card numbers
Updated the list of test card numbers for network token provisioning. See Test Card Numbers.
Token Requestor IDs
Added steps for entering the acquirer ID during token requestor ID enrollment. See Token Requestor IDs.
Token Management Service Workflows
Added a workflow for push provisioning. See Push Provisioning Process.

24.10

BIN Request
Added support for retrieving BIN details in a TMS request. See BIN Lookup Service and TMS.
Network Tokens
Added support for deleting a standalone network token. See Delete a Standalone Network Token.
HTTP Status Codes
Added the 502 HTTP status code. See HTTP Status Codes.

24.09

Unmasked Payment Details
Network Tokens
Added support for provisioning a network token for a card and consumer ID. See Provision a Network Token for a Consumer.
Added support for provisioning a network token for a token. See Provision a Network Token for a Token.
Added support for retrieving a network token. See Retrieve a Standalone Network Token.
Added EXPIRED as a network token status. See Network Token Life-Cycle Management.
Message-Level Encryption Keys
Added information about extracting the public key. See Message-Level Encryption Keys.

24.08

Test Card Numbers
Updated test card numbers for provisioning network tokens. See Test Card Numbers.

24.07

Card Art
Added support for retrieving card art for an instrument identifier token. See Card Art.
Token Vault Management
Added support for configuring token vault access and network tokenization using the Business Center. See Configure the Token Vault Access Using the Business Center and Configure Network Tokenization Using the Business Center.

24.06

Enrollable Tokens
Added support for creating an instrument identifier token for an enrollable token. See Create an Instrument Identifier for Enrollable Network Tokens.
Instrument Identifier Tokens
Added information on enrollable tokens to instrument identifier token overview. See Instrument Identifier Tokens.
Network Tokens
Updated terms of use for network tokens to include Card Art. See TERMS OF USE APPLICABLE TO CARD NETWORK TOKENS.
Token Vault Management
Added support for using the Business Center to configure a token vault. See Configure the Token Vault Settings Using the Business Center.

24.05

Network Tokens
Updated terms of use for network tokens. See TERMS OF USE APPLICABLE TO CARD NETWORK TOKENS.
Added note for processing network tokens with American Express. See Network Tokens.

24.04

Network Tokens
Added terms of use for network tokens. See TERMS OF USE APPLICABLE TO CARD NETWORK TOKENS.

24.02

Message-Level Encryption Keys
Added information about creating message-level encryption keys. See Creating a Message-Level Encryption Key.
Token Management Service Introduction
Updated the graphic in the introduction to Token Management Service. See Introduction to the Token Management Service.
Instrument Identifier Tokens
Added an example for authorizing a payment using an instrument identifier and creating tokens. See REST Example: Authorizing a Payment with an Instrument Identifier While Creating TMS Tokens.

24.01

Added Network Token Life-Cycle Management reports. See Network Token Life-Cycle Management Reports.

VISA Platform Connect: Specifications and Conditions for Resellers/Partners

The following are specifications and conditions that apply to a Reseller/Partner enabling its merchants through Cybersource for Visa Platform Connect (“VPC”) processing. Failure to meet any of the specifications and conditions below is subject to the liability provisions and indemnification obligations under Reseller/Partner’s contract with Visa/Cybersource.
  1. Before boarding merchants for payment processing on a VPC acquirer’s connection, Reseller/Partner and the VPC acquirer must have a contract or other legal agreement that permits Reseller/Partner to enable its merchants to process payments with the acquirer through the dedicated VPC connection and/or traditional connection with such VPC acquirer.
  2. Reseller/Partner is responsible for boarding and enabling its merchants in accordance with the terms of the contract or other legal agreement with the relevant VPC acquirer.
  3. Reseller/Partner acknowledges and agrees that all considerations and fees associated with chargebacks, interchange downgrades, settlement issues, funding delays, and other processing related activities are strictly between Reseller and the relevant VPC acquirer.
  4. Reseller/Partner acknowledges and agrees that the relevant VPC acquirer is responsible for payment processing issues, including but not limited to, transaction declines by network/issuer, decline rates, and interchange qualification, as may be agreed to or outlined in the contract or other legal agreement between Reseller/Partner and such VPC acquirer.
DISCLAIMER: NEITHER VISA NOR CYBERSOURCE WILL BE RESPONSIBLE OR LIABLE FOR ANY ERRORS OR OMISSIONS BY THE VISA PLATFORM CONNECT ACQUIRER IN PROCESSING TRANSACTIONS. NEITHER VISA NOR CYBERSOURCE WILL BE RESPONSIBLE OR LIABLE FOR RESELLER/PARTNER BOARDING MERCHANTS OR ENABLING MERCHANT PROCESSING IN VIOLATION OF THE TERMS AND CONDITIONS IMPOSED BY THE RELEVANT VISA PLATFORM CONNECT ACQUIRER.

TERMS OF USE APPLICABLE TO CARD NETWORK TOKENS

The following terms and conditions govern your use, receipt and/or possession of Card Network Tokens.
  1. DEFINITIONS.
    Capitalized terms used herein shall have the following meanings:
    1. “Card Network PAN” means a number that is associated with a Payment Network for purposes of card transactions, all in accordance with Payment Network Rules.
    2. “Card Network Token” means a number provided by Cybersource pursuant to your use of Token Management Service (“TMS”) that (i) is mapped to and is a surrogate for a Card Network PAN; and (ii) to use the underlying Card Network PAN number in accordance with the Cybersource Documentation.
    3. “Payment Network Rules” means the operating rules, bylaws, schedules, supplements and addenda, manuals, instructions, releases, specifications and other requirements, as may be amended from time to time, of any of the Payment Networks.
    4. “Payment Network(s)” means Visa, MasterCard, American Express, Discover Financial Services, and any affiliates thereof or any other payment network applicable to these Terms.
  2. LIMITATIONS ON USE OF CARD NETWORK TOKENS.
    You agree to the following with respect to your use, receipt and/or possession of Card Network Tokens:
    1. You shall not maintain or create a mapping of the Card Network Token to the associated Card Network PAN.
    2. Upon request by Cybersource and/or the applicable Payment Network, you shall use commercially reasonable efforts to delete any or all of the Card Network Tokens. You acknowledge and agree that Cybersource or the applicable Payment Network may request that you delete any Card Network Token at their sole discretion.
    3. You shall not initiate any transaction with a Card Network Token without appropriate consent from and disclosures to the cardholder, including any necessary consents in order for the applicable Payment Network to receive, store, process and share any data in order to deliver the token service. Except as authorized in accordance with the applicable Payment Network Rules, you must use the Card Network Token only for transactions that are authorized, cleared and settled through the applicable Payment Network.
    4. You shall not use a Card Network Token in a manner that a Card Network PAN cannot be used under the applicable Payment Network Rules. You agree that your responsibility for use of Card Network Tokens is the same as your responsibilities for use of Account Numbers under the applicable Payment Network Rules.
    5. You agree that the Payment Network Rules govern your relationship with the applicable Payment Network and use of Card Network Tokens as if the Card Network Tokens were Card Network PANs. You must comply with all applicable Payment Network Rules, as determined by the applicable Payment Network.
    6. You agree that any Card Network Tokens will be stored in compliance with PCI-DSS and such storage is subject to your representations and warranties set forth in the applicable agreement between you and Cybersource.
    7. If you are a Reseller or Partner, to enable American Express Network Tokens, you must have a direct acquiring or processing agreement signed with American Express in order to support American Express Network Tokens on behalf of your merchants.
  3. CARD ART.
    Cybersource may pass through rights allowing you to use, reproduce, display and provide issuers’ trademarks and issuer-provided card art (collectively, "Issuer IP") on a non-exclusive basis in strict accordance with the meta-data made available to you and such issuers’ branding guidelines (which may be updated by issuer from time to time), for use and display solely for use with Card Network Tokens provisioned via TMS. You agree that you will not and will not cause your affiliates or agents to alter the meta-data in any way.