Tokenizing cards
Saving and Reusing Cards
With Cartão Protegido , you can safely save your client's credit card in accordance with the PCI standards. The API saves and encrypts card data (holder name, number, flag and expiration date) into a token, which we call CardToken.
The token enables the sending and processing of transactions and guarantees the integrity of stored cards. In addition, we generate a new token for each transaction from the same buyer.
In addition to generating a card token, you can associate a name (identifier in text format) with the saved card. This identifier will be the Alias.
Warning: The Protected Card does not save the card's CVV. Therefore:
- The buyer must fill in the CVV for each transaction;
- Your store can carry out transactions without the CVV as long as it is authorized by the acquirer.
For safety reasons, it's only possible to save cards that pass the Luhn Algorithm, also known as "mod10".
Important
Saving a card during authorization
To save a credit card used in a transaction, simply send the Payment.SaveCard parameter as "true" in the standard authorization request. The card number used can be validated using the mod10 technique, explained in this article.
Below you can see the representation of the transactional flow with the token request via the Payment Gateway API:
See also direct tokenization flows with the API Cartão Protegido, with the API VerifyCard services option.
Creating a Card Token Transaction
This is an example of how to use the previously saved CardToken to create a transaction.
For security reasons, a CardToken doesn't include the Security Code (CVV). Therefore, you must request this information from the holder for each new transaction. If your merchant location is set to "recurring", you can submit transactions without the CVV.
To transact without the CVV, request authorization from your acquirer.
The CreditCard node inside the Payment node will send the CardToken.
Creating a Transaction with Alias
This is an example of how to use the previously saved Alias to create a transaction. The Alias is a name (identifier in text format) associated with the saved card.
For security reasons, an Alias does not store the Security Code (CVV). Therefore, your application needs to request this information from the holder for each new transaction and send the CVV in the CreditCard.SecurityCode field.
To transact without the CVV, request authorization from your acquirer.
Exporting and importing card tokens
You are able to export card tokens (CardToken) stored in the vault for use in other payment providers and also to to Cielo the tokenized cards created by your store in other tokenization services.
- Exporting a card token: when the merchant exports their card tokens token to be used in other payment providers. This process is subject to charges, and there are other requirements such as signing a responsability agreement, inform the PCI DSS certificate for the token destination entity, prepare the SFTP environment, provide a public PGP key and inform the credentials. For further information about this process, plase refer to Exportação de tokens do Cartão Protegido or contact Support;
- Importing a card token: when the merchant imports card tokens created in any other tokenization service to Braspag. In order to import a set of card tokens, the merchant must list every card token in a layout provided by Braspag, prepare the SFTP environment, inform the credentials and use the public Braspag/Cielo PGP key. For further information about this process, contact Support.
To ensure the export and import process is secure, we use PGP encryption.
Download the Braspag/Cielo public key to import tokens.
Updated 3 months ago