Tokenizing cards

Saving and Reusing Cards

With Cartão Protegido , you can safely save your client's credit card in accordance with the PCI standards. The API saves and encrypts card data (holder name, number, flag and expiration date) into a token, which we call CardToken.

The token enables the sending and processing of transactions and guarantees the integrity of stored cards. In addition, we generate a new token for each transaction from the same buyer.

In addition to generating a card token, you can associate a name (identifier in text format) with the saved card. This identifier will be the Alias.

Warning: The Protected Card does not save the card's CVV. Therefore:

• The buyer must fill in the CVV for each transaction;
• Your store can carry out transactions without the CVV as long as it is authorized by the acquirer.

⚠️

For safety reasons, it's only possible to save cards that pass the Luhn Algorithm, also known as "mod10".

ℹ️

Important

• This feature is valid for credit cards;
• It is possible to tokenize credit cards in the e-wallet, whether they are encrypted or decrypted. The merchant must have the tokenization service contracted and the SaveCard parameter must be set to "true".

Saving a card during authorization

To save a credit card used in a transaction, simply send the Payment.SaveCard parameter as "true" in the standard authorization request. The card number used can be validated using the mod10 technique, explained in this article.

Below you can see the representation of the transactional flow with the token request via the Payment Gateway API:

See also direct tokenization flows with the API Cartão Protegido, with the API VerifyCard services option.

Creating a Card Token Transaction

This is an example of how to use the previously saved CardToken to create a transaction.

For security reasons, a CardToken doesn't include the Security Code (CVV). Therefore, you must request this information from the holder for each new transaction. If your merchant location is set to "recurring", you can submit transactions without the CVV.

To transact without the CVV, request authorization from your acquirer.

The CreditCard node inside the Payment node will send the CardToken.

Creating a Transaction with Alias

This is an example of how to use the previously saved Alias to create a transaction. The Alias ​​is a name (identifier in text format) associated with the saved card.

For security reasons, an Alias ​​does not store the Security Code (CVV). Therefore, your application needs to request this information from the holder for each new transaction and send the CVV in the CreditCard.SecurityCode field.

To transact without the CVV, request authorization from your acquirer.

Exporting and importing card tokens

You are able to export card tokens (CardToken) stored in the vault for use in other payment providers and also to to Cielo the tokenized cards created by your store in other tokenization services.

• Exporting a card token: when the merchant exports their card tokens token to be used in other payment providers. This process is subject to charges, and there are other requirements such as signing a responsability agreement, inform the PCI DSS certificate for the token destination entity, prepare the SFTP environment, provide a public PGP key and inform the credentials. For further information about this process, plase refer to Exportação de tokens do Cartão Protegido or contact Support;
• Importing a card token: when the merchant imports card tokens created in any other tokenization service to Braspag. In order to import a set of card tokens, the merchant must list every card token in a layout provided by Braspag, prepare the SFTP environment, inform the credentials and use the public Braspag/Cielo PGP key. For further information about this process, contact Support.

To ensure the export and import process is secure, we use PGP encryption. Please copy below the Braspag/Cielo public key to import tokens.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: User-ID:  Infra Estrutura <[email protected]>
Comment: Created:  6/1/2016 3:50 PM
Comment: Type:  2,048-bit RSA (secret key available)
Comment: Usage:  Signing, Encryption, Certifying User-IDs
Comment: Fingerprint:  79F726DE4826AA22D889C2A23EF692D49108FBCA


mQENBFdPLo0BCADTvdf6RVTu+FR9Wdh0KFEfMKT0/WWSoVHyqZ0yCw5vBLnu8U43
ooEFQd3vaFB8jMEDLfbZOFeHUjk9KdRbvfmoJuidG+smIHvcBwOIwmKL0A46Yp1w
saDIMUWK8WQdmghoQDJr4Rfsl/lkS1fSVfVM7Mu4uiHS6+TiEIjkF2mSzvLUccgq
chI63rEP7Tbdaa4IP6R618+o8Wyeq/Obm6ZVTtCbHdbtkJRbkvmfLbUvNbkkvhZJ
fNBcsaK1UjwoHDpTicLF7c9B8mWaTMO+NMTSfQCuELpEaYJ939WXshHO8U4DOojn
nbzWM154sTcOBTIiwI6LnYlg2zHgKLgMZkvBABEBAAG0LkluZnJhIEVzdHJ1dHVy
YSA8aW5mcmEuc3Vwb3J0ZUBicmFzcGFnLmNvbS5icj6JATkEEwEIACMFAldPLo0C
GwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRA+9pLUkQj7ys0FB/kB04px
GFmmOHQDTmCnhZenjuIJeRz0CiCnltPqy9Iwuy2wZDctfBTOZ0c7oLADEgSnNE09
kJH9YdTFVvi6iJavlzOCkWqVs7pLKgxFJ05QE5BGI3h5iIJDFPX4+bnrntH0Ae4j
244zL9NWHEK6tzRYDYud5JeaBxNCgkrHf0PPGEZ3kKZBPXmcJO0xLgVpMc6hY40p
NY/KRw7CBmhLsjGnJb3C113valX7Ut/STicfdz7cKWDBqVjFcUewkDDAB+QhvYPB
LlRFDzmYSc5TOKhDPaz/OeQ/rCAFdkWNv4TOw6VhngS1bptZb/hxcVMrf0CWNQhp
kHXRCkP28Xaxg9mYuQENBFdPLo0BCADEyPLelCOIMmoBRPkj4dYeH/JHnVHbUcT4
H+aBwRYXpI8RALshW2C9rIffRyaTvz9qCApC0lQNQdfLvnWyuhj/RcgTVB6/+kno
KHWK6r4ftXdDzwXdfjFM23rfIq4OlU8+gvdY6Mr74UuiXuI9hNxEyaXjw5vmbgdV
Gcb5lHOgzzrt1zwKhu8znQJobTgUHovDxQ8Rz3Q3kfjeE6+fnpxYQ4NI93St5c5P
BLsRBPpVs6M7aREHvkmX0Xj5GP/QVgX7k/0Cshz3pbc4z78RIx2dtOGhUzPFKIJq
SVSexeorb2agT/9PBx8rbuoq3YGlDj1SFBMiJazinw3sGubUAN53ABEBAAGJAR8E
GAEIAAkFAldPLo0CGwwACgkQPvaS1JEI+8r9mggAzS/ceU8sLDr1QUAHXRV8iL69
Jo8Io4Jx6Q2PGJaVAx4to/UetkWUpVvuEYBtajh+RnonVk1+By7dx4GX0Kz90Fm8
wCQtXMC6mVSXnAl17zWIfw6zS+s1x7Tv4fSdXPLdZYE0EZoGKpxboVH0FpdxW6kX
0HZ+cjGBkHZhN7ZidYKdfP4PmTv50jJCQxPyQ7ZR+XXGTuelG+P/Y7EJJmVymu6F
lxOLUh3DFk4mM5AdEvxglH9fN4j4W0r2jVt3TTvxDGzB3DcFPL5a75hxK4GJpLwM
46sGNVcx+IJeLWadggFONy2tM8cfKZsDS0VlFq/BrJmdv/vDn9MkZxZH10faDQ==
=LLpM
-----END PGP PUBLIC KEY BLOCK-----