PCI Proxy Dashboard ↗️Status Page

Use Network Tokens

Using Network Tokens in your payment infrastructure.

Suggest Edits

For compatible issuing banks and third-party receivers, Network Tokens can be used like regular FPANs to authorize payment transactions. Our Forward Proxy can be used to forward Network Tokens, including cryptograms, to the receiver of your choice. Depending on what your receiver is able to receive (Network Token or FPAN) and the format of the payload which you send to PCI Proxy, we can determine which of the two to send to the target.

📘

For PCI DSS level 1 compliant merchants we also offer to the option to receive plain Network Tokens and cryptograms via the Vault API detokenisation endpoint.

PCI Proxy to Network Token

When converting in this direction, we also request a new cryptogram at the schemes on the fly. Additionally, we also create other required values and populate them directly in your API request before forwarding it to the receiver. Such values may include the expiry rate, the ECI value of a Network Token, or token type.

Customer initiated payments

For these transactions, a cryptogram needs to be created at the point of authorization. This is because a cryptogram has a limited lifespan and must be sent to the payment service provider along with the Network Token.

Example: forwarding Network Tokens to the Datatrans Payment Gateway

1. Add the integration

Navigate to the Integrations menu in the Dashboard and add the relevant receiver for your project.

Add your Receiver integration in the Dashboard.

Add your Receiver integration in the Dashboard.

2. Check the integration

Check the Integration settings to see if it is ready to accept both Network Tokens and PANs. Review the payloads listed in the settings.

Check the payloads listed in the Settings.

Check the payloads listed in the Settings.

📘

If there is no Network Token payload in the integration, request a new integration.

Alternatively, reach out to us to provide us with the required information.

3. Build your request

Prepare your request payload according to what the receiver expects and send it to the forward proxy. The following examples convert a PCI Proxy token to either a Network Token or a PAN.

curl --request POST \
  --url https://sandbox.pci-proxy.com/v1/pull \
  --header 'Authorization: Basic {Datatrans merchantId}:{Datatrans password}' \
  --header 'Content-Type: application/json' \
  --header 'X-CC-MERCHANT-ID: {{pciProxyMerchantID}}' \
  --header 'X-CC-URL: https://api.sandbox.datatrans.com/v1/transactions/authorize' \
  --header 'pci-proxy-api-key: {{pciProxyApiKey}}' \
  --data '{
	"currency": "EUR",
	"amount": 1000,
	"refno": "test_nt",
	"card": {
		"type": "NETWORK_TOKEN",
		"token": "7LHXscqwAAEAAAGECbvb7UQKOtZpAL2C",
		"expiryMonth": "",
		"expiryYear": "",
		"tokenType": "",
		"cryptogram": "",
		"3D": {
			"eci": ""
		}
	}
}'

curl --request POST \
  --url https://sandbox.pci-proxy.com/v1/pull \
  --header 'Authorization: Basic {Datatrans merchantId}:{Datatrans password}' \
  --header 'Content-Type: application/json' \
  --header 'X-CC-MERCHANT-ID: {pciProxyMerchantId}' \
  --header 'X-CC-URL: https://api.sandbox.datatrans.com/v1/transactions/authorize' \
  --header 'pci-proxy-api-key: {{pciProxyAPIKey}}' \
  --data '{
  "currency": "EUR",
  "amount": 1000,
  "refno": "test_PAN",
  "card": {
    "number": "7LHXscqwAAEAAAGECbvb7UQKOtZpAL2C",
    "expiryMonth": "02",
    "expiryYear": "23"
    }
}'

As you can see, the payload structure is different if the target (in this case, the Datatrans Authorize endpoint) consumes Network Tokens or PANs.

For the Network Token example, you only need to send us the PCI Proxy token and leave the other Network Token fields empty in the payload, as we will take care of them. When cryptogram and eci value are requested, we write them, along with the rest of the missing values, such as expiryMonth, expiryYear and tokenType , all to empty fields before forwarding them to the target URL configured on the receiver.

📘

When testing in our sandbox, we recommend using the Traffic Inspector feature to see what PCI Proxy is converting to and what is being forwarded to the target's endpoint.

Example: request plain Network Tokens and cryptogram

1. Request access

As we are returning sensitive payment information this feature is only available by request and subject to approval by us. In any case you need to be a certified PCI DSS level 1 merchant. Please get in touch with our team to activate it for you.

2. Example request

Specify in your request if you want to de-tokenise into a Network Token and/or cryptogram. 

curl -L -X POST 'https://api.sandbox.datatrans.com/v1/aliases/detokenize' \
-H 'Authorization: Basic {PCIP merchantId}:{API password}' \
-H 'Content-Type: application/json' \
--data-raw '{
    "requests": [
        {
            "type": "CARD",
            "alias": "WCCx4SHgAAEAAAGJCu5p4HzJVqexAKTm",
            "networkTokenOptions": {
                "returnNetworkToken": true,
                "returnCryptogram": true
            }
        }
    ]
}'

{
    "overview": {
        "total": 1,
        "successful": 1,
        "failed": 0
    },
    "responses": [
        {
            "type": "CARD",
            "networkToken": {
                "token": "4622829030002523",
                "cryptogram": "AgAAAAAA51AlmmsAmZpHgrgAAAA=",
                "eci": "07",
                "expiryMonth": "07",
                "expiryYear": "27"
            }
        }
    ]
}

Updated 2 months ago