Tokenisation is a security technology which replaces the sensitive 16-digit Primary Account Number (PAN) that is typically embossed on a physical card with a unique payment
token (a digital PAN or DPAN) that can be used in payments and prevents the need to
expose or store actual card details. The DPANis used to make purchases in the same way as
a normal Financial PAN (FPAN).
Tokenisation enables cardholders to access mobile wallet functionality — provided by
companies such as Apple and Android — which allows payments to be made in store from a
smart device such as a smartphone or tokenised device. Tokenisation also helps merchants
to improve the security of online payment transactions by replacing the sensitive PAN card
details with a token and storing this instead. The token can then be used for repeat or
Both Mastercard and Visa offer a tokenisation service to card issuers. Mastercard offer the
Digital Enablement Service (MDES) and Visa offer the Visa Token Service (VTS); Thredd refer to
the Visa service as the Visa Digital Enablement Program (VDEP). Thredd supports both of these
Thredd do not share details of the FPAN or DPAN with Program Managers (Thredd clients). When a card is created on the Thredd system, we provide a unique public token that is linked to the card, and which can be used for queries and services on that card. The Thredd public token is for internal use only between Thredd and the Program Manager; it should not be confused with the payment token created during the tokenisation process.
Tokenisation requires the following participants:
The Cardholder enrols with a mobile wallet provider or registers at an online merchant website.
The token requestor initiates the request to convert your cardholder’s Permanent Account
Number (PAN) into a digital token. Token requestors can be mobile wallets (such as
ApplePay) or online merchants (such as Netflix). Mastercard refer to the Token Requestor as
the “Wallet Provider”.
The Token Service Provider is the party that generates the token and securely maps the PAN
to a token. This is the Visa (VDEP) or Mastercard (MDES) systems that run the token service.
The issuer host is Thredd , who receives the tokenisation request from Visa or Mastercard and
decides on whether to approve or decline. During the implementation phase of the project,
the issuer/Program Manager and Thredd work together to set up and create the token service.
- The cardholder enrols their card with a token requestor (either an online merchant or a mobile Wallet provider).
- The token requestor requests a new token from the token service provider (Visa/Mastercard).
- The token service provider creates the payment token (DPAN), containing EMV and other card data, to replace the cardholder’s FPAN. The token service provider sends a Token Activation Request (TAR) to the issuer host (Thredd ).
- Thredd decides if token activation can continue, based on the Thredd Configuration Options set up for your programme. (See Token Authorisation Options below.)
- With Thredd approval the token service provider (Visa/Mastercard) activates the new payment token and sends the newly created token to the token requestor.
- For an Online Merchant payment token, the token is stored for use on their website. For a Mobile Wallet payment token, it is installed on the phone for mobile Near Field Communication (NFC) use.
For more information on tokenisation, refer to the Tokenisation Service Guide.
Updated 5 months ago