Save card

Request for the gateway to store card information against a token, where you provide the token id.

Note: The behaviour of this call depends on two aspects of your token repository configuration: Token Generation Strategy (either Merchant-Supplied, Random or Preserve 6.4) and Token Management strategy (Unique Card or Unique Token). For more information, see How to Configure Tokenization. Your Token Generation Strategy and Token Management Strategy will be configured by your gateway provider for you.

For all repository configurations, you can use this call to update the data for a token. If you use a Merchant-Supplied generation strategy, you also use this call to create the token. However, to maintain the repository rules, the gateway will reject your request and generate an error if:

  • You are using a Preserve 6.4 repository and your request would change the card number. If we did not, we would break the 6.4 preservation rule.
  • You are using use a Unique Card Number repository and you attempt to update this token to a card number that is already assigned to another token. If we did not, we would have two tokens for the same card number, which would break the uniqueness rule.

URL https://na.gateway.mastercard.com/api/rest/version/20/merchant/{merchantId}/token/{tokenid}
HTTP Method PUT
Authentication This operation requires authentication via one of the following methods:
  • Certificate authentication.
  • Basic HTTP authentication as described at w3.org. Provide 'merchant.<your gateway merchant ID>' in the userid portion and your API password in the password portion.

Request Parameters

sourceOfFunds   = COMPULSORY

Depending on the payment type the source of the funds can be a debit or credit card, bank account, or account with a browser payment provider (such as PayPal).

For card payments the source of funds information may be represented by combining one or more of the following: explicitly provided card details, a session identifier which the gateway will use to look up the card details and/or a card token. Precedence rules will be applied in that explicitly provided card details will override session card details which will override card token details. Each of these may represent partial card details, however the combination must result in a full and complete set of card details. See Using Multiple Sources of Card Details for examples.
Fixed value

sourceOfFunds.type  Enumeration = COMPULSORY

Existence
COMPULSORY
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
CARD
The customer selected to pay using a credit or debit card. The payer's card details must be provided.

cardVerificationStrategy  Enumeration = OPTIONAL

If not provided the verification strategy on the merchant profile will be used to verify the card details on the request.
Existence
OPTIONAL
Fixed value
Validation Rules
Used to nominate which type of Card Verification to use when card details are stored in the token repository. This setting overrides the default settings in Merchant Manager.
JSON type
String
Value must be a member of the following list. The values are case sensitive.
ACQUIRER
Verifies that the card is valid by performing an Authorize transaction for an nominal amount (e.g.$1.00)
BASIC
Verifies the card number is valid and that the card number falls within a valid BIN range
NONE
No verification of the card details are performed

correlationId  String = OPTIONAL

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.
Existence
OPTIONAL
Fixed value
Validation Rules
Data can consist of any characters
XSD type
string
minimum length
1
maximum length
100

responseControls   = OPTIONAL

Container for fields that control the response returned for the request.
Fixed value

responseControls.sensitiveData  String = OPTIONAL

Existence
OPTIONAL
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
50

session.id  ASCII Text = OPTIONAL

Values provided in the request will override values contained in the session.
Existence
OPTIONAL
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
31
maximum length
35

sourceOfFunds   = COMPULSORY

Depending on the payment type the source of the funds can be a debit or credit card, bank account, or account with a browser payment provider (such as PayPal).

For card payments the source of funds information may be represented by combining one or more of the following: explicitly provided card details, a session identifier which the gateway will use to look up the card details and/or a card token. Precedence rules will be applied in that explicitly provided card details will override session card details which will override card token details. Each of these may represent partial card details, however the combination must result in a full and complete set of card details. See Using Multiple Sources of Card Details for examples.
Fixed value

sourceOfFunds.provided   = OPTIONAL

For browser payments, the source of funds details are usually collected from the payer on the payment provider's website and provided to you when you retrieve the transaction details (for a successful transaction). However, for some payment types (such as giropay), you must collect the information from the payer and supply it here.
Fixed value

sourceOfFunds.provided.card   = OPTIONAL

Details as shown on the card.
Fixed value

sourceOfFunds.provided.card.expiry   = OPTIONAL

Expiry date, as shown on the card.
Fixed value

sourceOfFunds.provided.card.expiry.month  Digits = COMPULSORY

Months are numbered January=1, through to December=12.
Existence
COMPULSORY
Fixed value
Validation Rules
Data is a number between 1 and 12 represented as a string.
JSON type
String

sourceOfFunds.provided.card.expiry.year  Digits = COMPULSORY

The Common Era year is 2000 plus this value.
Existence
COMPULSORY
Fixed value
Validation Rules
Data is a string that consists of the characters 0-9.
JSON type
String
minimum length
2
maximum length
2

sourceOfFunds.provided.card.number  Digits = OPTIONAL

Existence
OPTIONAL
Fixed value
Validation Rules
Data is a string that consists of the characters 0-9.
JSON type
String
minimum length
9
maximum length
19

sourceOfFunds.provided.card.securityCode  Digits = OPTIONAL

Existence
OPTIONAL
Fixed value
Validation Rules
Data is a string that consists of the characters 0-9.
JSON type
String
minimum length
3
maximum length
4

sourceOfFunds.token  Alphanumeric = OPTIONAL

Existence
OPTIONAL
Fixed value
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z
JSON type
String
minimum length
1
maximum length
40

sourceOfFunds.type  Enumeration = COMPULSORY

Existence
COMPULSORY
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
CARD
The customer selected to pay using a credit or debit card. The payer's card details must be provided.

transaction.currency  Upper case alphabetic text = OPTIONAL

Not required for basic verification.
Existence
OPTIONAL
Fixed value
Validation Rules
Data must consist of the characters A-Z
JSON type
String
minimum length
3
maximum length
3

{merchantId}  Alphanumeric + additional characters COMPULSORY

Existence
COMPULSORY
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z, '-', '_'
XSD type
string
minimum length
1
maximum length
40

{tokenid}  Alphanumeric COMPULSORY

Existence
COMPULSORY
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z
XSD type
string
minimum length
1
maximum length
40

Response Parameters

result  Enumeration = Always Provided

Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The operation was declined or rejected by the gateway, acquirer or issuer
PENDING
The operation is currently in progress or pending processing
SUCCESS
The operation was successfully processed
UNKNOWN
The result of the operation is unknown

correlationId  String = CONDITIONAL

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.
Existence
CONDITIONAL
Fixed value
Validation Rules
Data can consist of any characters
XSD type
string
minimum length
1
maximum length
100

repositoryId  ASCII Text = CONDITIONAL

Token repositories can be shared across merchants; however, a single merchant can be associated with only one token repository at a given time. Every token repository has a corresponding test token repository, which only the merchants with the corresponding test profiles can access. For example, if the repository ID is ABC, the test repository ID will be TestABC. Hence, the system displays an error if you specify a repository ID that starts with 'Test'
Existence
CONDITIONAL
Fixed value
Validation Rules
Data consists of ASCII characters
JSON type
String
minimum length
1
maximum length
16

response.gatewayCode  Enumeration = CONDITIONAL

Existence
CONDITIONAL
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
BASIC_VERIFICATION_SUCCESSFUL
The card number format was successfully verified and the card exists in a known range.
EXTERNAL_VERIFICATION_BLOCKED
The external verification was blocked due to risk rules.
EXTERNAL_VERIFICATION_DECLINED
The card details were sent for verification, but were was declined.
EXTERNAL_VERIFICATION_DECLINED_AUTHENTICATION_REQUIRED
The card details were sent for verification, but were declined as authentication required.
EXTERNAL_VERIFICATION_DECLINED_EXPIRED_CARD
The card details were sent for verification, but were declined as the card has expired.
EXTERNAL_VERIFICATION_DECLINED_INVALID_CSC
The card details were sent for verification, but were declined as the Card Security Code (CSC) was invalid.
EXTERNAL_VERIFICATION_PROCESSING_ERROR
There was an error processing the verification.
EXTERNAL_VERIFICATION_SUCCESSFUL
The card details were successfully verified.
NO_VERIFICATION_PERFORMED
The card details were not verified.

result  Enumeration = Always Provided

Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
FAILURE
The operation was declined or rejected by the gateway, acquirer or issuer
PENDING
The operation is currently in progress or pending processing
SUCCESS
The operation was successfully processed
UNKNOWN
The result of the operation is unknown

sourceOfFunds   = CONDITIONAL

Details about the source of the funds for this payment.
Fixed value

sourceOfFunds.provided   = Always Provided

The details of the source of funds when they are directly provided as opposed to via a token or session.
Fixed value

sourceOfFunds.provided.card   = CONDITIONAL

Details as shown on the card.
Fixed value

sourceOfFunds.provided.card.brand  Enumeration = Always Provided

For many major card types this will match the scheme name. In some markets, a card may also be co-branded with a local brand that is recognized and accepted within its country/region of origin (see card.localBrand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
AMEX
American Express
CHINA_UNIONPAY
China UnionPay
DINERS_CLUB
Diners Club
DISCOVER
Discover
JCB
JCB (Japan Credit Bureau)
LOCAL_BRAND_ONLY
The card does not have a global brand.
MAESTRO
Maestro
MASTERCARD
MasterCard
RUPAY
RuPay
UATP
UATP (Universal Air Travel Plan)
UNKNOWN
The brand of the card used in the transaction could not be identified
VISA
Visa

sourceOfFunds.provided.card.expiry   = CONDITIONAL

Expiry date, as shown on the card.
Fixed value

sourceOfFunds.provided.card.expiry.month  Digits = Always Provided

Months are numbered January=1, through to December=12.
Existence
Always Provided
Fixed value
Validation Rules
Data is a number between 1 and 12 represented as a string.
JSON type
String

sourceOfFunds.provided.card.expiry.year  Digits = Always Provided

The Common Era year is 2000 plus this value.
Existence
Always Provided
Fixed value
Validation Rules
Data is a string that consists of the characters 0-9.
JSON type
String
minimum length
2
maximum length
2

sourceOfFunds.provided.card.fundingMethod  Enumeration = Always Provided

You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.
Existence
Always Provided
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
CHARGE
The payer has a line of credit with the issuer which must be paid off monthly.
CREDIT
The payer has a revolving line of credit with the issuer.
DEBIT
Funds are immediately debited from the payer's account with the issuer.
UNKNOWN
The account funding method could not be determined.

sourceOfFunds.provided.card.localBrand  Enumeration = CONDITIONAL

The card may also be co-branded with a brand name that is recognized and accepted globally (see card.brand).
You may use this information to support surcharging decisions. This information is gathered from 3rd party sources and may not be accurate in all circumstances.
Existence
CONDITIONAL
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
BANAMEX_COSTCO
Banamex Costco (Mexico)
BANKAXEPT
BankAxept (Norway)
CARNET
Carnet (Mexico)
CARTE_BANCAIRE
Carte Bancaire (France)
COSTCO_MEMBER_CREDIT
Costco Member Credit
EBT
Electronic Benefit Transfer (USA)
EFTPOS
Eftpos(Aus)
ELO
Elo (Brazil)
FARMERS
Farmers Card (New Zealand)
GIROCARD_JCB
Girocard (JCB)
GIROCARD_MAESTRO
Girocard (Maestro)
GIROCARD_VISA
Girocard (Visa)
LASER
Laser (Ireland)
OTHER
Other local card brand
PAGOBANCOMAT
PagoBANCOMAT (Italy)
Q_CARD
Q Card (New Zealand)
SORIANA
Soriana (Mexico)
TRUE_REWARDS
True Rewards (New Zealand)

sourceOfFunds.provided.card.number  Masked digits = CONDITIONAL

By default, the card number will be returned in 6.4 masking format, for example, 000000xxxxxx0000.If you wish to return unmasked card numbers, you must have the requisite permission, set responseControls.sensitiveData field to UNMASK, and authenticate your call to the API using certificate authentication.
Existence
CONDITIONAL
Fixed value
Validation Rules
Data is a string that consists of the characters 0-9, plus 'x' for masking
JSON type
String
minimum length
9
maximum length
19

sourceOfFunds.provided.card.scheme  Enumeration = CONDITIONAL

The card scheme also controls authorization and settlement of card transactions among issuers and acquirers.
Existence
CONDITIONAL
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
AMEX
American Express
CHINA_UNIONPAY
China UnionPay
DINERS_CLUB
Diners Club
DISCOVER
Discover
JCB
JCB (Japan Credit Bureau)
MASTERCARD
MasterCard
OTHER
The scheme of the card used in the transaction could not be identified.
RUPAY
RuPay
UATP
UATP (Universal Air Travel Plan)
VISA
Visa

sourceOfFunds.type  Enumeration = CONDITIONAL

Existence
CONDITIONAL
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
CARD
The customer selected to pay using a credit or debit card. The payer's card details must be provided.

token  Alphanumeric = CONDITIONAL

The format of this token id depends on the Tokenization Strategy configured for the merchant:
  • RANDOM_WITH_LUHN: Token is 16 digits long, starts with 9, and is in the format of 9nnnnnnnnnnnnnnC, where n represents any number, and C represents a check digit such that the token will conform to the Luhn algorithm.
  • PRESERVE_6_4: The first 6 and last 4 digits of the token are the same as the first 6 and last 4 digits of the provided card number, middle digits are randomized, the token id does NOT conform to Luhn algorithm.
  • MERCHANT_PROVIDED: The merchant must supply the token id in the Save request
Existence
CONDITIONAL
Fixed value
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z
JSON type
String
minimum length
1
maximum length
40

usage   = CONDITIONAL

Information about the token.
Fixed value

usage.lastUpdated  DateTime = CONDITIONAL

Existence
CONDITIONAL
Fixed value
Validation Rules
An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"
JSON type
String

usage.lastUpdatedBy  Alphanumeric + additional characters = CONDITIONAL

Existence
CONDITIONAL
Fixed value
Validation Rules
Data may consist of the characters 0-9, a-z, A-Z, '-', '_'
JSON type
String
minimum length
1
maximum length
40

usage.lastUsed  DateTime = CONDITIONAL

Existence
CONDITIONAL
Fixed value
Validation Rules
An instant in time expressed in ISO8601 date + time format - "YYYY-MM-DDThh:mm:ss.SSSZ"
JSON type
String

verificationStrategy  Enumeration = CONDITIONAL

If not provided, the verification strategy set on your merchant profile by your payment provider will be used.
Existence
CONDITIONAL
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
ACQUIRER
The gateway verifies the card details by performing an authorization for a nominal amount (for example, $1.00). The card details are sent to the acquirer for verification. This method requires your merchant profile to be configured with ""Auth Then Capture"" transaction mode.
BASIC
The gateway validates the card number format and checks if the card number falls within a valid BIN range.
NONE
The gateway does not perform card verification.

error   = CONDITIONAL

Information on possible error conditions that may occur while processing an operation using the API.
Fixed value

error.cause  Enumeration = CONDITIONAL

For example, errors may occur due to invalid requests or internal system failures.
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
INVALID_REQUEST
The request was rejected because it did not conform to the API protocol.
REQUEST_REJECTED
The request was rejected due to security reasons such as firewall rules, expired certificate, etc.
SERVER_BUSY
The server did not have enough resources to process the request at the moment.
SERVER_FAILED
There was an internal system failure.

error.explanation  String = CONDITIONAL

This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
1000

error.field  String = CONDITIONAL

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
100

error.supportCode  String = CONDITIONAL

This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.
Fixed value
Validation Rules
Data can consist of any characters
JSON type
String
minimum length
1
maximum length
100

error.validationType  Enumeration = CONDITIONAL

This field is returned only if the cause is INVALID_REQUEST and a field level validation error was encountered.
Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
INVALID
The request contained a field with a value that did not pass validation.
MISSING
The request was missing a mandatory field.
UNSUPPORTED
The request contained a field that is unsupported.

result  Enumeration = CONDITIONAL

Fixed value
Validation Rules
JSON type
String
Value must be a member of the following list. The values are case sensitive.
ERROR
The operation resulted in an error and hence cannot be processed.

Copyright © 2023 Mastercard