Save card (with system-generated token)

Request for the gateway to store card information against a token, where the system generates the token id.

Note: The behaviour of this call depends on two aspects of your token repository configuration: Token Generation Strategy (either Merchant-Supplied, Random or Preserve 6.4) and Token Management strategy (Unique Card or Unique Token). For more information, see How to Configure Tokenization. Your Token Generation Strategy and Token Management Strategy will be configured by your gateway provider for you.

If you are configured to use a Random or Preserve 6.4 token generation strategy, use this call to create the token. If you use a Merchant-Supplied generation strategy, do not use this call.

Typically, this call will return a new token. However, if you are configured to use a Unique Card Number repository and the supplied card number has been previously stored against an existing token, we will return that token.

POST https://na.gateway.mastercard.com/api/rest/version/5 / merchant / {merchantId} / token

Authentication Copied to clipboard

This operation requires authentication via one of the following methods:


  • Certificate authentication.
  • Basic HTTP authentication as described at w3.org. To authenticate to the API, leave the userid portion (to the left of the colon) blank and fill the password section with the API password provided to you.

Request Copied to clipboard

URL Parameters Copied to clipboard

{merchantId} Copied to clipboard Alphanumeric + additional characters REQUIRED

The unique identifier issued to you by your payment provider.


Data may consist of the characters 0-9, a-z, A-Z, '-', '_'

Min length: 1 Max length: 40

Fields Copied to clipboard

To view the optional fields, please toggle on the "Show optional" setting.

cardDetails Copied to clipboard REQUIRED

The card details, which may be represented by combining one or more of the following: Card Details, Form Session Id and/or Card Token.

Precedence rules will be applied in that order, i.e. Card Details will override From Session details which will override Card Token details. Each of these may represent partial details, however the combination must result in a full and complete set of card details. See Using Multiple Sources of Card Details for examples.

cardDetails.card Copied to clipboard
cardDetails.card.expiry Copied to clipboard

Expiry date, as shown on the card.

cardDetails.card.expiry.month Copied to clipboard Digits REQUIRED

Month, as shown on the card.

Months are numbered January=1, through to December=12.

Data is a number between 1 and 12 represented as a string.

cardDetails.card.expiry.year Copied to clipboard Digits REQUIRED

Year, as shown on the card.

The Common Era year is 2000 plus this value.

Data is a string that consists of the characters 0-9.

Min length: 2 Max length: 2
cardDetails.card.number Copied to clipboard Digits

Credit card number as printed on the card.

Data is a string that consists of the characters 0-9.

Min length: 9 Max length: 19
cardDetails.card.securityCode Copied to clipboard Digits

Card verification code, as printed on the back or front of the card.

Data is a string that consists of the characters 0-9.

Min length: 3 Max length: 4
cardDetails.cardToken Copied to clipboard Alphanumeric

Uniquely identifies a card and associated details.

Data may consist of the characters 0-9, a-z, A-Z

Min length: 1 Max length: 40
cardDetails.session Copied to clipboard ASCII Text

Session carrying the card details to be used.

Data consists of ASCII characters

Min length: 31 Max length: 35
cardVerificationStrategy Copied to clipboard Enumeration

The strategy that should be used to verify the card details on the request.

If not provided the verification strategy on the merchant profile will be used to verify the card details on the request.

Used to nominate which type of Card Verification to use when card details are stored in the token repository. This setting overrides the default settings in Merchant Manager.

Value must be a member of the following list. The values are case sensitive.

ACQUIRER

Verifies that the card is valid by performing an Authorize transaction for an nominal amount (e.g.$1.00)

BASIC

Verifies the card number is valid and that the card number falls within a valid BIN range

NONE

No verification of the card details are performed

correlationId Copied to clipboard String

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
transaction.currency Copied to clipboard Upper case alphabetic text

The currency which should be used for acquirer card verification.

Not required for basic verification.

Data must consist of the characters A-Z

Min length: 3 Max length: 3

Response Copied to clipboard

Fields Copied to clipboard

card Copied to clipboard
card.expiry Copied to clipboard

Expiry date, as shown on the card.

card.expiry.month Copied to clipboard Digits ALWAYS PROVIDED

Month, as shown on the card.

Months are numbered January=1, through to December=12.

Data is a number between 1 and 12 represented as a string.

card.expiry.year Copied to clipboard Digits ALWAYS PROVIDED

Year, as shown on the card.

The Common Era year is 2000 plus this value.

Data is a string that consists of the characters 0-9.

Min length: 2 Max length: 2
card.number Copied to clipboard Masked digits

The account number embossed onto the card.

The number will be masked according to your masking settings and how you authenticated your call to the API.

If you authenticated using certificate authentication, then your masking settings will be used. This allows you to return unmasked card numbers if you have chosen not to apply masking.

If you authenticated to the API by a means other than certificate authentication, then the card number will be returned with your masking settings or 6.4; whichever is more restrictive for example, 000000xxxxxx0000.

Data is a string that consists of the characters 0-9, plus 'x' for masking

Min length: 9 Max length: 19
card.scheme Copied to clipboard Enumeration

The card scheme e.g. AMEX, DISCOVER, DINERS_CLUB, JCB, MASTERCARD, UATP VISA.

Only card schemes which can be identified by distinct BIN ranges are included in this list. All other card schemes are included under "Other"

Value must be a member of the following list. The values are case sensitive.

AMEX

American Express

CHINA_UNIONPAY

China UnionPay

DINERS_CLUB

Diners Club

DISCOVER

Discover

JCB

JCB (Japan Credit Bureau)

MASTERCARD

MasterCard

OTHER

The scheme of the card used in the transaction could not be identified.

RUPAY

RuPay

UATP

UATP (Universal Air Travel Plan)

VISA

Visa

cardToken Copied to clipboard Alphanumeric

Uniquely identifies a card and associated details.

The format of this token id depends on the Tokenization Strategy configured for the merchant:

  • RANDOM_WITH_LUHN: Token is 16 digits long, starts with 9, and is in the format of 9nnnnnnnnnnnnnnC, where n represents any number, and C represents a check digit such that the token will conform to the Luhn algorithm.
  • PRESERVE_6_4: The first 6 and last 4 digits of the token are the same as the first 6 and last 4 digits of the provided card number, middle digits are randomized, the token id does NOT conform to Luhn algorithm.
  • MERCHANT_PROVIDED: The merchant must supply the token id in the Save request

Data may consist of the characters 0-9, a-z, A-Z

Min length: 1 Max length: 40
correlationId Copied to clipboard String

A transient identifier for the request, that can be used to match the response to the request.

The value provided is not validated, does not persist in the gateway, and is returned as provided in the response to the request.

Data can consist of any characters

Min length: 1 Max length: 100
response.gatewayCode Copied to clipboard Enumeration

Summary of the success or otherwise of the Save operation.

Value must be a member of the following list. The values are case sensitive.

ACQUIRER_VERIFICATION_BLOCKED

The acquirer verification transaction was blocked due to risk rules.

ACQUIRER_VERIFICATION_DECLINED

The card details were sent to the acquirer for verification, but the transaction was declined.

ACQUIRER_VERIFICATION_DECLINED_AUTHENTICATION_REQUIRED

The card details were sent for verification, but were declined as authentication required.

ACQUIRER_VERIFICATION_DECLINED_EXPIRED_CARD

The card details were sent to the acquirer for verification, but the transaction was declined as the card has expired.

ACQUIRER_VERIFICATION_DECLINED_INVALID_CSC

The card details were sent to the acquirer for verification, but the transaction was declined as the Card Security Code (CSC) was invalid.

ACQUIRER_VERIFICATION_PROCESSING_ERROR

There was an error processing the verification transaction.

ACQUIRER_VERIFICATION_SUCCESSFUL

The card details were successfully verified with the acquirer.

BASIC_VERIFICATION_SUCCESSFUL

The card number format was successfully verifed and the card exists in a range known by the gateway.

NO_VERIFICATION_PERFORMED

The card details were not verified.

result Copied to clipboard Enumeration ALWAYS PROVIDED

A system-generated high level overall result of the Save operation.

Value must be a member of the following list. The values are case sensitive.

FAILURE

The operation was declined or rejected by the gateway, acquirer or issuer

PENDING

The operation is currently in progress or pending processing

SUCCESS

The operation was successfully processed

UNKNOWN

The result of the operation is unknown

Errors Copied to clipboard

error Copied to clipboard

Information on possible error conditions that may occur while processing an operation using the API.

error.cause Copied to clipboard Enumeration

Broadly categorizes the cause of the error.

For example, errors may occur due to invalid requests or internal system failures.

Value must be a member of the following list. The values are case sensitive.

INVALID_REQUEST

The request was rejected because it did not conform to the API protocol.

REQUEST_REJECTED

The request was rejected due to security reasons such as firewall rules, expired certificate, etc.

SERVER_BUSY

The server did not have enough resources to process the request at the moment.

SERVER_FAILED

There was an internal system failure.

error.explanation Copied to clipboard String

Textual description of the error based on the cause.

This field is returned only if the cause is INVALID_REQUEST or SERVER_BUSY.

Data can consist of any characters

Min length: 1 Max length: 1000
error.supportCode Copied to clipboard String

Indicates the code that helps the support team to quickly identify the exact cause of the error.

This field is returned only if the cause is SERVER_FAILED or REQUEST_REJECTED.

Data can consist of any characters

Min length: 1 Max length: 100
result Copied to clipboard Enumeration

A system-generated high level overall result of the operation.

Value must be a member of the following list. The values are case sensitive.

ERROR

The operation resulted in an error and hence cannot be processed.