Tokenisation

This feature creates a token of the shopper's data without an initial payment. The token can be used in place of the real card data to bill the cardholder the next time a transaction takes place. Tokenisation eliminates the risk of your customers' card data being compromised in the event of an intrusion into your systems.

Adyen offers two ways to tokenise: using API/CSE or HPP.

API/CSE

Offload the sensitive cardholder data to Adyen. For each card or other payment detail to be stored, Adyen passes back a unique ID, called a token. This reduces the level of PCI compliance you need to meet. For non-card payment methods, tokenising the shopper's payment details means you no longer need to request this information when processing recurring payments.

A recurring contract is a set of one or more recurring payment details linked to a unique shopper on your merchant account. The contract is identified using the shopperReference and merchantAccount fields specified as part of the payment request (Direct API). Each recurring detail has a unique 16-digit reference number. A recurring detail reference number can be used in place of the actual details to submit a payment to the system.

There are two methods to create recurring details for a shopper. The first method is to allow Adyen to store the payment details while submitting a payment or to submit the payment details without submitting a payment (tokenisation).

In the case of credit card details, when you transfer the original card data from your database to Adyen's servers the scope of your PCI compliance reduces. It is important to know that full validation of the credit card does not occur when storing tokens since payment is not yet taking place. For example, if the shopper provides an expired credit card, it is stored and not rejected by the system.

Supported payment methods

The API supports tokenisation of the following payment methods:

  • Credit cards
  • Bank accounts
  • Alipay
  • Qiwi wallet

HPP

A Hosted Payment Page (HPP) for tokenisation provides a flexible, secure and easy way to allow shoppers to store their payment details for certain payment methods. You can redirect your shoppers from your main website to the HPP, where they can enter and store their payment details.

You can use Adyen's skin technology to customize the look and feel of the HPP for tokenisation (a dedicated skin is required for tokenising using HPP). This skin must have no additional setup such as transaction minimum/maximum limits and should be used for storing tokens. You can find more information about setting up skins in our Skin Manual.

Create a session for the shopper, as a standard HTML form, with the data that the HPP requires. To avoid the possibility of a shopper tampering with the session data, it is cryptographically signed using a shared secret.

Example of HTML form containing the fields that have to be passed to HPP
<input type="hidden" name="merchantReference" value="testOrder1274084412240" /> 
<input type="hidden" name="skinCode" value="6fC6PeJz" /> 
<input type="hidden" name="merchantAccount" value="TestMerchant" /> 
<input type="hidden" name="shopperReference" value="1274084412240" /> 
<input type="hidden" name="shopperEmail" value="some@one.com" /> 
<input type="hidden" name="recurringContract" value="RECURRING" /> 
<input type="hidden" name="merchantSig" value="f4jmkVP6xiYV/hifjb1u4DoAIfM=" />  

Remove paymentAmount and currencyCode when calculating the value of the merchantSig field. shopperReference, shopperEmail and recurringContract are mandatory when using tokenisation payment pages.
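Added example (not Adyen's code) of signing the tokenisation session server-side and verifying it before trusting the fields. HMAC-SHA1 and the field order are assumptions: the page states only that the field values are concatenated and signed with a shared secret, and the 28-character Base64 value in the form above is consistent with a 20-byte digest. The shared secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac

# Assumed signing order: the fields of the page's example form, with
# paymentAmount and currencyCode left out as the page instructs.
SIGNED_FIELDS = ("merchantReference", "skinCode", "merchantAccount",
                 "shopperEmail", "shopperReference", "recurringContract")

SHARED_SECRET = b"constructed-demo-secret"  # constructed placeholder, not a real key

# Field values copied from the page's example form.
SAMPLE_FORM = {
    "merchantReference": "testOrder1274084412240",
    "skinCode": "6fC6PeJz",
    "merchantAccount": "TestMerchant",
    "shopperReference": "1274084412240",
    "shopperEmail": "some@one.com",
    "recurringContract": "RECURRING",
}


def compute_merchant_sig(fields, secret):
    """Return the Base64 HMAC-SHA1 (assumed algorithm) of the concatenated values."""
    missing = [name for name in SIGNED_FIELDS if not fields.get(name)]
    if missing:
        raise ValueError("missing mandatory fields: " + ", ".join(missing))
    signing_string = "".join(fields[name] for name in SIGNED_FIELDS)
    mac = hmac.new(secret, signing_string.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_merchant_sig(fields, secret):
    """Recompute the signature and compare it in constant time."""
    try:
        expected = compute_merchant_sig(fields, secret)
    except ValueError:
        return False
    supplied = str(fields.get("merchantSig", ""))
    return hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8"))


if __name__ == "__main__":
    signed = dict(SAMPLE_FORM, merchantSig=compute_merchant_sig(SAMPLE_FORM, SHARED_SECRET))
    print("untouched form verifies:", verify_merchant_sig(signed, SHARED_SECRET))
    tampered = dict(signed, shopperReference="9999999999999")
    print("tampered form verifies:", verify_merchant_sig(tampered, SHARED_SECRET))
```

Keep the shared secret on the server only; the form carries the signature, never the key.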

Use tokenselect.shtml and tokenonepage.shtml to access the multi-page and the one-page interfaces for tokenisation, instead of using select.shtml or pay.shtml at the end of the URL (which are used for normal HPP payments). Once redirected to the HPP, the shopper can choose the payment method for which their payment details are stored in a token.

On completion of the tokenisation, the shopper is redirected to a result URL. The fields passed as part of that redirection differ from the HPP response for payment completion in two ways:

  1. The pspReference field contains the recurringDetailReference value. This is a 16-digit number that uniquely identifies the stored details.
  2. The authResult field contains the word TOKENSTORED if the payment details are successfully stored, otherwise an ERROR.

HPP Fields

| Name | Type | Required | Description |
|---|---|---|---|
| merchantAccount | String | Yes | The merchant account identifier you want to process the (transaction) request with. |
| merchantReference | String | Yes | This is your reference for this payment; it is used in all communication to you regarding the status of the payment. We recommend using a unique value per payment, but this is not a requirement. |
| shopperEmail | String | Yes | The shopper's email address. |
| shopperReference | String | Yes | The shopper's reference for the payment transaction. |
| recurringContract | Class | Yes | The type of recurring contract to be used. Fixed value: RECURRING |
| skinCode | String | Yes | The code of the skin to be used for storing payment details via HPP. |
| merchantSig | | | The signature in Base64 encoded format. The signature is generated by concatenating the values of the fields listed above. |