Network Tokenization

  • Value Added Service
  • Europe & UK

Overview

The Network Tokenization Service enables Paysafe to request payment tokens from Visa Token Service (VTS) and Mastercard Secure Card on File (SCoF) on behalf of the Merchant. These tokens replace the primary account number (PAN) of a debit or credit card, ensuring secure transaction processing. Each network token is issued by the card schemes and visually resembles a regular card PAN, with the same digit count. However, these tokens add an extra layer of security. When an issuing bank changes the details and status of a card, the details and status of the corresponding token are updated in real time.

As a registered Network Token Requestor for the service, you will gain the capability to conduct customer-initiated and merchant-initiated payments, refunds, original credits, and standalone credits within Europe using network tokens. The network tokens replace the card PANs that lie beneath Paysafe's permanent token. This service will become available for North America in February 2024.

You can access the service through Customer Vault API, Card API, and Payments API. Additionally, it's available through our hosted solutions: Paysafe.JS, Paysafe Checkout v1 and Paysafe Checkout v2.

Network tokens have three states: ACTIVE, SUSPENDED, and DELETED. The "status" field in the "networkToken" object indicates whether the token is ACTIVE or SUSPENDED. A DELETED token will not be returned by Customer Vault API/Payments API on lookup.

Transactions can only be processed using active tokens. Transactions that use suspended cards with network tokens fail in our system with error 5500; they do not reach the issuing banks and do not affect the card acceptance rate. Suspended cards with network tokens are grayed out in Paysafe Checkout v1 and Paysafe Checkout v2. If you are integrated with Paysafe.JS or directly with our APIs, we recommend that you gray out the suspended cards with network tokens on your own checkout page. Suspended network tokens can later be resumed to active by the customers or the issuing banks, and this can be reflected on the frontend.

Network tokens can be deleted by the card schemes or by the merchants/Paysafe. When a network token is deleted, the permanent token/multi-use payment handle is deactivated on Paysafe's side, meaning that it will no longer be returned by Customer Vault API/Payments API. If a transaction using the string of the deleted token/payment handle (e.g. "SCdsav34r4b43bf") is attempted, error code 5500 is returned.
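The token states described above, applied to a merchant-built checkout page, as an added example that is not Paysafe's own code. Only the "networkToken" object, its "status" values and error 5500 come from this page; the `cards`, `paymentToken`, `lastDigits` and `error.code` names and all function names are assumptions.

```javascript
// Added example, not Paysafe code. Field names other than networkToken.status
// are assumed, and the sample data is constructed.

// Constructed profile lookup result (DELETED tokens are never returned on lookup).
const sampleProfile = {
  cards: [
    { paymentToken: "CONSTRUCTED_TOKEN_1", lastDigits: "6288", networkToken: { status: "ACTIVE" } },
    { paymentToken: "CONSTRUCTED_TOKEN_2", lastDigits: "6387", networkToken: { status: "SUSPENDED" } },
    { paymentToken: "CONSTRUCTED_TOKEN_3", lastDigits: "4590" }, // no network token (assumed case)
    // "PENDING" is not a documented status; it stands in for any unknown value.
    { paymentToken: "CONSTRUCTED_TOKEN_4", lastDigits: "4574", networkToken: { status: "PENDING" } },
  ],
};

// Decide per saved card whether the checkout page may offer it.
function classifySavedCards(profile) {
  return (profile.cards || []).map((card) => {
    const status = card.networkToken ? card.networkToken.status : "NONE";
    // ACTIVE is usable. A card without a network token is assumed to be
    // processed as before. SUSPENDED and unknown statuses are grayed out.
    const selectable = status === "ACTIVE" || status === "NONE";
    return { paymentToken: card.paymentToken, lastDigits: card.lastDigits, status, selectable };
  });
}

// Error 5500 is what this page documents for suspended and deleted tokens.
// The { error: { code } } response shape is an assumption.
function isTokenUnusableError(responseBody) {
  return Boolean(responseBody && responseBody.error && String(responseBody.error.code) === "5500");
}

// After a failed payment, return the action the checkout page should take.
function nextActionAfterFailure(responseBody) {
  if (isTokenUnusableError(responseBody)) {
    // Do not retry with the same token. Look the profile up again so a
    // SUSPENDED card is grayed out and a DELETED one drops off the list.
    return "REFRESH_SAVED_CARDS";
  }
  return "SHOW_GENERIC_DECLINE";
}
```
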

If you wish to opt out of the service, you can do so at any time.

Advantages

  • Extra layer of security for transactions with debit and credit cards
  • Reduced costs due to fewer failed transactions
  • Increase of the card acceptance rate 
  • Improvement of the UX of customers with saved cards
  • Minor additional integration for merchants who are processing cards with Paysafe

Card Brands

  • Visa
  • Mastercard

Product availability

  • Customer Vault + Cards API
  • Payments API
  • Paysafe.JS (powered by Customer Vault + Cards API)
  • Paysafe.JS (powered by Payments API)
  • Paysafe Checkout v1
  • Paysafe Checkout v2

Currently not supported:

  • Onboarding Solutions for Platform Partners:
    • Applications API
    • Simplified Onboarding
    • Accounts API v1 
  • Regions: Only supported in Europe - all other regions not supported.

Setup Requirements

To create a test account in both the sandbox and production environments, Paysafe requires your consent to the Terms & Conditions Agreement for onboarding for the service.

The checkout page of your website or mobile app must support cards saved by the user.

For Network Tokenization upon saving a card or creating a profile, the Customer Vault and Payments APIs have the following field requirements:

  • email (optional)
  • accountId (optional)
  • holderName or firstName and lastName (required)

Important considerations

  • When a new card is added to a new or existing profile using the Customer Vault API (or using the tokenization functionality of the Payments API), you can provide the Paysafe account id if you would like to fine-tune the account at which Network tokenization billing happens for that card/token. Otherwise, the Paysafe account id used for processing the card/token is also used for Network tokenization billing.
  • Including the email in the profile/customer is recommended, but not mandatory. Inclusion of the email may increase the chances of getting a Network token for a card.
  • If holderName is unavailable for the stored card, Paysafe automatically concatenates firstName and lastName from the customer's profile and sends the cardholder's name for network token creation.
  • initialTransactionId is a mandatory field for processing merchant-initiated recurring authorizations with Visa network tokens. If this reference is missing, the recurring authorizations are declined.
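A pre-flight check for the field requirements and considerations listed above, as an added example that is not Paysafe's own code. The field names `email`, `accountId`, `holderName`, `firstName`, `lastName` and `initialTransactionId` come from this page; their placement (`card.holderName`, `storedCredential.*`), the `cardBrand` field, the space used when joining names and all function names are assumptions.

```javascript
// Added example, not Paysafe code. Field placement and cardBrand are assumed.

// Name sent for token creation: holderName if present, else firstName + lastName
// (joined with a space here, which is an assumption).
function resolveHolderName(body) {
  const holder = body.card && body.card.holderName;
  if (holder && holder.trim()) return holder.trim();
  const parts = [body.firstName, body.lastName].map((p) => (p || "").trim());
  return parts[0] && parts[1] ? parts.join(" ") : null;
}

// Check a save-card / create-profile request body before sending it.
function checkSaveCardRequest(body) {
  const errors = [];
  const warnings = [];
  const holderName = resolveHolderName(body);
  if (!holderName) errors.push("holderName or firstName and lastName is required");
  if (!body.email) warnings.push("email is recommended: it may increase the chance of getting a network token");
  const accountId = body.accountId || (body.card && body.card.accountId);
  if (!accountId) warnings.push("no accountId: billing uses the account that processes the card/token");
  return { ok: errors.length === 0, holderName, errors, warnings };
}

// Check a merchant-initiated recurring authorization made with a Visa network token.
function checkRecurringAuth(auth) {
  const sc = auth.storedCredential || {};
  const isMitRecurring = sc.type === "RECURRING" && sc.occurrence === "SUBSEQUENT";
  if (auth.cardBrand === "VISA" && isMitRecurring && !sc.initialTransactionId) {
    return { ok: false, error: "initialTransactionId is missing: the recurring authorization is declined" };
  }
  return { ok: true, error: null };
}

// Constructed sample inputs.
const sampleSaveCard = {
  firstName: "John",
  lastName: "Doe",
  card: { accountId: "0000000000", singleUseToken: "CONSTRUCTED_TOKEN" },
};
const sampleRecurring = {
  cardBrand: "VISA",
  storedCredential: { type: "RECURRING", occurrence: "SUBSEQUENT" },
};
```
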

Transaction types

  • Authorization
  • Void Authorization
  • Authorization + Settlement
  • Settlement
  • Recurring Authorization
  • Verification
  • Refund
  • Standalone Credit
  • Original Credit

Network Tokenization Diagram

Network Tokenization creation

Processing with network token

Typical Scenarios

Network token creation in Customer Vault

Upon successfully authorizing a payment with CARD as the payment type, you must save the used debit or credit card on file within an existing customer profile or generate a new profile in the Customer Vault. In this process, add the merchant's accountId within the card object and place the customer's email address outside the card object, as shown in the example below. By following this procedure, the Network Tokenization Service will be activated, prompting the respective card network to generate a network token for the provided card.

Example

{
  "merchantCustomerId": "mycustomer1",
  "dupCheck": false,
  "locale": "en_GB",
  "firstName": "John",
  "lastName": "Doe",
  "email": "accountholder1@example.com",
  "card": {
    "accountId": "1006385560",
    "singleUseToken": "SCjaFaHN6Ud1y3ee"
  }
}

Paysafe will gradually backfill previously saved cards on file. For this purpose, please update the customer's profile with the customer's email address in case the email address hasn't been previously saved in Customer Vault. Paysafe automatically sends a default email address for network token creation when the merchant is not keeping the customer's email on file. This way the merchant won't be required to pass either an accountId or an email to obtain a network token.

Authorization with a network token in Cards API

The generated permanent Paysafe token contains a unique network token, which lies beneath it along with the PAN. The permanent Paysafe token must be sent in the request body for authorization, but the transaction will be processed with the underlying network token and a single-use cryptogram, issued by the respective card scheme.

Network token creation in Payments API

The network token is created upon customer creation. The difference from the approach in Customer Vault is that accountId is not passed inside the card object in the request body for saving a card on file; the card object is not present at all. As the card is saved on file, a Paysafe multi-use payment handle is created.

Example

{
  "merchantCustomerId": "mycustomer2",
  "locale": "en_US",
  "paymentHandleTokenFrom": "SC1IHQO94g1ieppo",
  "accountId": "1006385561",
  "email": "accountholder2@example.com"
}

Paysafe will gradually backfill previously saved cards on file. For this purpose, please update the customer's profile with the customer's email address in case the email address wasn't previously saved in Payments API. Paysafe automatically sends a default email address for network token creation, when the merchant is not keeping the customer's email on file. This way the merchant won't be required to pass either an accountId or an email to obtain a network token.

Authorization with a network token in Payments API

For merchant-initiated transactions in Payments API you can directly pass the card's multi-use payment handle. A network token lies beneath this multi-use payment handle and the transaction will be processed with it instead of the real PAN.

Single-Use Payment Handle for network token

To create a single-use payment handle for a customer-initiated transaction with a saved card, first you have to create a Single-Use Customer Token.

Afterwards the Single-Use Payment Handle can be created for a customer-initiated transaction with a saved card in Payments API, Paysafe.JS and Paysafe Checkout v2.

The newly created Single-Use Payment Handle must be used for the authorization of the customer-initiated transaction. For more information about customer-initiated transactions with a single-use token/single-use payment handle, please visit the documentation for saved cards in Paysafe.JS and Paysafe Checkout.

3D Secure Authentication

For 3DS authentication, pass the network token BIN instead of the card BIN. To obtain the network token's details, look up either the customer's profile with cards, or a specific card. Network token details are also available on single-use profile token/single-use customer token creation.

Testing in Sandbox

Visa automatically cleans the sandbox network tokens every hour. This action leads to the immediate deletion of Paysafe's sandbox permanent tokens. Use the following testing cards with accurate CVV and expiry date.

Card Network | Card Number      | CVV          | Expiry Date
Visa         | 4895379980026288 | 343          | 12/2025
Visa         | 4895379980026387 | 219          | 12/2025
Visa         | 4895379980026486 | 234          | 12/2025
Visa         | 4895379980026585 | 048          | 12/2025
Mastercard   | 2222690420064590 | Any 3 digits | Any Future Date
Mastercard   | 2222690420064574 | Any 3 digits | Any Future Date
Mastercard   | 2222690420064582 | Any 3 digits | Any Future Date
Mastercard   | 5120350100064594 | Any 3 digits | Any Future Date
Mastercard   | 2223520127577835 | Any 3 digits | Any Future Date