Token Formats
Worldpay supports both High-Value and Low-Value tokens, designed to address specific payment processing operations. Both token types replace sensitive data, though the generated token values differ based on specific domain and transaction controls.
We generate High-Value tokens statically, replacing PANs with a consistent surrogate value each time you present the same PAN for tokenization. PCI DSS Tokenization Guidelines 2.0 (2011) defines a High-Value as a token usable as a payment instrument to perform a payment transaction. Worldpay OmniToken is an example of a High-Value token. The generation of a Worldpay OmniToken is card-based, embodying a one-to-one correlation with the PAN it replaces, and does not expire unless the PAN is no longer valid with the card issuer.
PAN to OmniToken pairing is unique to a given organization, and is channel and platform agnostic. This means the same token value persists across the entire merchant payment processing environment, but does not persist across different merchant organizations. For example, Table 1-10 shows the same PAN submitted for three different transactions. The first two transactions involve the same merchant with one transaction from a Point of Sale terminal and one Online. Since these transactions use the same PAN and come from the same merchant, they use a common Worldpay OmniToken. The third transaction, from a different merchant results in the generation of a different OmniToken even though it is the same PAN.
TABLE 1-10 OmniToken Generation for Common PAN Across different Channels and Merchants
|
Merchant |
PAN |
Worldpay OmniToken |
|---|---|---|
|
Merchant A - POS |
4418 3789 1620 3675 |
4418 3711 2222 3675 |
|
Merchant A - Online |
4418 3789 1620 3675 |
4418 3711 2222 3675 |
|
Merchant B - Online |
4418 3789 1620 3675 |
4418 3724 9587 3675 |
The OmniToken shown in the example above make use of the Informative token format, which preserves the first-6 and last-4 digits.
Generated dynamically, Low-Value tokens have a unique value for each transaction, even if you submit the same PAN for tokenization multiple times. Low-value tokens utilize additional compensating controls, such that the token applies only to specific transactions and processing environments. The Worldpay eProtect RegistrationID is an example of a Low-Value token used for initial data capture of payment card data in ecommerce and mobile environments. Worldpay eProtect RegistrationID is a transaction-based token value requested through a low-trust environment over the Internet. The token value is valid only for 24-hours, after which you can no longer use it for payment processing.
There are various attributes, including the length, format and character set, that define the structure of the card numbers and the tokens that replaces them. For example, all PAN values regardless of length, conform to the Luhn MOD10 algorithm. Worldpay supports several token format options to meet your implementation needs. These token formats, while always using the same character set as PANs, range from a completely random, fixed-length number to a format preserving token that reuses the first-6 and last-four digits of the PAN. In addition, with the exception of the legacy eComm token version, each token format is available in either a MOD10 or a MOD10+1 format. The MOD10+1 format allows you to more easily distinguish a real PAN from a token.
The Worldpay eComm Legacy token is only available in a MOD10+1 conforming format.
The table below provides information about the various OmniToken formats available for credit cards. Since you cannot intermix token formats within a Token Group and your entire organization may be a single Token Group, you should carefully select the format that best meets your needs. When selecting a format, you should consider if you need access to the IIN (Issuer Identification Number; formerly known as BIN), as well as whether you need the last-four digits of the PAN.
TABLE 1-11 High-Value Credit Card Tokens
|
Name
|
Format-Preserved Digits |
MOD10 Option
|
||
|---|---|---|---|---|
|
First-Six (IIN) |
Middle |
Last Four |
||
|
Informative A1 |
6 |
Random |
4 |
MOD10+1 |
|
Informative A |
6 |
Random |
4 |
MOD10 |
|
Last 4 Preserved 1 |
Random |
Random |
4 |
MOD10+1 |
|
Last 4 Preserved |
Random |
Random |
4 |
MOD10 |
|
Complete Random 1 |
Random |
Random |
Random |
MOD10+1 |
|
Complete Random |
Random |
Random |
Random |
MOD10 |
|
Minimum 16A 1 |
6 |
Random |
4 |
MOD10+1 |
|
Minimum 16A |
6 |
Random |
4 |
MOD10 |
|
Existing Worldpay eComm Merchants 1 |
Random* |
Random |
4 |
MOD10+1 |
* First-six returned in the <bin> element of the response message
TABLE 1-12 Low-Value Tokens
|
Format Code |
Name |
Format-Preserved Digits |
MOD10 Option |
|---|---|---|---|
|
N/A |
RegistrationID |
None |
MOD10+1 |
|
N/A |
Checkout Id |
None |
MOD10+1 |