Tokenisation is the practice of encrypting a card number and returning a token representing the payment card to the merchant. The token can be used to process the initial transaction as well as any subsequent recurring or stored-card payments. The partially masked card number and expiry date are returned to the merchant application alongside the token. This enables the merchant and the customer to identify a card without viewing its full number. As no raw card data is stored by the merchant application, less stringent PCI compliance requirements (SAQ-A or SAQ-A-E) are likely to apply. 


Tokens can be requested as part of a payment or in a standalone API call:


1. You can request a token from APEXX in the initial payment message. This applies to both the direct (createCardTransaction) and hosted payment page (hostedPaymentPage) methods. The token can then be stored instead of the raw card data. To request a token, set the card > create_token parameter in the hosted or direct payment request to TRUE.


2. You can send a createCardToken request to convert card data into a token without processing a payment at the same time. The token can then be stored by the merchant application until it is needed for a transaction.
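
The reduced PCI scope described above only holds if the merchant application never persists a full card number. The following added example (not APEXX code) is a pre-storage guard that rejects any record containing a Luhn-valid 13 to 19 digit number; the record field names, token value and masked-number format are constructed assumptions, not the APEXX response schema.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_raw_pans(value, path="record"):
    """Recursively yield the paths of values that contain a full card number."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from find_raw_pans(item, f"{path}.{key}")
    elif isinstance(value, (list, tuple)):
        for i, item in enumerate(value):
            yield from find_raw_pans(item, f"{path}[{i}]")
    elif isinstance(value, (str, int)) and not isinstance(value, bool):
        for match in PAN_CANDIDATE.finditer(str(value)):
            if luhn_valid(re.sub(r"\D", "", match.group())):
                yield path
                break


def safe_to_store(record: dict) -> dict:
    """Return the record unchanged, or raise if it holds raw card data."""
    offending = list(find_raw_pans(record))
    if offending:
        raise ValueError(f"raw card number found in: {', '.join(offending)}")
    return record


# Constructed sample records; field names and values are hypothetical.
TOKENISED = {"token": "tok_EXAMPLE_0001", "masked_card_number": "411111XXXXXX1111",
             "expiry_month": "12", "expiry_year": "30"}
LEAKY = {"token": "tok_EXAMPLE_0001", "notes": "customer card 4111 1111 1111 1111"}
```

Call safe_to_store() on every record immediately before it is written to the database or to logs, so that a full card number copied into a free-text field is caught before it brings the application back into scope.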

