Payments with Network Tokens

This feature is not available for all accounts by default. Reach out to your Hellgate® support representative to learn more about network tokens and how to make use of them.

What are Network Tokens?

Network tokens serve as symbolic replacements for payment credentials. They replace PANs (Primary Account Numbers) and other sensitive card data with a unique string (non-sensitive data) in all parts of the payment flow. They are used to authenticate transactions and are unique to the card, the merchant and the transaction.

Network Tokens are generated by card schemes like Visa or Mastercard in real-time as customers use their cards. In this way, security is enhanced by preventing the exposure of cardholder information to third parties.

Hellgate® provides merchants with a cohesive strategy for network tokenization, simplifying the process of token creation, utilization, and management.

With network tokenization, merchants have several advantages:

  • Reduced fraud rates
  • Increased authorization rates
  • Lower interchange fees
  • Tokens can be used for multiple PSPs

Hellgate® tokens and Network tokens

Hellgate® tokens can be enriched with network tokens from the card schemes. Once a card payment method has been tokenized, and if the network tokens feature is enabled for your account, Hellgate® requests a network token from the card scheme and associates it with the Hellgate® token. If this operation is successful, the network token status is updated to active.

To use a network token for payment authorization, a cryptogram must first be requested. The cryptogram is created and used during the payment request as proof of token validation for card transactions requiring authorization. It helps to authenticate the transaction and ensure its integrity.

The sequence diagram below demonstrates how the process works to use network tokens and request a cryptogram.

[Sequence diagram: Hellgate Token Use-Case]

Credentials on File Payment

Exemplary Use

Step 1: Request a cryptogram

Hellgate® allows you to create these cryptograms using a previously imported token.

curl \
  --request POST \
  --url 'https://api.hellgate.io/tokens/{id}/payment-data' \
  --header 'content-type: application/json' \
  --data '
{
  "amount": 10000,
  "currency_code": "EUR",
  "merchant_id": "afb55b3a-9997-4ddf-8026-a178fd8573cc",
  "reference": "1234567890"
}'

Step 2: Decrypt the authentication data

Hellgate® processes the request and returns the encrypted authentication data. This encrypted authentication data contains the network token and the cryptogram. For more information, please refer to our API documentation.

The network token is used to authenticate the transaction, and the cryptogram is used to validate the network token.

To decrypt the payload, follow these steps:

  • Use the encryption_key that was generated when the merchant was created
  • Use the encrypted_authentication_data string, which you receive in the response to the cryptogram request

Below is an example of how to perform decryption in Elixir. However, this can also be accomplished using your preferred programming language.

merchant_key = "e4xeJFoL+8kQWrSwCyJLnC56WkGz8aGIE8uEoQJGYDs"
encrypted_authentication_data = "eyJhbGciOiJBMjU2R0NNS1ciLCJlbmMiOiJBMjU2R0NNIiwiaXYiOiJpR2ZsaXRMajJxLXpaMkdHIiwidGFnIjoia1c2bWRTQkJJcHBLMWwzQW93ZFBFUSJ9.ICv_3s0ux8D1Db2YTzfQ-AvW_zXBSeWiE9vnzeYwW0I.ybwd1PzSn05XvQPP.DUJIBkgWN4xp1UsQNqbeSVBckZwG4fNL6ykn35JcITGqe0VR9ibzfph7yHn4cufxPVTogTq72Y1fPNGhCMdWrutWYRsGiSL5mdXEwzQ_s22eaikP0fzD_RI7dK5D7qxNrYa8YUy1eCLJjpSE0zgnV-o000lSjnjEo5PE9FpnGRdb4FYLLA7L9GY.HX41GbBtkPO7z6Age09H-Q"

# The 256-bit decryption key is the SHA-256 hash of the merchant key string
jwk = :sha256 |> :crypto.hash(merchant_key) |> JOSE.JWK.from_oct()
# block_decrypt returns {plaintext, jwe}; take the plaintext and parse it as JSON
jwk |> JOSE.JWE.block_decrypt(encrypted_authentication_data) |> elem(0) |> Jason.decode!()

The decrypted payload is in JSON format. Decoded into an Elixir map by the snippet above, it appears as follows:

%{
  "cryptogram" => "AwAAAAkA+1rBeAMAnkbHgpAAAAA=",
  "eci" => "07",
  "network_token" => %{
    "expiry_month" => 3,
    "expiry_year" => 2030,
    "token" => "4895370017908176"
  }
}
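The same decryption spelled out step by step in Node.js with only the built-in crypto module, as an added example that is not Hellgate's code. The algorithms (A256GCMKW key wrapping, A256GCM content encryption) are read from the protected header of the sample JWE above and the key derivation mirrors the Elixir snippet; the function names and the sample payload are constructed for illustration.

```javascript
// Added example, not Hellgate code: decrypt a compact JWE (alg=A256GCMKW, enc=A256GCM).
const nodeCrypto = require('crypto');
const b64u = (s) => Buffer.from(s, 'base64url');
// Same derivation as the Elixir snippet: SHA-256 over the merchant key string.
const deriveKey = (merchantKey) =>
  nodeCrypto.createHash('sha256').update(merchantKey, 'utf8').digest();

function gcmOpen(key, iv, ciphertext, tag, aad) {
  if (iv.length !== 12 || tag.length !== 16) throw new Error('bad iv or tag length');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  if (aad) d.setAAD(aad);
  return Buffer.concat([d.update(ciphertext), d.final()]); // final() throws on a bad tag
}

function decryptAuthenticationData(merchantKey, jwe) {
  const parts = jwe.split('.');
  if (parts.length !== 5) throw new Error('not a compact JWE');
  const [hdrB64, wrappedKey, iv, ciphertext, tag] = parts;
  const hdr = JSON.parse(b64u(hdrB64).toString('utf8'));
  // Pin the algorithms rather than accepting whatever the header announces.
  if (hdr.alg !== 'A256GCMKW' || hdr.enc !== 'A256GCM') throw new Error('unexpected alg/enc');
  // A256GCMKW: the content key (CEK) is AES-GCM encrypted; its iv and tag are in the header.
  const cek = gcmOpen(deriveKey(merchantKey), b64u(hdr.iv), b64u(wrappedKey), b64u(hdr.tag));
  if (cek.length !== 32) throw new Error('bad CEK length');
  // The AAD for the content is the protected header exactly as transmitted.
  const aad = Buffer.from(hdrB64, 'ascii');
  return JSON.parse(gcmOpen(cek, b64u(iv), b64u(ciphertext), b64u(tag), aad).toString('utf8'));
}

// Constructed sample input: seal a payload the same way so the example runs offline.
function gcmSeal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  if (aad) c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function buildSampleJwe(merchantKey, payload) {
  const cek = nodeCrypto.randomBytes(32);
  const w = gcmSeal(deriveKey(merchantKey), cek);
  const hdrB64 = Buffer.from(JSON.stringify({ alg: 'A256GCMKW', enc: 'A256GCM',
    iv: w.iv.toString('base64url'), tag: w.tag.toString('base64url') })).toString('base64url');
  const c = gcmSeal(cek, Buffer.from(JSON.stringify(payload)), Buffer.from(hdrB64, 'ascii'));
  return [hdrB64, ...[w.ct, c.iv, c.ct, c.tag].map((b) => b.toString('base64url'))].join('.');
}

console.log(decryptAuthenticationData('constructed-key', buildSampleJwe('constructed-key', { eci: '07' })));
```

The decrypted object holds the network token and the cryptogram, so keep it out of application logs; the `console.log` here prints constructed data only.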

Step 3: Send Payment Authorization (network token and cryptogram) to the PSP

curl 'https://api.hellgate.io/forward' \
-X 'POST' \
-H 'Content-Type: application/json' \
-H 'X-API-KEY: <HELLGATE-API-KEY>' \
-H 'X-HELLGATE-TOKEN: d7d272f7-f0e8-44c6-9459-c60e1ef279d5' \
-H 'X-DESTINATION-URL: https://checkout-test.adyen.com/v69/payments' \
-H 'X-API-KEY-ADYEN-NAME: X-API-KEY' \
-H 'X-API-KEY-ADYEN-VALUE: <ADYEN-API-KEY>' \
--data '
{
  "merchantAccount": "<adyen_merchant_account>",
  "reference": "Payment-0001",
  "amount": {
    "currency": "EUR",
    "value": 1234
  },
  "paymentMethod": {
    "type": "networkToken",
    "brand": "visa",
    "expiryMonth": "3",
    "expiryYear": "2030",
    "number": "4895370017908176"
  },
  "mpiData": {
    "directoryResponse": "Y",
    "authenticationResponse": "Y",
    "tokenAuthenticationVerificationValue": "AwAAAAkA+1rBeAMAnkbHgpAAAAA=",
    "eci": "07"
  },
  "recurringProcessingModel": "CardOnFile",
  "shopperInteraction": "Ecommerce"
}'

Supported Card Schemes

  • VISA
  • Mastercard
  • AMEX: American Express (available soon!)