Tokenization
Last updated
Last updated
Tokenization significantly reduces the risk associated with handling sensitive customer card data. Instead of storing the actual card details, a unique token is generated and used for future transactions, thus enhancing the security of your payment processes. This feature is currently compatible with MasterCard, Visa, and STC Pay, with further options planned for future inclusion.
Consider tokenization as a powerful security vault where all sensitive data is replaced with a secure code, or .
Just like a vault secures precious jewels by keeping them out of sight and replacing them with a secure code, tokenization replaces sensitive card data with unique identifiers, protecting it from prying eyes. This process is paramount for securing payments, offering merchants the luxury of securely processing transactions without having to be PCI DSS compliant. For more details, please check .
With Ottu, we handle this complexity, so you don’t have to! To activate tokenization or for any inquiries, KSA merchants can reach us at .
Ottu provides two distinct methods for merchants to add a new card to a customer's profile, catering to different scenarios and requirements. These methods are:
Adding a New Card Without Payment: This approach is designed for situations where you want to store a customer's card details for future transactions without charging them at the moment of addition. It's especially useful for streamlining the checkout process for repeat customers, enhancing the user experience by removing the need to enter card details for every purchase. Please check for mroe details.
Adding a New Card With Payment: Conversely, this method allows merchants to add a customer's card details to their profile while simultaneously processing a payment. This is suitable for instances where immediate payment is required, but the customer also prefers to save their card details for future convenience. Please check for more information.
It offers a streamlined way for merchants to securely add a new card to a specific customer's profile without conducting an actual payment transaction. This capability is particularly useful for creating a more efficient and user-friendly payment process, allowing for the future use of saved card details without requiring customers to re-enter their information for every transaction.
To successfully tokenize a card, merchants must adhere to the following requirements when sending a request to the Ottu Checkout API
:
Payment Type: The parameter in the request payload must be set to save_card
. This indicates that the transaction is for the purpose of saving the card information.
Amount: The should be explicitly set to 0
. Setting amount
to any other value will lead to an API error, as the intention is to tokenize the card, not process a payment.
Customer ID: Merchants must provide the parameter.
Webhook URL: should be provided, where the generated will be saved.
Tokenization involves a series of steps designed to securely capture and convert card details into a token
. Here is a detailed overview of the process:
Request Submission:
Payment URL Generation:
User Payment Process:
Merchant has the two options:
On the Save Card page, the customer enters his card information and completes the process by clicking the Save button.
Tokenization:
Upon the successful completion of the card information submission, Ottu proceeds to tokenize the card details.
This tokenization process ensures that merchants can securely store card details for future transactions without handling sensitive card information directly, thereby enhancing the overall security and efficiency of the payment process.
Getting started with simplifying your checkout process through tokenization is straightforward with Ottu. Here's a detailed guide to help you begin:
Request Payload Example:
On the Save Card page, the customer enters his card details and proceeds to save them.
It empowers merchants a seamless way not only to process transactions but also to securely save customer card details for future use.
This method is especially valuable for encouraging repeat business, as it simplifies future transactions by eliminating the need for customers to re-enter their card details.
To ensure the successful tokenization of a card, merchants are required to adhere to the following requirements:
Save Card: Ensure the Save Card option is enabled and selected by the customer during his initial payment to facilitate token creation.
Customer ID: For subsequent payments utilizing the same token, the same customer_id
associated with that token must be provided each time it is used.
Successful Payment: The customer must complete a successful payment.
This guide outlines the steps for initiating payment sessions and securely saving customer card details, focusing on efficiency and security.
Enable the Save Card Option:
CVV Requirements: The necessity for Card Verification Value (CVV) may differ based on the Payment Gateway configuration. Adjustments can be made by reaching out to technical support.
Save the Card: When customer elects to save his card details, the information is tokenized and securely stored upon payment completed successfuly, enabling easier transactions in the future.
Utilize Saved Cards:
In future transactions with the same customer_id
, the system automatically showcases all associated cards, simplifying payment method selection. Security is prioritized by displaying only the last four card digits, with CVV requirements determined by the acquiring bank's policies.
Navigate Payment Challenges:
The Checkout SDK
is adept at handling various payment processing challenges, such as 3D Secure and One-Time Password (OTP) verifications, ensuring a smooth transaction experience for merchants and customers alike.
By adhering to these streamlined steps, merchants are equipped to offer a superior and secure payment experience, fostering customer loyalty and encouraging repeat business through the ease of saved payment details.
Simplifying your checkout process with tokenization is easy with Ottu. Here’s a step-by-step guide on how to get started:
To save a card, the customer selects the desired payment method for both the current purchase and future transactions. The customer will then be redirected to the Payment page, where he must enter his card details and opt to Save Card. Upon completing a successful payment, the card details will be stored, and a token will be linked to the customer_id."
By following these steps, you can easily streamline your payment process, ensuring that customers have a seamless checkout experience. As mentioned, we’ll be providing visual aids between each step to further guide you in implementing this feature. Remember, at Ottu, we are always here to assist you in navigating the complexities of online transactions, so don’t hesitate to reach out if you need any help.
Once you receive the tokenized card information in the webhook payload, you can use this token to process future transactions without needing to store sensitive card details. To do this, store the token securely in your system and reference it in subsequent payment requests as the payment method. This approach not only simplifies transaction processing but also enhances security by minimizing the exposure of sensitive card information.
Absolutely. Tokenization replaces sensitive card details with a unique token, reducing the risk of card information exposure and enhancing payment security.
Yes, one of the major benefits of tokenization is that it allows you to securely process transactions without needing to be PCI DSS compliant. Ottu handles the complexities of compliance for you.
You can add a new card using two methods:
Yes, storing tokenized card details is safe and compliant without PCI DSS compliance. Tokens are secure substitutes for sensitive card information, specifically designed to reduce security risks. When Ottu tokenizes a card, it replaces the card's Primary Account Number (PAN) with a unique identifier or token. This token can be safely stored in your database because it cannot be used outside of the secure payment environment set up by Ottu.
Token: A unique identifier for the card.
Brand: The card brand (e.g., Visa, MasterCard).
Expiry Year: The year the card expires.
Name on Card: The name of the cardholder as it appears on the card.
PG Code: Payment Gateway code indicating the processing network.
When a tokenized card expires, transactions using that token will not be processed. Merchants can set up notifications for upcoming card expirations to prompt customers to update their card details, ensuring uninterrupted service
In addition, for the tokenization process to be initiated correctly, all other required parameters for the Ottu must be provided, including currency_code
, type
, and pg_codes
.
Merchant initiates the tokenization process by sending a request to the Ottu Checkout API
. This request must specify the customer_id,
payment_type
as save_card
, amount
as 0
, and any other required parameters. Please refer to the section for detailed information on the required Checkout API
parameters.
Upon receiving the tokenization request, Ottu generates a .
Redirect to the Checkout Page: Using the to redirect the customer to the page. There, the customer can be redirected to the page by clicking the Pay button, even though no actual payment is processed at this step.
Redirect to the Save Card Page: If a is provided, the customer can be directly redirected to the page.
The tokenized card details are then securely transmitted back to the merchant's system as part of the sent by Ottu. Merchants can locate the tokenized card information in the field of the webhook payload.
Create a payment link through the , ensuring to include the parameter. Additionally, verify that the you are using supports tokenization.
Share the generated with the customer. The customer can then click on the Pay button to proceed to the page.
After successfully submitting card information, Ottu tokenizes the details and securely sends them to the merchant via a , where the tokenized information is found in the field.
By leveraging the , a is created, associated with a and Merchant Identification Number that supports tokenization, thus enhancing the customer experience by providing an option to details during the payment process. This can be further streamlined by using the . It's important to note that the Card Verification Value (CVV) may be required, depending on your Payment Gateway's configuration; this setting can be adjusted by contacting our technical support team.
Payment Link: Generate a by utilizing the , ensuring all necessary parameters for the Checkout API
are included, along with the parameter.
Payment Gateway: Use a that supports tokenization.
Initiate the Payment Session: Begin by initiating a payment session through the , generating a session identified by and associated with . Ensure this session connects to a Merchant Identification Number ( that supports tokenization, allowing for the secure storage of customer card information for later use.
Utilize the or manage payments via the to enable a Save Card option, offering customers the ability to securely store their payment card information for future transactions. Key Notes:
Choosing Between Checkout SDK and API: The Checkout SDK
is preferred for its user-friendly UI implementation and essential support for specific payment methods like and . Your choice should align with your specific operational needs.
The first step involves creating a payment link via the . Make sure to include the parameter, and the you’re using is enabled for tokenization. Request Example:
After generaing the , the merchant should shareit with the customer, who then accesses the Checkout page via this link. Here, the displays all available payment methods, such as [mpgs
, credit-card
, stc-pay
].
For subsequent transactions, repeat the same API call as in using the same and . When reaching the Checkout page again, the previously saved card will be available as a new payment method. The customer can simply click on it to process the payment immediately.
Tokenization is supported by specific payment gateways. If your current gateway doesn't support it, please reach out to our support team at for the latest information and possible alternatives.
Customers can request the removal of their saved cards at any point. For detailed steps on managing this process, please refer to the and sections of our documentation.
Yes, tokenization is an ideal feature for setting up recurring payments. Please refer to our documentation section for more details.
Without Making a Payment: Add a customer's card details directly without the need to process a payment. For more details, please click .
During a Payment Transaction: Save the customer's card details while processing an actual payment. For further information, please click .
Absolutely. With Ottu, you don’t have to worry about PCI DSS compliance. Our platform securely handles all the sensitive data and never exposes this information to the merchant. This means you can safely implement the feature.
This process significantly minimizes the risk of data breaches because the tokens themselves are not valuable to attackers without access to the decryption mechanism, which is securely managed by Ottu. Additionally, since these tokens do not carry the card's actual details, they fall outside the scope of PCI DSS requirements for data protection, making it easier for merchants to securely process payments while adhering to compliance standards. Please, check out this for a deeper dive.
The optimal time to save the card token in your database is immediately after the first payment against the subscription that you plan to . While it’s not strictly necessary—you can always fetch this information through the API and Payment Methods APIs—it does streamline your processes and reduce development complexity.
No, it’s not mandatory to use the . You can control the payment process using the responses from the . However, it’s worth noting that the Checkout SDK
simplifies the UI implementation and is necessary for certain payment methods such as Apple Pay
, Google Pay
, STC Pay
, and others. While it’s recommended to use the Checkout SDK
for its simplicity and comprehensive features, the choice ultimately lies in your hands based on your specific needs.
Yes, you can retrieve a list of a customer's saved cards utilizing the . This powerful API provides merchants secure access to essential saved card information,such as:
For comprehensive instructions on how to implement this API, including request and response parameters, please consult our detailed documentation .