Presentation of the service
Payment by token file exchange
The payment by token file exchange service allows merchant websites to carry out debit transactions with the bank cards of their subscribing customers.
The service makes it possible to carry out these operations in the form of “batch processing”: the merchant site sends a series of orders to the payment gateway in the form of files.
The merchant website uploads the files to the file server provided by the payment gateway.
The payment gateway processes these orders and, in turn, generates response files.
The merchant website then retrieves the response files and analyzes the contents to update its information system.
This service relies on the payment by token management service described below.
Under PSD2, each transaction initiated by the merchant without the presence of the buyer (MIT) must be associated with an initial CIT transaction during which the cardholder authenticated themselves.
This “chaining” principle is made possible thanks to a reference generated by the issuer, after authentication, and then transmitted in the authorization request of an MIT operation.
The payment gateway uses this reference for each MIT transaction requested by the merchant via the file exchange service.
Without this reference, the issuer can reject the transaction due to lack of authentication (soft decline).
Before requesting the creation of a transaction via the file exchange service, you must make sure that the token to be debited has been authenticated by the holder.
The use of the createTokenFromTransaction REST service or the “Create token from transaction” function of the Merchant Back Office is therefore no longer compliant.
Management of payments by token
The payment by token management service allows merchants to offer their buyers the possibility of associating a token with a payment method, which facilitates their subsequent payments on the website (no need to re-enter the credit card number or the IBAN).
Tokens allow you to:
- Make fast and secure payments.
  The buyer no longer has to fill in bank details when making subsequent payments (1-click payment).
  The gateway stores the bank details in a highly secure environment, in accordance with the PCI DSS requirements. Only the token is transferred during the exchange.
- Make recurring payments (subscriptions).
- Identify cards that are due to expire, in order to notify the Merchant via a file containing the token of the expiring card.
- Update the bank details associated with a token via the payment page, or manually via the Merchant Back Office.
- Automatically detect if the payment method has expired and offer an update in case of payment by token.
- When creating a token, detect if the payment method has been previously registered.
- Manage other buyer detail updates.
In compliance with the banking data security and protection rules implemented by PCI DSS, the payment method details are destroyed after the associated token has not been used for 15 months.
The token will remain visible in the Merchant Back Office and can be updated with new details.
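A merchant-side check run before building a batch file, combining the two rules above (the token must stem from a cardholder-authenticated transaction, and payment method details are destroyed after 15 months without use). This is an added example, not part of the gateway's documentation; the record fields, the `authenticated_cit` label and the sample tokens are assumptions, and the gateway's actual file format is not shown.

```python
from dataclasses import dataclass
from datetime import date

PURGE_AFTER_MONTHS = 15  # from the page: details destroyed after 15 months unused

@dataclass
class TokenRecord:
    """Hypothetical merchant-side record; not a gateway file format."""
    token: str
    created_via: str   # assumed labels: "authenticated_cit" or "createTokenFromTransaction"
    last_used: date

def add_months(d: date, months: int) -> date:
    """Shift a date by whole months; the day is clamped to 28, which errs early."""
    idx = d.year * 12 + (d.month - 1) + months
    return date(idx // 12, idx % 12 + 1, min(d.day, 28))

def preflight(records, today):
    """Split tokens into those to include in the batch and those to hold back."""
    ready, held = [], []
    for r in records:
        if r.created_via != "authenticated_cit":
            # No initial CIT to chain to: the issuer may soft-decline the MIT.
            held.append((r.token, "no cardholder authentication to chain to"))
        elif today >= add_months(r.last_used, PURGE_AFTER_MONTHS):
            held.append((r.token, "unused for 15 months, details may be destroyed"))
        else:
            ready.append(r.token)
    return ready, held

# Constructed sample data for illustration only.
SAMPLE = [
    TokenRecord("tok-A", "authenticated_cit", date(2025, 1, 10)),
    TokenRecord("tok-B", "createTokenFromTransaction", date(2025, 5, 1)),
    TokenRecord("tok-C", "authenticated_cit", date(2024, 2, 15)),
    TokenRecord("tok-D", "authenticated_cit", date(2024, 3, 20)),
]

if __name__ == "__main__":
    ready, held = preflight(SAMPLE, date(2025, 6, 1))
    print("include in batch:", ready)
    for token, reason in held:
        print("hold back:", token, "-", reason)
```

Held tokens need the buyer to authenticate again or update the payment method before they are debited by file.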