Toucan by Pagos allows you to either replace or augment your current vaulting strategy to begin using network tokens in the place of primary account numbers (PAN). With Toucan, we make it easy for you to access network services directly with your own dedicated account, and control how and where you deploy network tokenization.

This guide outlines the Toucan process to make network tokenization more accessible:

  1. Authenticating with Toucan

  2. Set up webhooks to receive updates.

  3. Provisioning a token from a primary account number (PAN)

  4. Obtaining a cryptogram for transacting with the network token

  5. Suspending an active token

  6. Resuming a suspended token

  7. Getting the status of a token

  8. Requesting account data for the card underlying an existing network token

  9. Requesting updated card art for the card underlying an existing network token

  10. Deleting an existing token

Check out our Toucan Testing guide to get access to the Toucan Sandbox.

Authenticating

To ensure only authorized entities access our services, we authenticate the identity of each client that submits requests to Toucan services. Learn more in our Toucan Authentication guide.

Set Up Webhooks

Webhooks are automated notifications that push information to your designated destination when important events occur. To set up webhooks, contact your Pagos account manager and provide a webhook endpoint URL.

Toucan sends webhooks for the following events types:

  • networkTokenStatusUpdated - The status of a network token has changed. This webhook will contain:

    • Details about the token, including the token Ref ID, card brand, status (e.g. inactive, active, suspended, or deleted), and expiration date of the token (when the status is active). Keep in mind, this expiration date is the expiration date of the token, not the underlying PAN

    • The date in UTC when the event was created, written in UNIX Epoch Timestamp format

    • The reason for the event, provided the associated card brand included this detail

{
    "token_ref_id": "visa-cb9b0e653e5809db32caacc0205210ad",
    "card_network_name": "visa",
    "event_type": "networkTokenStatusUpdated",
    "date": 1661807833,
    "merchant_id": "c9a303b8-e812-4516-a0d2-cd90e56742b2"
    "status": "active",
    "expiration_date": {
      "year": "2023",
      "month": "12"
    },
    "reason": "",
    "metadata": "e2318ac9-56d2-4835-9b7a-d72369cc0e1b"
}
  • networkTokenCardUpdated - A network token has a lifecycle management (LCM) update, meaning the issuer updated details of the underlying PAN (e.g. last four digits, expiry date). This webhook will contain the token ID and card brand; you can then request the status of the impacted network token to get the full updated details.
{
    "token_ref_id": "visa-cb9b0e653e5809db32caacc0205210ad",
    "card_network_name": "visa",
    "event_type": "networkTokenCardUpdated",
    "date": 1661807833,
    "merchant_id": "c9a303b8-e812-4516-a0d2-cd90e56742b2"
    "metadata": "e2318ac9-56d2-4835-9b7a-d72369cc0e1b"
}

Provisioning a Network Token

“Provisioning a network token” refers to the step you take to convert a PAN into a network token. This is the critical step that signals to an issuer that your company is establishing a relationship with a cardholder that will persist over time. Every time you use the network token for a transaction, that context is accessible to the issuer.

Using our Toucan test values, you can test provisioning a network token on POST: /tokenize

Keep in Mind:

  • While we only require the card PAN (accountNumber) and expiration date (expirationDate) to provision a network token, we recommend also providing the card’s CVV2 value if possible, as this gives the issuer more context when authorizing the token’s creation.

  • If your tokenization request includes your own metadata value for a PAN, that same value will be returned in the response for all API calls associated with that PAN’s token.

  • The expirationDate object returned from the /tokenize response is the expiration date of the token, not the underlying PAN

Transacting With a Network Token

Before you can process a transaction with a network token, you must first fetch a cryptogram for that token. A cryptogram is an issuer-generated value for the transaction you’re processing, and is a key mechanism to the additional trust issuing banks give network tokens.

Using our Toucan test values, you can test this using the API on POST: /transact

When you sell recurring subscriptions, you aren’t required to fetch a cryptogram at this time—you can use the details of the token and the expiration date.

Suspending a Token

Token suspension is only available for Visa and American Express cards.

You can suspend an active token at any time, effectively blocking your customer’s ability to initiate transactions with you. Suspending a token is useful when you suspect fraudulent activity.

You can test the /suspend command in Sandbox using our Toucan test values, but note that the status will not persist for the given token.

Resuming a Suspended Token

Resuming of a suspended token is only available for Visa and American Express cards.

You can resume a suspended token using /resume. This returns the token from a status of Suspended to Active.

Note that because the status doesn’t persist after you suspend a token in the Toucan Sandbox, you won’t have any suspended tokens to resume. That being said, you can still test the call using our test values, and the response will always return a status of active.

Getting the Status of a Network Token

Once you’ve provisioned a network token there will be instances when you will want to check the token status and basic token information, such as network, last 4 digits of the token, or expiration date of the token.

There are three possible statuses that a network token can be in:

  1. Active - the token is active and can be used to transact with

  2. Suspended - the token is temporarily suspended by the merchant

  3. Deleted - the token has been deleted by the merchant

Using our Toucan test values, you can test this using the API on GET: /status

Requesting Account Data

You can request account data for the card underlying an existing network token at any time. The response will include information you can share with the customer to help them identify the exact card saved on file and tokenized with your business (e.g. last four digits of the PAN, expiry date of the PAN, etc.). The response can include an assets array, indicating the card has card art you can request the file for.

Using our Toucan test values, you can test this using the API on GET: /account

Requesting Card Art

Card art is only avilable for Visa and Mastercard.

If the assets section of the /account response is populated, you can make a request for those assets from the /assets endpoint. For Visa cards, the response will be for the actual image data, presented as a base64 encoded string; for Mastercard cards, it will be a URL to the card image file.

Using our Toucan test values, you can test this using the API on GET: /asset

Deleting a Token

All four networks (Visa, Mastercard, Discover, and American Express) support token deletion.

You can test deleting a token permanently with /delete using our Toucan test values. Once you delete a token, you cannot resume it. To temporarily suspend a token, use [/suspend].