Toucan by Pagos allows you to either replace or augment your current vaulting strategy to begin using network tokens in the place of primary account numbers (PAN). With Toucan, we make it easy for you to access network services directly with your own dedicated account, and control how and where you deploy network tokenization.
This guide outlines the Toucan process to make network tokenization more accessible:
- Authenticating with Toucan
- Set up webhooks to receive updates.
- Provisioning a token from a primary account number (PAN)
- Obtaining a cryptogram for transacting with the network token
- Suspending an active token
- Resuming a suspended token
- Getting the status of a token
- Requesting account data for the card underlying an existing network token
- Requesting updated card art for the card underlying an existing network token
- Deleting an existing token
To ensure only authorized entities access our services, we authenticate the identity of each client that submits requests to Toucan services. Learn more in our Toucan Authentication guide.
Webhooks are automated notifications that push information to your designated destination when important events occur. To set up webhooks, contact your Pagos account manager and provide a webhook endpoint URL.
Toucan sends webhooks for the following events types:
- networkTokenStatusUpdated - The status of a network token's underlying PAN has changed. This webhook will contain details about the underlying PAN, including the token ID, card brand, status, and expiration date.
- networkTokenCardUpdated - A network token has a lifecycle management (LCM) update, meaning the issuer updated details of the underlying PAN (e.g. last four digits, expiry date). This webhook will contain the token ID and card brand; you can then request the status of the impacted network token to get the full updated details.
“Provisioning a network token” refers to the step you take to convert a PAN into a network token. This is the critical step that signals to an issuer that your company is establishing a relationship with a cardholder that will persist over time. Every time you use the network token for a transaction, that context is accessible to the issuer.
Keep in Mind
While we only require the card PAN (
accountNumber) and expiration date (
expirationDate) to provision a network token, we recommend also providing the card's CVV2 value if possible, as this gives the issuer more context when authorizing the token's creation.
If your tokenization request includes your own
metadatavalue for a PAN, that same value will be returned in the response for all API calls associated with that PAN's token.
Before you can process a transaction with a network token, you must first fetch a cryptogram for that token. A cryptogram is an issuer-generated value for the transaction you’re processing, and is a key mechanism to the additional trust issuing banks give network tokens.
Keep in Mind
When you sell recurring subscriptions, you aren’t required to fetch a cryptogram at this time—you can use the details of the token and the expiration date.
You can suspend an active token at any time, effectively blocking your customer’s ability to initiate transactions with you. Suspending a token is useful when you suspect fraudulent activity.
You can resume a suspended token using /resume. This returns the token from a status of Suspended to Active.
Note that because the status doesn’t persist after you suspend a token in the Toucan Sandbox, you won't have any
suspended tokens to resume. That being said, you can still test the call using our test values, and the response will always return a status of
Once you've provisioned a network token there will be instances when you will want to check the token status and basic token information, such as network, last 4 digits of the PAN, or expiration date for the underlying PAN.
There are three possible statuses that a network token can be in:
- Active - the token is active and can be used to transact with
- Suspended - the token is temporarily suspended by the merchant
- Deleted - the token has been deleted by the merchant
You can request account data for the card underlying an existing network token at any time. The response will include information you can share with the customer to help them identify the exact card saved on file and tokenized with your business (e.g. last four digits, expiry date, etc.). The response can include an
assets array, indicating the card has card art you can request the file for.
assets section of the /account response is populated, you can make a request for those assets from the /assets endpoint. The response will be the actual image data, presented as a base64 encoded string.