Tokenization decision

In a card digitization request, the issuer backend receives several data elements to review before returning a levelOfTrust decision.

Review these inputs:

Card details
Scoring information (scoringInformation)
Device information (deviceInformation)
Token requestor information (for example, xPay Wallets)

The issuer sets levelOfTrust for each request.

Decide the level of trust

requestCardDigitization is the most sensitive issuer decision point. It is where you apply your risk logic to detect fraudulent requests.

The API can include several trust signals to support this decision. Most signals depend on the card product and what the token requestor can provide. Some signals may be missing.

Use the guidance below as a baseline. Adapt it to your risk policy.

If the card product supports a CSC, start with these parameters:

cvvValidated
cardCaptureInformation.captureMethod
authenticationValue

Suggested logic (pseudo-code):

if (cvvValidated) {
  // CSC validated.
  setGreenFlag();
} else if (authenticationValue is available) {
  // If you can validate CSC via authenticationValue, treat as trusted.
  if (CSC_OK) setGreenFlag();
} else if (cardCaptureInformation.captureMethod == BANK_APP
        || cardCaptureInformation.captureMethod == ON_FILE) {
  // Card captured in the issuer application or from Card-on-file (COF).
  setGreenFlag();
} else if (cardCaptureInformation.captureMethod == CAMERA
        || cardCaptureInformation.captureMethod == MANUAL
        || cardCaptureInformation.captureMethod == UNKNOWN
        || cardCaptureInformation.captureMethod is not available) {
  // Missing or weak capture method is suspicious.
  setRedFlag();
}

As a secondary check, evaluate these objects if present:

Token requestor information (for example, token requestor ID and wallet provider ID). See Wallet provider ID mapping.
Card capture information (cardCaptureInformation)
Scoring information (scoringInformation). See Scoring information.
Device information (deviceInformation). See Device information.

Field availability depends on the token requestor.

The TSP and Thales TIG typically forward these fields as provided.

PreviousOnboarding NextScoring information

Last updated 4 months ago

Was this helpful?