> For the complete documentation index, see [llms.txt](https://docs.payments.thalescloud.io/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.payments.thalescloud.io/merchant-tokenization/visa-ctf-and-daf/overview.md).

# Overview

Visa Cloud Token Framework (CTF) adds an authentication layer on top of **Network** **Tokenization** for e-commerce transactions.

It authenticates the **end user** on the device. Visa verifies the proof of authentication. Visa then forwards indicators to the **issuer** in the authorization request.

Visa Digital Authentication Framework (DAF) is Visa's framework that uses these signals. It helps improve approval rates and reduce fraud in tokenized CNP flows.

## How it works

CTF relies on a device-generated RSA key pair.

1. The merchant/PSP integrates Thales SDK in the merchant application.
2. The SDK generates an RSA key pair on the device.
3. The private key stays on the device. The public key is registered with **VTS**.
4. A device binding links the device to the token on the server side.
5. During a transaction, the end user authenticates on the device (for example, biometrics).
6. The device uses the private key to sign a Visa-defined payload.
7. The signed payload is exchanged with VTS to obtain a transaction cryptogram.

{% hint style="info" %}
Browsers are not supported. CTF requires device key storage and device authentication.
{% endhint %}

## End-user experience

Device binding runs once per device and token. It runs before the first authenticated transaction.

### Prerequisites

1. The card is already tokenized.
2. The end user has configured a device unlock method (for example, biometrics).

<figure><img src="/files/gcIMT8suSFyxMWCbZtiD" alt=""><figcaption><p>First-time device binding to link the device and the token.</p></figcaption></figure>

After binding, the end user authenticates on the device during each transaction.

{% hint style="warning" %}
The CTF private key is protected by the device unlock mechanism.

Device unlock authentication (Android/iOS) is separate from any authentication implemented in the merchant application.
{% endhint %}

### Assets and parameters

CTF introduces a few Visa-specific identifiers and device assets.

#### `deviceId`

24-character identifier for the device being bound to a token.

Thales SDK generates and manages it.

#### `vProvisionedTokenId`

Visa-specific identifier for a cloud token.

Do not confuse it with `tokenId`. Both identify the same token. Only `vProvisionedTokenId` is accepted by CTF flows.

Thales backend returns `vProvisionedTokenId` in:

* Create token response
* Notify token creation request
* Get token response

#### CTF RSA key pair

Generated once and stored on the device.

* The public key is registered with VTS.
* The private key signs Visa-defined payloads during binding and transactions.

Thales SDK manages key generation and storage.

#### OTP

During device binding, the issuer can require **step-up authentication**.

When the selected method is One-time Password (OTP), your merchant application collects the OTP and passes it to Thales SDK.

#### Binding state

A binding represents a link between a device and a token.

* A binding state is `ACTIVE` or `DELETED`.
* Multiple tokens can be bound to the same device.


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.payments.thalescloud.io/merchant-tokenization/visa-ctf-and-daf/overview.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.