This section describes the integration where merchants currently use multiple payment aggregators (PAs) to process their card transactions. They also rely on an internal card vault or use an external vault service. These internal or external integrations are used to render the payment cashier pages without relying solely on PAs.
Going forward, merchants can continue the above workflows using Paytm as a token gateway (TG) to connect with all three card schemes.
Paytm as TG with multiple PAs
Tokenization request post payment completion
- The user enters the card details (card number, expiry and CVV) and gives consent to save the card for future payments on the merchant's app/website.
- You process the transaction via the payment aggregator of your choice. On successful authentication, you initiate the tokenization workflow for that particular card.
- You may call our Fetch Bin API to find out the eligibility of COF tokenization for a given card BIN. Please note that Paytm TG will communicate the COFT eligibility for a given scheme offline as well.
- Your backend will pass the Paytm MID, Customer Info, Customer Consent and the card details (Card Number, Card Expiry and CVV) to Paytm using the Tokenize Card API. It is mandated by RBI that merchants call the Tokenize Card API only after successful 2FA (OTP verification) of the card transaction with the respective PA, to ensure that explicit user consent is captured from the end user.
- You may be required to pass the authentication identifier of the successful 2FA transaction received from the Network for Token Creation. This varies from one card scheme to another. Paytm PA provides the authentication identifier received from banking gateways in the Transaction Status API and Order Webhook.
- Paytm will route the tokenization request to the respective card network and return a unique Token Index Number to you for further communication with the Token Gateway Service.
- Paytm will store the mapping of the Token Index Number with your Customer and Paytm MID.
- Paytm will notify you when the card is successfully tokenized with the card network and will pass all the Token info along with the Token Status in the Notify Token webhook response. You can save the Token Index Number and use it for subsequent card operations such as Generate Token Data, Get Token Info or Modify Token Status.
- You can also query the status of your tokenization request by calling the Fetch Token Info API with a unique provision request Id as input instead of the Token Index Number. This requestId is equal to the merchant-generated order id in the case of in-line tokenization.
Retrieving card tokens and cryptogram
- Before initiating the transaction request, the merchant needs to check whether transaction processing is supported by Paytm PG for the merchant. As of now, the merchant will keep this as a static configuration. Later we will introduce an API for the same.
- The user is shown the list of saved card tokens that can be used to complete the payment on your app or website. As per the RBI guidelines, merchants are allowed to display the last 4 digits of the card and the issuing bank name to the customer.
- The user selects a tokenized saved card on your app/website, enters the CVV and clicks Pay.
- Your backend retrieves the Token Data required to process the transaction with the Token Index Number provided by Paytm TG by calling the Generate Token Data API.
- Paytm TG forwards the Card Token Number, TAVV (Cryptogram) and Token Expiry to you in response.
Note: Tokens are as sensitive as card details, so you must ensure that they are not stored or logged in your systems. Only PCI compliant systems can store these tokens.
- You can now forward the retrieved Token Card Details to your preferred Payment Aggregator such as Paytm for payment processing.
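One way to enforce the note above in a backend that logs API responses, shown as an added example that is not Paytm's own code: a Python logging filter that masks token data before any handler writes it. Only `cardTokenInfo` is named on this page; the other field names and all sample values are hypothetical and constructed.

```python
import json
import logging
import io

# Assumption: only "cardTokenInfo" is named on this page; the keys below are
# hypothetical stand-ins for Card Token, TAVV, Token Expiry, CVV and card data.
SENSITIVE_KEYS = {"cardtoken", "tavv", "tokenexpiry", "cvv", "cardnumber", "cardexpiry"}
MASK = "[REDACTED]"

def redact(value):
    """Return a copy of value with sensitive fields masked at any nesting depth."""
    if isinstance(value, dict):
        return {k: MASK if str(k).lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [redact(v) for v in value]
    if isinstance(value, str) and value.lstrip().startswith(("{", "[")):
        try:  # JSON that an HTTP client or framework has already serialized
            return json.dumps(redact(json.loads(value)))
        except ValueError:
            return value
    return value

class TokenDataFilter(logging.Filter):
    """Masks token data in log arguments before a handler formats the record."""
    def filter(self, record):
        if isinstance(record.args, dict):  # logging unwraps a single dict argument
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) for a in record.args)
        if isinstance(record.msg, (dict, list)):
            record.msg = redact(record.msg)
        return True

def demo():
    """Log a constructed Generate Token Data style response; return the log text."""
    sample = {"tokenIndexNumber": "TIN-CONSTRUCTED-001",  # constructed values
              "cardTokenInfo": {"cardToken": "4000000000001234", "tavv": "CONSTRUCTEDTAVV==",
                                "tokenExpiry": "122030", "cvv": "123"}}
    handler = logging.StreamHandler(io.StringIO())
    handler.addFilter(TokenDataFilter())  # on the handler: covers every logger feeding it
    log = logging.getLogger("tg-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("token data response: %s", sample)
    log.info("raw body: %s", json.dumps(sample))
    return handler.stream.getvalue()

if __name__ == "__main__":
    print(demo())
```

The filter only sees values passed as log arguments or as a dict/list message; token data interpolated into a string before the logging call is not covered, so pass payloads as arguments.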
Payment processing with tokens
- Your PA raises the transaction request to one of the partner banking gateways.
- Banking gateway receives the transaction status from the issuer and returns the same to your PA.
- Your PA communicates the transaction status to you, and you communicate the same to the end customer.
Passing token details in transaction request
- The merchant needs to pass the Card Token, TAVV, Token Expiry and CVV in cardTokenInfo in the Process transaction API.
- Upon getting the request, we will validate whether transaction processing is supported on the requested token. If it is not supported, we will fail the attempted payment and provide the response.
- If transaction processing is supported, we will connect with the issuing bank via the banking gateways and card networks to process the transaction. In response, we will provide the Bank’s ACS page, to which customers can be redirected to complete the transaction process.