Enroll as a Token Requestor with Visa (VTS) or Mastercard (MDES) through your payment processor or directly; receive a Token Requestor ID (TRID)
When storing a card, call the tokenization API with the PAN, expiry, and consumer device/wallet context; receive a network token (same format as a PAN) and a corresponding DPAN/token expiry
Store the network token and token cryptogram generator (or use your processor's vault which handles this); never store the raw PAN after tokenization
At transaction time, generate a fresh transaction-specific cryptogram (TAVV for Visa, DSRP cryptogram for Mastercard) using the token and transaction data; submit the token + cryptogram to your acquirer instead of the PAN
Handle token lifecycle events: token status updates (suspended, deleted), PAN-to-token notification when the issuer re-issues the card — network tokens auto-update, so the stored token remains valid even after physical card replacement
For card-not-present web payments, use the token with 3DS2 authentication using the token rather than the PAN to maintain tokenized authentication continuity
Known gotchas
Network tokens are not universally accepted at all acquirers and processors; verify your processor supports token-based authorization before building the full flow — some still require PAN fallback paths
The cryptogram is single-use and time-bound; generating it too far in advance of the transaction will cause an invalid cryptogram decline at authorization
Token provisioning for a new card can take seconds to minutes depending on the issuer's participation level; do not assume the token is immediately usable in a synchronous checkout flow
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp