A token requestor (merchant, PSP, or wallet) must be registered with Visa Token Service and assigned a Token Requestor ID (TRID) before provisioning tokens
Token provisioning begins with the token requestor submitting a token request containing the PAN, expiry, and TRID to VTS; Visa returns a DPAN (Device Primary Account Number) and expiry that replaces the PAN for transactions
Issuers participate in VTS and may require ID&V (identity and verification) steps before approving a token; the provisioning response indicates whether additional verification is needed
Each token is bound to a specific device or token requestor domain; a token provisioned for a mobile wallet cannot be used by a different requestor without re-provisioning
Token lifecycle events (suspend, resume, delete) are communicated back to the token requestor via lifecycle management APIs or webhooks; the requestor must keep its token vault synchronized
When authorizing a transaction with a VTS token, the token requestor must include the TAVV (Token Authentication Verification Value) cryptogram generated per-transaction to prove possession of the token
Known gotchas
TRID registration is a prerequisite for all VTS operations; attempting to provision without a valid TRID will result in rejection
DPAN expiry dates may differ from the underlying PAN expiry; do not assume they are the same when displaying card details to cardholders
TAVVs are single-use and time-bound; reusing a TAVV or presenting it in a different authorization amount than it was generated for will result in an authorization failure
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp