docs: clarify network token usage and PCI scope in card credentials#367
docs: clarify network token usage and PCI scope in card credentials#367jamesandersen wants to merge 3 commits intoUniversal-Commerce-Protocol:mainfrom
Conversation
Add documentation for pre-provisioned network token usage and PCI scope distinctions between FPAN and network token credential modes: - Add "Pre-Provisioned Network Tokens" section to the tokenization guide covering the BYOT path where platforms present card network tokens directly as card_number_type: "network_token" without a tokenize/detokenize round-trip - Add network token bullet to Platform PCI Scope in the overview - Update card_credential.json description to distinguish PCI scope between fpan (full PCI DSS) and network_token (reduced scope) References Universal-Commerce-Protocol#296 — split from the original card network token credential PR into a focused docs-only change per reviewer feedback.
jamesandersen
requested review from
archrao,
kmcduffie,
nicholasjameshall and
wry-ry
|
@jamesandersen At a high level I think this makes sense. At the same time, I would like to avoid setting the UCP documentation in a way that it needs to be updated if PCI guidance changes. Would you be open to adjusting the language to reference the PCI guidance and do the right thing? |
Update three locations that asserted DPANs "are not considered cardholder data by most acquirers" to instead reference current PCI DSS guidance, avoiding scope claims that could go stale if PCI SSC updates requirements.
|
@kmcduffie Good call — I was trying to find phrasing that didn't imply network tokens were not in scope of PCI DSS, but referring to the spec itself with guidance to consult it is a better path. Updated all three places where I made scope assertions (overview, tokenization guide, card_credential.json description) to point to current PCI DSS guidance instead. Pushing now. |
kmcduffie
left a comment
kmcduffie
left a comment
There was a problem hiding this comment.
Sorry for some of the outdated comments, I couldn't figure out how to delete the no longer relevant ones.
| - Using PSP tokenization payment handlers where raw credentials never pass | ||
| through the platform | ||
| - Presenting pre-provisioned card network tokens | ||
| (`card_number_type: "network_token"`) — DPANs with cryptograms are not |
There was a problem hiding this comment.
What do you think of having this cover both DPANs and CPANs?
| "$id": "https://ucp.dev/schemas/shopping/types/card_credential.json", | ||
| "title": "Card Credential", | ||
| "description": "A card credential containing sensitive payment card details including raw Primary Account Numbers (PANs). This credential type MUST NOT be used for checkout, only with payment handlers that tokenize or encrypt credentials. CRITICAL: Both parties handling CardCredential (sender and receiver) MUST be PCI DSS compliant. Transmission MUST use HTTPS/TLS with strong cipher suites.", | ||
| "description": "A card credential containing payment card details. When card_number_type is 'fpan', this contains a raw Primary Account Number (PAN) — both parties MUST be PCI DSS compliant. When card_number_type is 'network_token', this contains a Device PAN (DPAN) with cryptogram and ECI, which operates under reduced PCI scope as DPANs are not considered cardholder data by most acquirers. FPAN credentials MUST NOT be used directly for checkout — use payment handlers that tokenize or encrypt credentials. Transmission MUST use HTTPS/TLS with strong cipher suites.", |
There was a problem hiding this comment.
There is a situation where the card_number_type is fpan, but can be exchanged in a secure flow outside of UCP, where what is passed from the payment handler is effectively a foreign key to that value that was previously exchanged, or a reference to something that can be retrieved.
| ### Pre-Provisioned Network Tokens | ||
|
|
||
| Not all credential flows require a tokenize/detokenize round-trip. When a | ||
| platform already holds a **card network token** (provisioned via Visa VTS, |
There was a problem hiding this comment.
Given the new APIs networks are standing up, what do you think of dropping the API names and having the documentation simply reference Visa / MC?
There was a problem hiding this comment.
nit: I would drop any concern about who provisioned it here to stay bias-free in the protocol documentation 😄
There was a problem hiding this comment.
Agreed — dropped the VTS/MDES references.
|
|
||
| ```json | ||
| { | ||
| "type": "card", |
There was a problem hiding this comment.
There is also a flow where this obj, even when DPAN / CPAN, could still be wrapped in a payment_handler wrapper. It wouldn't require a de-tokenization call to an out of band API, but would make the object opaque to any intermediate parties.
Can you update the language to be open to that setup as well? I would expect the object definition of the card credential would specify what the object contains.
There was a problem hiding this comment.
Aligned and truthfully I think thats what would fit the current state of UCP!
There was a problem hiding this comment.
Yep - language is updated to note a payment handler is needed for negotiation. This should leave the door open for handlers that also that wrap credentials for intermediary opacity.
I'm interested to discuss/learn more about pros/cons of wrapping vs. directly passing network tokens (which the schema seems to allow on a complete checkout call) BUT also interested in getting this PR over the finish line before diving into that further ;-)
| - Using PSP tokenization payment handlers where raw credentials never pass | ||
| through the platform | ||
| - Presenting pre-provisioned card network tokens | ||
| (`card_number_type: "network_token"`) — DPANs with cryptograms may |
There was a problem hiding this comment.
With CPANs, not all cryptograms will be device bound. What do you think of updating the comments to be more broadly around cryptograms?
There was a problem hiding this comment.
Good call — updated the language to say "network tokens with cryptograms" rather than "DPANs with cryptograms," so it covers both DPANs and CPANs without assuming device-binding.
raginpirate
left a comment
raginpirate
left a comment
There was a problem hiding this comment.
Really appreciate you working on this @jamesandersen! I'm definitely enjoying the discourse as we find the right place to fit network tokens into UCP 😄
| ### Pre-Provisioned Network Tokens | ||
|
|
||
| Not all credential flows require a tokenize/detokenize round-trip. When a | ||
| platform already holds a **card network token** (provisioned via Visa VTS, |
There was a problem hiding this comment.
nit: I would drop any concern about who provisioned it here to stay bias-free in the protocol documentation 😄
| the tokenization handler lifecycle entirely — the credential is ready for | ||
| checkout as-is. |
There was a problem hiding this comment.
Hmm thats interesting: to make this work mechanically, we would require a base dev.ucp.network_token payment handler to allow proper negotiation of direct network token support at checkout + advertising constraints.
Until we decide to deliver something like that (and have a volunteer business & platform adopters), this statement is not necessarily true.
There was a problem hiding this comment.
You're right — I've updated the language to cover a payment handler requirement for capability negotiation. The specific handler definition (while perhaps the spirit of what I was after with #296 - but didn't quite nail) is something we tackle in the future. Hopefully you'll find the docs here framing that up correctly now though.
| Mastercard MDES, or similar), it can present the token directly as a | ||
| `card_credential` with `card_number_type: "network_token"`. This bypasses |
There was a problem hiding this comment.
Hmmmm... From a business perspective nothing happened involving them, but from a platform perspective they still need to generate a cryptogram, which to me is a form of tokenization process that a handler can/should describe in the ecosystem 😄
There was a problem hiding this comment.
Yeah, I'm with you on the need for a handler through which the platform and business can "agree" on use of a network token.
|
|
||
| ```json | ||
| { | ||
| "type": "card", |
There was a problem hiding this comment.
Aligned and truthfully I think thats what would fit the current state of UCP!
| Tokenization handlers accept source credentials (e.g., card with FPAN) and | ||
| produce checkout credentials (e.g., tokens). | ||
|
|
||
| ### Pre-Provisioned Network Tokens |
There was a problem hiding this comment.
Just a note that this document, although it uses card as an example, does not actually get into the specifics of how one should handle card tokenization. This context is a bit jarring living here, it might be worth pivoting this to describe secure tokens and using network tokens as an example of reducing compliance risk with a secure tokenization protocol.
There was a problem hiding this comment.
Alright - I've tried to reframe the section as "Pre-Provisioned Credentials," with a general pattern of credentials acquired in advance that don't require a per-transaction tokenize/detokenize round-trip. Network tokens are a concrete example of this pattern (though details of provisioning / submitting for payment are outside the scope of this doc) rather than the sole focus. WDYT?
Reframe pre-provisioned network tokens as a general credential pattern: - Rename section to "Pre-Provisioned Credentials" - Drop DPAN qualifier and VTS/MDES API references - Clarify payment handler is required for capability negotiation - Use network tokens as concrete example, not sole focus
jamesandersen
force-pushed
the
docs/network-token-usage
branch
from
4da321b to
ab9db85
Compare
jamesandersen
left a comment
jamesandersen
left a comment
There was a problem hiding this comment.
Thanks @kmcduffie and @raginpirate for sticking with this PR - good feedback throughout and hopefully we're getting close with this latest round of updates ;-)
| - Using PSP tokenization payment handlers where raw credentials never pass | ||
| through the platform | ||
| - Presenting pre-provisioned card network tokens | ||
| (`card_number_type: "network_token"`) — DPANs with cryptograms may |
There was a problem hiding this comment.
Good call — updated the language to say "network tokens with cryptograms" rather than "DPANs with cryptograms," so it covers both DPANs and CPANs without assuming device-binding.
| ### Pre-Provisioned Network Tokens | ||
|
|
||
| Not all credential flows require a tokenize/detokenize round-trip. When a | ||
| platform already holds a **card network token** (provisioned via Visa VTS, |
There was a problem hiding this comment.
Agreed — dropped the VTS/MDES references.
| Tokenization handlers accept source credentials (e.g., card with FPAN) and | ||
| produce checkout credentials (e.g., tokens). | ||
|
|
||
| ### Pre-Provisioned Network Tokens |
There was a problem hiding this comment.
Alright - I've tried to reframe the section as "Pre-Provisioned Credentials," with a general pattern of credentials acquired in advance that don't require a per-transaction tokenize/detokenize round-trip. Network tokens are a concrete example of this pattern (though details of provisioning / submitting for payment are outside the scope of this doc) rather than the sole focus. WDYT?
| Mastercard MDES, or similar), it can present the token directly as a | ||
| `card_credential` with `card_number_type: "network_token"`. This bypasses |
There was a problem hiding this comment.
Yeah, I'm with you on the need for a handler through which the platform and business can "agree" on use of a network token.
| the tokenization handler lifecycle entirely — the credential is ready for | ||
| checkout as-is. |
There was a problem hiding this comment.
You're right — I've updated the language to cover a payment handler requirement for capability negotiation. The specific handler definition (while perhaps the spirit of what I was after with #296 - but didn't quite nail) is something we tackle in the future. Hopefully you'll find the docs here framing that up correctly now though.
|
|
||
| ```json | ||
| { | ||
| "type": "card", |
There was a problem hiding this comment.
Yep - language is updated to note a payment handler is needed for negotiation. This should leave the door open for handlers that also that wrap credentials for intermediary opacity.
I'm interested to discuss/learn more about pros/cons of wrapping vs. directly passing network tokens (which the schema seems to allow on a complete checkout call) BUT also interested in getting this PR over the finish line before diving into that further ;-)
4 participants
Summary
card_number_type: "network_token") without a tokenize/detokenize round-tripcryptogramandeci_valueSplit from #296 into a focused docs-only PR per reviewer feedback. TRID intentionally omitted per discussion in #296.
Type of change
Checklist
MDESto custom dictionary)