Skip to main content
🚧 Work in progress. This documentation section is being actively developed. 🚧

Tokenization Zift

Tokenization allows you to convert a card number or bank account number into a PCI compliant token. As a Level I PCI Compliant platform we store the actual card or bank account number giving you the ability to reference it with a token for future processing. You can use the concepts and tools described below to help reduce your exposure to sensitive data and PCI scope.

Create a Token​

The tokenization request allows you to submit a card number or bank account directly to our servers for secure storage. We will return a token which can be used to reference the card or bank account for future API calls.

By default we tokenize all credit card and bank account data sent to our servers. This allows you to easily save payment methods for your customers. The tokenization request can be used as a standalone operation for tokenization only. The tokenization call is typically used to help your customers manage the payment methods (cards on file) in your system.

tip

The tokenization call allows the use of application/JSON.

curl -X POST https://sandbox-secure.unipay.io/gates/xurl? \
	-d "requestType=tokenization"  \
	-d "userName=myUsername"  \
	-d "password=myP%40ssword"  \
	-d "accountId=2001"  \
	-d "accountType=R"  \
	-d "accountNumber=5499740000000057"  \
	-d "accountAccessory=0422"  \
	-d "transactionCode=0000000001"  \
	-d "holderName=Tony+Stark"

For more information, see our API Reference documentation.

Charge With a Token​

To process a transaction using a token follow the same method used in the Charge operation and replace the accountNumber parameter with token.

curl -X POST https://sandbox-secure.unipay.io/gates/xurl? \
	-d "requestType=sale"  \
	-d "userName=myUsername"  \
	-d "password=myP%40ssword"  \
	-d "accountId=2001"  \
	-d "amount=5000"  \
	-d "accountType=R"  \
	-d "transactionIndustryType=RE"  \
	-d "holderType=P"  \
	-d "holderName=Tony+Stark"  \
	-d "accountNumber="  \
	-d "accountAccessory=0422"  \
	-d "street=12+Main+St"  \
	-d "city=Denver"  \
	-d "state=CO"  \
	-d "zipCode=30301"  \
	-d "customerAccountCode=0000000001"  \
	-d "transactionCode=0000000001"  \
	-d "token=MC10000000254965411111 "  \

Get a Token Profile​

requestType=get-profile

Use this operation to retrieve additional card holder data stored with a token for a card or bank account you have tokenized.

warning

get-profile only works if profiling is activated on the account. Please contact us if this is a feature you would like to use.

warning

get-profile only works for cards that have been tokenized after we have activated profiling on your account.

curl -X POST https://sandbox-secure.unipay.io/gates/xurl? \
	-d "requestType=get-profile"  \
	-d "userName=myUsername"  \
	-d "password=myP%40ssword"  \
	-d "accountId=2001"  \
	-d "token=XVC01P0000000084632147254611114111001111"  \

For more information, see our API Reference documentation.

Proxynization.js​

Our proxynization API is a JavaScript library that can be embedded into your payment pages. This library allows you to generate temporary tokens from your payment page before data is submitted to your system helping to reduce PCI scope.

Proxynization Implementation Overview​

  1. Reference our proxynization.js library on your payment page. Below are production and sandbox links to our proxynization library.
    • Production: https://secure.unipay.io/services/api.proxynization.js
    • Sandbox: https://sandbox-secure.unipay.io/services/api.proxynization.js
note

You may also download and host this library on your server. However, you will be responsible to make sure all library updates have been implemented when Unipay updates the proxynization.js library. You can view the Changelog to see if there are any updates to the proxynization.js library.

  1. Use the authentication request to receive a temporary password which will be valid for 10 minutes. Make sure you use the correct contextType when makeing the authentication call. Use: contextType=proxynization
  2. Submit the proxynization request with your previously received temporary password to get a proxy number;
  3. Use the returned proxy number in the accountNumber field for subsequent sale, credit and tokenization requests.

See the workflow section below implementation details.

Security Constraint​

JavaScript by nature has security limitations. Since it is a client-side language its source code is entirely accessible. Therefore, it is impossible to secure passwords within JavaScript. Consequently, you should never use javascript to directly make calls to the Unipay API endpoints such as sale or sale-auth.

Proxynization.js Workflow​

  1. Include api.proxynization.js

    Copy the following lines and paste them to your HTML page. This will enable the proxynization functionality within your application.

    <script type="text/javascript" src="https://secure.unipay.io/services/api.proxynization.js"></script>

  2. Implement the callback function.

    The callback function will be invoked once the proxynization response is returned from our system. We generate a function call which invokes the pre-defined callback function and passes the proxynization results into it. Post-proxynization logic (such as submission of the form to your server) should be included in the callback function.

    The callback function must declare three parameters: responseCode, responseMessage and proxyNumber:

    ParameterDescription
    responseCodeUnipay generated response code. Possible values are listed in the table.
    responseMessageUnipay generated response message, associated with the responseCode value. Possible values are listed in the table.
    proxyNumberTemporary proxy number.

    Callback function example:

    function clientCallback(responseCode, responseMessage, proxyNumber){
      if(responseCode == "A01"){
        document.getElementById('accountNumber').value = proxyNumber;
        paymentForm.submit();
      } else{
        alert(responseMessage);
        return false;
      }
    }

  3. Make the authentication request.

    Retrieve the temporary password from the authentication call response and assign it to the Proxynization API object. To obtain the temporary password, submit an authentication request, using your credentials:

    https://sandbox-secure.unipay.io/gates/xurl?requestType=authentication&userName=*****&password=*****&contextType=proxynization

    Server-side code example:

    ProxynizationAPI.password = '<?php echo (getPass()); ?>';

    Final JavaScript code example:

    ProxynizationAPI.password = '7e850d1d-0f94-4281-92f9-2c2c8bc8f70e';
info

The temporary password (such as 7e850d1d-0f94-4281-92f9-2c2c8bc8f70e) is dynamically obtained from Unipay every time when the page is refreshed. It is valid for 10 minutes and can only be used once.

  1. Implement your payment form and insert a proxynization call within the form's submit action.

    process() function takes two parameters:

    • The first parameter can either be the value of account number, or it can be the ID of the component from which the value can be obtained. If the value of the parameter starts with a hashtag (#) symbol, the first parameter is assumed to be the ID of the component. If a hashtag is not present, the first parameter is assumed to be an account number.
    • The second parameter is the name of the callback function (previously implemented, see step 2), that will be called when the proxynization call is completed.

    Proxynization call example:

    <input type="button" onClick="ProxynizationAPI.process('#accountNumber','clientCallback');"/>

How to use the proxy number​

The proxynization call is used to generate a temporary token (proxy number) for a credit card or bank account number. The resulting temporary token can be substituted for the actual credit card or bank account number in various API calls such as sale or sale-auth.

Heads up! To indicate that the proxy number is being used within the accountNumber field its value should be preceded by an asterisk (*) accountNumber=*proxynumber.