Tokenization
When a card is added to a wallet, the wallet does not store the real card number. Instead the card details (number, expiry, CVV) are replaced with a unique token that is specific to that card on that device. Payments made from the wallet use the token, not the card number. A few consequences worth knowing:- Each token represents one card on one device. The same card added to a phone and a watch produces two separate tokens.
- The real card number is never exposed to the merchant or stored on the device.
Provisioning
Provisioning is the act of adding a card to a wallet. There are two ways to do it.
The two methods are not exclusive. Manual provisioning always works, so most programs offer it even when they also build push provisioning for the smoother in-app flow.
Identity verification
During provisioning the wallet provider usually asks the cardholder to verify the card with a one-time passcode (OTP). This is the same regardless of which provisioning method is used. The cardholder chooses whether to receive the passcode by email or SMS. Reap sends it automatically to theemail or phoneNumber on the user record. Keep both accurate, since you cannot know in advance which one the cardholder will pick. Update them with Update user email address or Update user phone number if they change.
If the cardholder chooses to receive the passcode by SMS and you want a fallback channel (for example, to show the code in your app when the SMS is slow to arrive), subscribe to the CARD_TOKENIZATION_REQUESTED webhook. It delivers the SMS passcode as soon as verification is requested. The code is short-lived, so pass it to the cardholder right away.
Email is more reliable than SMS for OTP delivery. Encourage cardholders to choose email when the wallet app offers a choice.