Cybersource Developer Community Cybersource Developer Community

You can think of TMS (Token Management Service) as services to create, read, update, and delete tokens as well as the storage of those tokens. The purpose of Secure Acceptance Flex Microform and Flexible Token API is to reduce PCI scope when handling credit card account numbers by replacing them with tokens without touching your servers (direct from customer browser or app to CyberSource). MyAARPMedicare

The Secure Acceptance Flex Microform and Flexible Token API uses TMS underneath to create tokens, but cannot read, update, delete tokens or authorize the card.

The CyberSource Token Management Service (described here /echatrandom and here /echatspin) allows you to create "instruments" which are tokenized cards that can be stored with a user's account and used for later purchases/transactions with your service.

I would like to use the Flex API (described here, here and here) to perform an initial tokenization of the card. Can I then use a Flex token to perform TMS calls?

Obviously both mechanisms are tokenization, but there are advantages to both:

1. TMS seems intended for long-term storage and supports auto-superseding PANs.
2. Flex has the capability to switch to micro-form iframes.

So it would be useful to do the initial tokenization with Flex for PCI-DSS reasons, and then use that to create TMS tokens for long-term storage.

Microform (or Flex API for native/embedded/non-browser implementations) can be used to create temporary (transient) tokens, directly from a cardholder's device. The Transient Token replaces sensitive card data in API requests to Cybersource.

Whilst you can't use the Transient Token in a direct call to TMS, you can use the Transient Token from the Microform (or Flex API) in a combined Authorization and TMS token create call. Just set the amount to zero if you are not charging your customer at that point. This has the added benefit of validating the card details with the issuer, and letting the issuer know you are storing the credentials on file - complying with Credentials on File and Merchant Initiated Transaction mandates, which should mean improved payment success rates.*

Set the actionTokenTypes array to specify which token types you want created. You can create a new Customer with default payment instrument, or add a secondary Payment Instrument to an existing Customer. Use your own credentials on the examples, as someone has deleted the customer.id specified in the example request.

* specifically the authorization is flagged as credentialStoredOnFile, and the resulting networkTransactionId is stored against the token and automatically populated in future merchant initiated requests.