Tokenization and stored credentials
Magento does not save credit card details.
Instead, Worldpay creates a token against each card and sends it to Magento. When a shopper saves a card, the token generated by Worldpay is saved in the Magento database; we use this token for future authorizations. The shopper must save the card again when the token expires, and Worldpay then issues a new token.
How to configure tokenization and stored credentials
You can enable tokenization at Stores/Configuration/Sales/Worldpay/Tokenization.
Do the following:
- Set Save Card to Yes or No. Card-saving only works if either Tokenization or Stored Credentials is enabled.
- Set Enable Tokenization to Yes or No.
- Set Enable Stored Credentials to Yes or No. If Stored Credentials is enabled, the system adds the usage attribute that has values like FIRST and USED. The system also adds the transactionIdentifier value of the FIRST response as schemeTransactionIdentifier in the USED request.
See the Worldpay documentation for more information on stored credentials.
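The FIRST/USED linkage described above, as an added Python example (not code from the Worldpay plugin): it reads the transactionIdentifier from a FIRST response and builds the stored-credentials element for a later request, refusing an expired token or a USED request with no identifier to link back to. The XML element layout (storedCredentials, schemeResponse), the saved-card record fields and all sample values are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed FIRST response; the element layout is an assumption for this example.
FIRST_RESPONSE = """<payment>
  <lastEvent>AUTHORISED</lastEvent>
  <schemeResponse>
    <transactionIdentifier>TXN-EXAMPLE-0001</transactionIdentifier>
  </schemeResponse>
</payment>"""


def transaction_identifier(response_xml):
    """Return the transactionIdentifier from a FIRST response, or None if absent."""
    node = ET.fromstring(response_xml).find(".//transactionIdentifier")
    text = (node.text or "").strip() if node is not None else ""
    return text or None


def stored_credentials(saved_card, today):
    """Build the stored-credentials element for an authorization request.

    saved_card is None when the shopper is saving the card now (FIRST).
    Otherwise it is a dict with 'token', 'expiry' (a date) and
    'transaction_identifier' (hypothetical record fields; no card number is kept).
    """
    if saved_card is None:
        return ET.Element("storedCredentials", usage="FIRST")
    if saved_card["expiry"] < today:
        # Expired token: the shopper must save the card again to get a new one.
        raise ValueError("token expired")
    if not saved_card.get("transaction_identifier"):
        # A USED request must point back at the FIRST authorization.
        raise ValueError("missing transactionIdentifier from FIRST response")
    element = ET.Element("storedCredentials", usage="USED")
    child = ET.SubElement(element, "schemeTransactionIdentifier")
    child.text = saved_card["transaction_identifier"]
    return element


def render(element):
    """Serialize an element to a string for inclusion in a request body."""
    return ET.tostring(element, encoding="unicode")
```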
Configuration | Description |
---|---|
Save card | If set to Yes, the save card function is enabled provided that either Tokenization or Stored credentials is enabled. |
Enable Tokenization | Write the message that shoppers see. |
Enable Stored Credentials | If set to Yes, stored credentials are enabled and the system creates a token with a long expiry time. |
Additional information:
- A maximum of 16 cards can be saved under each authenticated shopper ID.
- Tokenization/stored credentials must be enabled to ensure compliance when storing card details.
You can configure a disclaimer that shoppers must accept during checkout to save their card:
Configuration | Description |
---|---|
Enable Stored Credentials | If set to Yes, stored credentials are enabled. |
Disclaimer message | Write the message that shoppers see. |
Show Disclaimer In Store Front | If set to Yes, a pop-up link to the disclaimer message appears on the checkout page. |
Important Disclaimer Mandatory | If set to Yes, the shopper must agree to the disclaimer before they can save their card details. |
The shopper’s experience with stored credentials enabled
Once stored credentials and a disclaimer are configured, the shopper enters a flow where they can save the card after verifying the disclaimer. See the two screenshots below:
If a shopper tries to place the order without verifying the disclaimer, a prompt appears. This prompt asks the shopper to verify the disclaimer (so their card details are saved). If the shopper does not accept the disclaimer, the system does not create a token for future use.
When the shopper clicks the Important Disclaimer link, they have the option to agree or disagree with the disclaimer. To both place the order and save the card details, the shopper must agree to the disclaimer.
If the shopper chooses to disagree with the disclaimer, the Save This Card option is unchecked. The order proceeds without any saved card details.