Tokenization and stored credentials

Magento does not save credit card details.

Instead, Worldpay creates a token against each card and sends it to Magento. When a shopper saves a card, the token generated by Worldpay is saved in the Magento database; we use this token for future authorizations. The shopper must save the card again when the token expires, and Worldpay then issues a new token.

How to configure tokenization and stored credentials

You can enable tokenization at Stores/Configuration/Sales/Worldpay/Tokenization.

Tokenization and stored credentials enablement

Do the following:

  1. Set Save Card to Yes or No. Card-saving only works if either Tokenization or Stored Credentials is enabled.
  2. Set Enable Tokenization to Yes or No.
  3. Set Enable Stored Credentials to Yes or No. If Stored Credentials is enabled, the system adds the usage attribute that has values like FIRST and USED. The system also adds the transactionIdentifier value of the FIRST response as schemeTransactionIdentifier in the USED request.

See the Worldpay documentation for more information on stored credentials.

ConfigurationDescription
Save cardIf set to Yes, the save card function is enabled provided that either Tokenization or Stored credentials is enabled.
Enable TokenizationWrite the message that shoppers see.
Enable Stored CredentialsIf set to Yes, stored credentials are enabled and the system creates a token with a long expiry time.

Additional information:

  • A maximum of 16 cards can be saved under each authenticated shopper ID

  • Tokenization/stored credentials must be enabled to ensure compliance when storing card details

You can configure a disclaimer that shoppers must accept during checkout to save their card:

Configure the disclaimer screen

ConfigurationDescription
Enable Stored CredentialsIf set to Yes, stored credentials is enabled.
Disclaimer messageWrite the message that shoppers see.
Show Disclaimer In Store FrontIf set to Yes, a pop-up link to the disclaimer message appears on the checkout page.
Important Disclaimer MandatoryIf set to Yes, the shopper must agree to the disclaimer before they can save their card details.

Note
See the Worldpay support centre for more details about disclaimers.

The shopper’s experience with stored credentials enabled

Once stored credentials and a disclaimer are configured, the shopper enters a flow where they can save the card after verifying the disclaimer. See the two screenshots below:

Payment methods screen

If a shopper tries to place the order without verifying the disclaimer, a prompt appears. This prompt asks the shopper to verify the disclaimer (so their card details are saved). If the shopper does not accept the disclaimer, the system does not create a token for future use.

Payment methods screen

When the shopper clicks the Important Disclaimer link, they have the option to agree or disagree with the disclaimer. To both place order and save the card details, the shopper must agree to the disclaimer.

Payment methods screen

If the shopper chooses to disagree to the disclaimer, the Save This Card option is unchecked. The order proceeds without any saved card details.