Skip to main content

Card Token Generation

PAN Tokenization Algorithms

Card PAN tokenization algorithms are used for map card PAN values to hash values. The most important feature of tokenization is that it is irreversible - there is no way to derive the PAN value from the token. Tokens can be used to identify the linked payment card and are safe to use outside the scope of PCI DSS. TPS (Sfey Transit Payment System) tokenization algorithms are all offline algorithms - they can be calculated without accessing TPS services.

Tokenization Secret Key

A secret key is required to calculate the card token.

Sfey Pay provides the secret key in encrypted format. It will be exported from Sfey systems with an RSA public key provided by the client requesting the secret.

All tokenization algorithms use 256-bit secret keys.

Algorithm HMAC_SHA256

The algorithm returns tokens in binary form, but typically tokens are represented as HEX-encoded strings in TPS services.

Token is calculated using HMAC algorithm as follows:

T := HMAC_SHA256(K, PAN)

Where:

  • T - calculated token in binary format (256-bit)
  • HMAC_SHA256 - HMAC algorithm implementation using SHA-256 for hashing function, takes binary key and binary data in input and returns binary data in output
  • K - secret key in binary format (256-bit)
  • PAN - card PAN in ASCII format (up to 19 bytes)