Using reusable card identifiers (Tokens)
Once you have created and stored reusable card identifiers, you can use them in your customers' future transactions.
When we store a card identifier, we store all the card details submitted by the customer except the security code (CVV), which is considered sensitive authentication data and must not be stored after authorisation (even if encrypted).
Therefore, if you want to use a stored card identifier, you will first have to ask your customer to resubmit their security code. How you do that depends on your integration method.
Submit security code via drop-in checkout integration
If you are integrated with our drop-in checkout you have to ensure that you follow the steps below:
To bring up the drop-in iFrame you will need to call sagepayCheckout with the merchantSessionKey and reusableCardIdentifier values as per the example below:
sagepayCheckout({
    merchantSessionKey : '657B1783-3A76-4A3E-96F0-578D894DF02D',
    reusableCardIdentifier : 'CAFECA44-41C9-4072-AC03-542227D38D7E'
}).form();
Once the customer initiates the form submission, the security code is validated and stored against the reusable card identifier.
A successful call will result in an empty (no content) HTTP 204 response indicating that the server successfully processed the request.
Submit security code via own form integration
If you are integrated with the own form checkout you have to ensure that you follow the steps below:
Be sure not to set a name attribute on this field; this ensures that the securityCode is not submitted to your server.
Here is an example form:
All that is left to do is to call activateReusableCardIdentifier when you load the page that also includes sagepay.js and the merchantSessionKey as per the example below.
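The rule about leaving the name attribute off the security code field can be checked against your checkout template before release. The following is an added example, not Sage Pay's code: the form markup, the field id "security-code" and the "order-id" field are constructed for illustration.

```javascript
// Added example: the markup below is constructed; the id "security-code" and
// the "order-id" field are assumptions for illustration.
const SAFE_FORM = `
<form method="post" action="/pay">
  <input type="hidden" name="order-id" value="ORDER-1001">
  <label for="security-code">Security code</label>
  <input type="text" id="security-code" autocomplete="off" maxlength="4">
  <button type="submit">Pay</button>
</form>`;
// Same form with the mistake the page warns about: a name on the CVV field.
const LEAKY_FORM = SAFE_FORM.replace('id="security-code"', 'id="security-code" name="cvv"');

// Parse one tag's attributes into a map (quoted, unquoted and bare attributes).
function parseAttributes(tag) {
  const body = tag.replace(/^<\s*[a-zA-Z0-9]+/, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  const attrs = {};
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Names a browser would include when the form is posted: only controls with a
// non-empty name that are not disabled take part in submission.
function submittedFieldNames(html) {
  const tags = html.match(/<(?:input|select|textarea)\b[^>]*>/gi) || [];
  return tags.map(parseAttributes)
    .filter((a) => a.name && !('disabled' in a))
    .map((a) => a.name);
}

// True only if the security code input exists and carries no name attribute.
function securityCodeStaysInBrowser(html, fieldId) {
  const inputs = (html.match(/<input\b[^>]*>/gi) || []).map(parseAttributes);
  const field = inputs.find((a) => a.id === fieldId);
  return field !== undefined && !('name' in field);
}

console.log(submittedFieldNames(SAFE_FORM));
console.log(submittedFieldNames(LEAKY_FORM));
```

Run the check over each rendered checkout template in your build; a failing result means the security code would reach your server on form submission.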