Card tokenization is one of the most technically demanding programmes a bank can undertake. It requires coordinating a payment scheme, a card host, an SDK provider, a mobile app development partner, and the bank's own internal teams — all simultaneously, across a single shared implementation timeline that Mastercard controls.

I led this engagement as the primary product and programme coordinator on behalf of the banking client — a MENA retail bank introducing NFC Tap & Pay via its mobile banking app and Card-on-File tokenization for e-commerce. The project is live in production.

What the Programme Covers

The scope spans two distinct tokenization programmes running in parallel under Mastercard's Digital Enablement Service (MDES) infrastructure:

Issuer Wallet (Wallet 856) — NFC Tap & Pay via the bank's mobile banking app. Cardholders tokenize their Debit and Credit cards within the app and pay at POS terminals by tapping their phone. Authentication is handled via the Thales D1 SDK embedded in the app, with tokens provisioned through Mastercard MDES as the token issuer.

Remote Commerce / Merchant Card on File Tokenization (Wallet 327) — tokenization of card credentials stored by e-commerce merchants. Rather than storing raw card numbers, merchants store tokens — reducing the risk surface of Card-not-Present fraud across the bank's entire card portfolio.

"Two parallel tokenization programmes. One implementation timeline. Five organisations that had never worked together before."

The Stakeholder Landscape

This project required coordinating across five distinct organisations, each with their own technical requirements, timelines, and approval processes. Getting all five aligned — and keeping them aligned — was as much of the work as the product design itself.

Project stakeholders — roles and responsibilities

| Role | Organisation | Responsibilities |
| --- | --- | --- |
| Card Issuer & Token Requester | Banking Client | Initiating organisation. Owns the cardholder relationship, the BIN portfolio, and the mobile banking app. Primary coordinator across all other parties. |
| Payment Scheme & Token Issuer | Mastercard (MDES) | Token issuer and MDES Issuer Wallet Provider. Controls the implementation timeline, certification milestones, and production go-live approval. |
| SDK Provider | Thales | Provides the D1 SDK for embedding tokenization and NFC payment capability into the mobile app. Manages the token lifecycle portal (TLCM). |
| Card Host & Processing Engine | EuroNet Worldwide | Card host system managing backend processing of tokenized transactions. The EN Passthrough layer sits between the issuer CMS and Thales D1 APIs. |
| App Development Partner | Avanza Solutions | Mobile app development partner responsible for integrating the Thales SDK into the bank's mobile banking application. |
| My Role | Umer Qasim | Programme coordinator and product lead. Named contact on the Mastercard Implementation Plan (CIS-2023-03244). Coordinating all five organisations through design, testing, and go-live. |

The BIN Portfolio in Scope

Nine BIN ranges were onboarded across Debit and Credit card products, spanning two ICA numbers — covering the bank's full mainstream card portfolio:

| Product | Card Type | Programme |
| --- | --- | --- |
| Debit Gold | Debit | Tap & Pay + Card on File |
| World Debit Embossed | Debit | Tap & Pay + Card on File |
| Debit Platinum | Debit | Tap & Pay + Card on File |
| Debit Standard | Debit | Tap & Pay + Card on File |
| Titanium Mastercard | Credit | Tap & Pay + Card on File |
| Platinum | Credit | Tap & Pay + Card on File |
| Gold | Credit | Tap & Pay + Card on File |
| Standard | Credit | Tap & Pay + Card on File |
| World | Credit | Tap & Pay + Card on File |

How Tokenization Actually Works

The tokenization flow involves six system actors passing messages in a precise sequence. Understanding this sequence — and owning the gaps between the systems — was central to the product coordination work.

Card tokenization sequence — Mobile App to Token Created

1. CardRegister — Mobile App → Issuer CMS
   The mobile app initiates registration. The Issuer CMS generates a Card ID and Consumer ID, then registers the consumer and card details with the EuroNet Passthrough layer.

2. Digitize Card Request — EN Passthrough → Thales D1 APIs
   The Card ID and Consumer ID are passed to Thales D1. Thales issues a Digitize Card Request to Mastercard/MDES — the formal instruction to create a token.

3. GetCard Credential — Thales D1 → EN Passthrough
   Thales retrieves card credentials from the issuer via EuroNet. These credentials are used to validate the card against Mastercard's token eligibility criteria.

4. Token Request — Thales D1 → Mastercard/MDES
   Thales sends a formal Token Request to Mastercard. MDES issues a Verify Card challenge to confirm the cardholder's identity and card validity.

5. Verify Card — Mastercard → Thales → EN → Issuer CMS
   The verification request travels back through the chain. The Issuer CMS validates the card and returns verification confirmation upward through EuroNet to Thales to Mastercard.

6. Token Created — Mastercard → Token Success Acknowledgement
   Mastercard creates the token. A Token Success Acknowledgement flows back through the chain to the mobile app. Notify Card Operation and Notify Digital Card Operation messages confirm the token is active and ready for NFC payment.

Figure: Card tokenization sequence diagram showing message flow between Mobile App, Issuer CMS, EN Passthrough, Thales D1 APIs, Thales SDK, and Mastercard.

The full tokenization sequence: six system actors, twelve message exchanges, ending at Token Created. Every interface between these actors required alignment between organisations that had separate contracts, separate timelines, and separate technical environments.
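As an added example (not code from the programme or from any vendor), the six-step sequence above can be written down as an ordered contract and a provisioning trace checked against it, so that a stalled or out-of-order attempt points at the party that owes the next message. The event tuples, function name and sample traces are hypothetical; the Verify Card relay is collapsed to its two endpoints.

```python
# Added illustration: step names and actors come from the sequence above;
# the event tuples and function names are hypothetical.
STEPS = [
    ("CardRegister", "Mobile App", "Issuer CMS"),
    ("Digitize Card Request", "EN Passthrough", "Thales D1 APIs"),
    ("GetCard Credential", "Thales D1 APIs", "EN Passthrough"),
    ("Token Request", "Thales D1 APIs", "Mastercard/MDES"),
    # Verify Card is relayed via Thales and EN; only the endpoints are modelled.
    ("Verify Card", "Mastercard/MDES", "Issuer CMS"),
    ("Token Created", "Mastercard/MDES", "Mobile App"),
]
NAMES = [s[0] for s in STEPS]


def check_trace(events):
    """Return (steps_completed, finding) for one provisioning attempt.

    events: ordered list of (message, sender, receiver) tuples.
    finding is None when all six steps occurred in order on the right hops.
    """
    done = 0
    for message, sender, receiver in events:
        if message not in NAMES:
            return done, f"unknown message {message!r}"
        idx = NAMES.index(message)
        if idx < done:
            return done, f"repeated step {idx + 1} ({message})"
        if idx > done:
            return done, f"step {done + 1} ({NAMES[done]}) missing before {message}"
        _, exp_sender, exp_receiver = STEPS[idx]
        if (sender, receiver) != (exp_sender, exp_receiver):
            return done, (f"{message} seen on {sender} -> {receiver}, "
                          f"expected {exp_sender} -> {exp_receiver}")
        done += 1
    if done < len(STEPS):
        name, owner, _ = STEPS[done]
        return done, f"stalled: waiting on {owner} to send {name}"
    return done, None


# Constructed sample traces: one that stops after the Token Request and
# one where the Token Request arrives before credentials were fetched.
STALLED = STEPS[:4]
SKIPPED = [STEPS[0], STEPS[1], STEPS[3]]

if __name__ == "__main__":
    for trace in (STEPS, STALLED, SKIPPED):
        print(check_trace(trace))
```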

The Mastercard Implementation Process

Mastercard's MDES onboarding is a structured, milestone-gated process. Nothing moves until Mastercard approves it. I was the named contact on the Mastercard Customer Implementation Services (CIS) Implementation Plan — project reference CIS-2023-03244, EEMEA region — responsible for driving each activity to completion on the bank's side.

The key milestones the bank had to own:

- MDES Parameter Collection Guide completion
- Offline testing with Mastercard
- MDES Manager onboarding
- Card design approval
- Cryptographic key exchange — API Gateway Client Certificate, Customer Wrapping Key, PEPK-PESK, and ECB/CCMOut Keys
- Customer test environment setup
- Online testing
- Production Validation Testing (PVT)
- Go-live

Each of these had dependencies on the other four stakeholders. A delay in the EuroNet passthrough configuration affected the key exchange. A change in the Thales SDK integration affected offline testing. Keeping all five organisations moving in the same direction, at the pace Mastercard's timeline required, was the core coordination challenge.

"Mastercard's implementation timeline doesn't flex for internal delays. The bank's readiness — across all five organisations — had to be there when Mastercard was ready. That meant driving dependencies upstream, not waiting for them."

Testing — What We Put It Through

The Production Testing Report (PTR) covered 64 test cases across device eligibility, tokenization flows, NFC payment transactions, token lifecycle management, and backend operations including settlement, dispute handling, reconciliation, and authorisation.

Test cases — Pass: 52+
Parked for next release: 8
International NFC transaction — outside Pakistan

The test scope included: device eligibility checks — NFC-enabled vs non-NFC devices handled correctly; end-to-end tokenization for all 9 BIN ranges across Debit and Credit products; 1-tap and 2-tap NFC payment flows for both logged-in and session states; token lifecycle management (Active → Suspend → Active → Delete) via both Thales portal and mobile app; card image validation across all BIN ranges on tokenization and transaction success screens; and international transaction validation — a successful NFC payment was performed on a NAPS POS terminal outside Pakistan, confirming cross-border token interoperability.

Items parked for the next release were documented and tracked — not dropped. Each had a defined owner, a root cause, and a target resolution milestone. Parking a finding correctly is as important as resolving it: it keeps the go-live timeline intact without creating undocumented debt.

What Made This Hard

Token lifecycle management across five systems is harder than it appears. A token that is Active in the Thales portal can show as Disabled in the mobile app under certain conditions — which is a user-facing failure even though all systems are technically functioning correctly. Resolving these interface gaps required joint debugging sessions between Avanza (app), Thales (SDK and portal), and EuroNet (card host) — none of whom had a shared incident management process.
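The divergence described above can be caught by reconciliation rather than by customer complaints. The following is an added example, not the programme's or any vendor's code: it replays lifecycle events along the tested path (Active → Suspend → Active → Delete) and compares the result with what each system reports. System names, token references, state strings and the triage rule are constructed assumptions.

```python
# Added illustration: only the transitions on the tested lifecycle path are
# accepted; system names, token references and states are constructed.
ALLOWED = {("ACTIVE", "SUSPENDED"), ("SUSPENDED", "ACTIVE"), ("ACTIVE", "DELETED")}


def expected_state(events):
    """Replay lifecycle events for one token, starting from ACTIVE."""
    state = "ACTIVE"
    for target in events:
        if (state, target) not in ALLOWED:
            raise ValueError(f"illegal transition {state} -> {target}")
        state = target
    return state


def reconcile(events_by_token, views):
    """Compare each system's reported state with the replayed state.

    views: {system: {token_ref: reported_state}}
    Returns a sorted list of (token_ref, system, expected, reported, impact).
    """
    findings = []
    for token, events in events_by_token.items():
        want = expected_state(events)
        for system, states in views.items():
            got = states.get(token, "MISSING").upper()
            # A deleted token that a system no longer lists is consistent.
            if got == want or (want == "DELETED" and got == "MISSING"):
                continue
            # Assumed triage rule: usable where it should not be is the
            # security case; unusable where it should be is the customer case.
            impact = "security" if got == "ACTIVE" else "availability"
            findings.append((token, system, want, got, impact))
    return sorted(findings)


# Constructed sample data: tok-001 reproduces the Active-in-portal,
# Disabled-in-app case; tok-002 is suspended but still active in the app.
EVENTS = {"tok-001": [], "tok-002": ["SUSPENDED"],
          "tok-003": ["SUSPENDED", "ACTIVE", "DELETED"]}
VIEWS = {
    "thales_portal": {"tok-001": "Active", "tok-002": "Suspended"},
    "mobile_app": {"tok-001": "Disabled", "tok-002": "Active", "tok-003": "Deleted"},
}

if __name__ == "__main__":
    for finding in reconcile(EVENTS, VIEWS):
        print(finding)
```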

The cryptographic key exchange was another pressure point. MDES requires specific key types — PEPK-PESK for payment credentials, ECB and CCMOut keys for the external CMS. Each key exchange has a strict procedural requirement from Mastercard, and any error resets the clock. Getting this right required close coordination between the bank's security team, EuroNet, and Mastercard's CIS team across different time zones.

And throughout all of this, the Mastercard billing clock was running. At Tier L.3, the monthly implementation fee accrues from the first billing cycle after plan submission. Every week of delay has a direct cost. That creates a different kind of urgency than an internal project — one that has to be communicated clearly to every organisation in the chain.

Where It Landed

Live: Production — NFC Tap & Pay delivered
9 BINs: Full card portfolio tokenized
2 Wallets: Tap & Pay + Card on File
Intl ✓: Cross-border NFC validated

The programme delivered what it set out to: cardholders can tokenize their Debit and Credit cards within the bank's mobile app and pay at NFC terminals without presenting a physical card. E-commerce merchants can store tokens instead of raw card numbers, reducing fraud exposure across the bank's card portfolio. Both programmes are live in production.

What This Means for You

If your bank is planning a tokenization programme — or has been told by Mastercard that MDES onboarding is straightforward — here is what the experience actually looks like:

What banks get wrong about tokenization programmes

Umer Qasim

Fractional Product Manager & Payments SME with 15+ years across Tier 1 banks, fintechs, and card networks. Works globally on payment product strategy, card programmes, and digital banking.
umerqasim.com · LinkedIn