How token sharing works between merchants
- Company A tokenizes the card and owns the token.
- Company A associates the token with Company B.
- Company B can now perform actions on the token (charge, relay, display, etc.) as if they created it.
- Company A retains ownership, responsibility, and billing for all actions on the token.
Step 1: Tokenize the Card
Company A tokenizes the card using any available method:- Hosted Card Entry Form
- Card By Link
- Tokenization on Response
- Tokenization on Request
- Universal Tokenization
Step 2: Associate the Token with Company B
Company A calls Associate with Customer to grant Company B access to the token. After association, Company A sends Company B the token URI. The token URI is not sensitive data and can be shared through any channel (email, API, etc.).Step 3: Company B Uses the Token
Once associated, Company B can perform any action on the token:- Charge via Universal Payment Gateway
- Relay to a third party via Token Replacement
- View card details via Card Display
- Delete the token (removes their association, not the token itself)
Ownership stays with Company A. All fees for actions performed on the card are billed to Company A. CVV retention policy and long-term storage responsibility remain with Company A.
Step 4: Remove Access
When Company B no longer needs access, Company A calls Disassociate from Customer to revoke access.Related
- Third-Party Permissions. Overview of property and customer token associations.
- CVV Retention Policy. If Company B needs CVV access, Company A must set a retention policy first.
- Send Stored Card Details to a Hotel. Need to send the actual card data to a hotel instead of sharing the token?
- Process OTA and Channel Manager Payments. Receiving cards from a third party and need to charge them?

