# Tokenize Virtual Cards
source: https://developer.mastercard.com/business-payment-controls/documentation/use-cases/05-tokenize-virtual-cards/index.md

## Tokenize Business Payment Controls virtual cards {#tokenize-business-payment-controls-virtual-cards}

Virtual Cards issued with Business Payment Controls can be tokenized by using Mastercard® In Control™ for Mobile Payments (ICMP). ICMP utilizes Mastercard Digital Enablement Service (MDES) to tokenize virtual cards into a digital wallet. 

Currently, Business Payment Controls supports manual provisioning. That is, virtual cards can be created using Business Payment Controls, and then manually added to the end user's digital wallet.

Note: There are three paths for token authorization that are shown in the sequence diagrams for BPC API use cases:

* Green Path: ICMP sends an APPROVED decision to MDES (Not available to EU issuers for mobile virtual cards).
* Yellow Path: The cardholder is requested to provide another verification, for example, a one-time password (OTP).
* Red Path: ICMP sends a DECLINED decision to MDES.

## Registering a real card that is enabled for virtual card tokenization {#registering-a-real-card-that-is-enabled-for-virtual-card-tokenization}

To generate virtual cards that can be tokenized, the real card number (RCN) must first be enabled to support In Control for Mobile Payments. The following sequence diagram outlines the API flow:
Diagram generate-virtual-cards

1. A Business Payment Controls API user registers a real card using the `POST /real-card-accounts` API.  
   Payload must have the following parameter settings:  
   `authorizationControlsEnabled` set to **True**
2. A Business Payment Controls API user creates a funding source linked to the previously created real card using the `POST /fundingsource` API.  
   Payload must have the following parameter settings:  
   `VCNCreationEnabled` set to **True**   
   `authorizationControlsEnabled` set to **True**
3. A Business Payment Controls API user creates a control against the funding source using the `POST /funding-sources/{funding_source_guid}/controls` API.  
   Tip: This call is required to enable VCN Tokenization. Even if you do not plan to implement real card controls, this step must be completed for RCNs set up for ICMP.

Mastercard recommends the use of an **Approve All control** as per the following:

```JSON
{
  "inControlRules": [
    {
      "action": "APPROVE",
      "alias": "Approve All",
      "transactionLimits": [
        {
          "amount": 0,
          "negate": true
        }
      ]
    }
  ]
}
```

The RCN is now set up to support VCN Tokenization.
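A pre-flight check for the three request bodies in this procedure, so that a missing flag or an absent control is caught before any call is sent. This is an added example, not Mastercard code; the function names and the constructed sample bodies are assumptions, and only the field names shown on this page are used.

```python
import json

# Flags each step's payload must carry, as listed in the procedure above.
REQUIRED_FLAGS = {
    "real_card": ("authorizationControlsEnabled",),
    "funding_source": ("VCNCreationEnabled", "authorizationControlsEnabled"),
}

def check_flags(step, payload):
    """Return one finding per required flag that is not the JSON boolean true."""
    findings = []
    for flag in REQUIRED_FLAGS[step]:
        value = payload.get(flag)
        if value is not True:  # catches missing, false, and the string "true"
            findings.append(f"{step}: {flag} must be true, got {value!r}")
    return findings

def is_approve_all(rule):
    """Match the recommended shape: APPROVE with a negated zero-amount limit."""
    limits = rule.get("transactionLimits") or []
    return rule.get("action") == "APPROVE" and any(
        lim.get("amount") == 0 and lim.get("negate") is True for lim in limits
    )

def check_control(payload):
    rules = payload.get("inControlRules") or []
    if not rules:
        return ["control: no inControlRules; step 3 is required for ICMP"]
    if not any(is_approve_all(rule) for rule in rules):
        return ["control: no rule matches the recommended Approve All control"]
    return []

def preflight(real_card, funding_source, control):
    """Collect findings for the three request bodies before any call is made."""
    return (check_flags("real_card", real_card)
            + check_flags("funding_source", funding_source)
            + check_control(control))

# Constructed sample bodies; only the fields named on this page are included.
APPROVE_ALL = json.loads("""{"inControlRules": [{"action": "APPROVE",
  "alias": "Approve All", "transactionLimits": [{"amount": 0, "negate": true}]}]}""")
GOOD = ({"authorizationControlsEnabled": True},
        {"VCNCreationEnabled": True, "authorizationControlsEnabled": True},
        APPROVE_ALL)
BAD = ({"authorizationControlsEnabled": "true"},
       {"authorizationControlsEnabled": True},
       {"inControlRules": [{"action": "DECLINE", "transactionLimits": []}]})
```

The Approve All finding is advisory, since the page recommends that control rather than requiring it; an empty `inControlRules` list is the case that leaves step 3 undone.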

## Creating a virtual card that can be tokenized {#creating-a-virtual-card-that-can-be-tokenized}

Note: To enable tokenization, contact your Mastercard representative or [Get Help](https://developer.mastercard.com/in-control-for-mobile-payments/documentation/support/#get-help) from commercial support.

Diagram 01-tokenize-vcn

1. A Business Payment Controls API user creates a virtual card with controls using `POST /virtual-card-accounts`.
2. Business Payment Controls confirms to the API user that the VCN is successfully created.
3. When the card is successfully created, the API user registers the end user and the card to be linked to the end user using `POST /virtual-card-accounts/{account_guid}/end-user`.
4. Business Payment Controls submits a request to ICMP to create the end user and link the virtual card.
5. ICMP confirms to Business Payment Controls that the end user is created.
6. ICMP confirms to Business Payment Controls that the virtual card is assigned to the end user.
7. Business Payment Controls confirms to the API user that the end user is created and virtual card details are linked to the end user.
8. Business Payment Controls API user sends the virtual card details to the end user.

Note: An end user can be registered only if a virtual card has already been created. When registering an end user, the following attributes are mandatory:

* `first name` - The first name of the virtual card holder
* `last name` - The last name of the virtual card holder
* `phone` - The phone number of the virtual card holder (`+` at the beginning is required)
* `email` - The email address of the virtual card holder

For details on the token manual provisioning flow, refer to [Token manual-provisioning](https://developer.mastercard.com/in-control-for-mobile-payments/documentation/use-cases/manual-provision/#token-manual-provisioning).

## Retrieve end user contact details for a tokenized VCN {#retrieve-end-user-contact-details-for-a-tokenized-vcn}

Retrieve details for an existing provisioned virtual card account. Retrieving end user contact details requires a previously created VCN and an end-user registered on that VCN.
Diagram 01-retrieve-end-user

1. A Business Payment Controls API user retrieves end user details by passing the virtual card GUID using `GET /virtual-card-accounts/{account_guid}/end-user`.
2. Business Payment Controls submits a request to ICMP to retrieve the end user details linked with the virtual card.
3. ICMP returns end user details to Business Payment Controls.
4. Business Payment Controls returns the end user details to the Business Payment Controls API user.

### Process to retrieve end user contact details {#process-to-retrieve-end-user-contact-details}


API Reference: `GET /virtual-card-accounts/{account_guid}/end-user`

The following attributes are returned by the API call:

* `first name` - The first name of the virtual card holder
* `last name` - The last name of the virtual card holder
* `phone` - The phone number of the virtual card holder (`+` at the beginning is required)
* `email` - The email address of the virtual card holder

If no end user is previously registered on the specific virtual card number (VCN) or if no VCN was previously created, a 400 error is returned.

## Update end user contact details for a tokenized virtual card {#update-end-user-contact-details-for-a-tokenized-virtual-card}

Diagram 01-update-end-user

1. A Business Payment Controls API user passes updated end user details associated with a virtual card using `PUT /virtual-card-accounts/{account_guid}/end-user`.
2. Business Payment Controls sends a request to ICMP systems to update the end user details linked with the virtual card.
3. If the request is successful, the updated end user detail is passed back to Business Payment Controls.
4. The updated end user detail is passed back to the Business Payment Controls API user.


API Reference: `PUT /virtual-card-accounts/{account_guid}/end-user`

Updating end user contact details requires a previously created VCN and an end user registered on that VCN.

The following attributes can be updated:

* `first name` - The first name of the virtual card holder
* `last name` - The last name of the virtual card holder
* `phone` - The phone number of the virtual card holder (`+` at the beginning is required)
* `email` - The email address of the virtual card holder

Once the end user attributes are updated, the API returns a successful 200 response.
If no end user is previously registered on the specific VCN or if no VCN was previously created, a 400 error is returned.
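A client-side check for the end user registration (`POST`) and update (`PUT`) calls described above: it enforces the four mandatory attributes and the leading `+` on the phone number, and percent-encodes `account_guid` so the value cannot alter the request path. This is an added example, not Mastercard code. The JSON key names `firstName` and `lastName`, the digits-only rule after the `+`, the function names and the sample values are assumptions; the page lists the attributes only by label.

```python
from urllib.parse import quote

# Attribute labels from the page mapped to JSON keys; the key names are assumed.
MANDATORY = ("firstName", "lastName", "phone", "email")

def end_user_path(account_guid):
    """Build /virtual-card-accounts/{account_guid}/end-user with the GUID
    percent-encoded so it cannot add path segments or a query string."""
    if not isinstance(account_guid, str) or not account_guid.strip():
        raise ValueError("account_guid is required: create the virtual card first")
    return f"/virtual-card-accounts/{quote(account_guid, safe='')}/end-user"

def validate_end_user(end_user):
    """Return a list of problems; an empty list means the body can be sent."""
    problems = []
    for key in MANDATORY:
        value = end_user.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key} is mandatory")
    phone = end_user.get("phone")
    if isinstance(phone, str) and phone.strip():
        if not phone.startswith("+"):
            problems.append("phone must start with '+'")
        elif not phone[1:].isdigit():
            # Assumption: only digits follow the '+'; the page does not say.
            problems.append("phone must contain only digits after '+'")
    email = end_user.get("email")
    if isinstance(email, str) and email.strip():
        local, at, domain = email.partition("@")
        if not (at and local and "." in domain and "@" not in domain):
            problems.append("email is not in local@domain form")
    return problems

def build_request(method, account_guid, end_user):
    """Return (method, path, body) for a register (POST) or update (PUT) call."""
    if method not in ("POST", "PUT"):
        raise ValueError("method must be POST (register) or PUT (update)")
    problems = validate_end_user(end_user)
    if problems:
        raise ValueError("; ".join(problems))
    return method, end_user_path(account_guid), end_user

# Constructed sample end user; not real contact details.
SAMPLE = {"firstName": "Ana", "lastName": "Silva",
          "phone": "+15555550100", "email": "ana.silva@example.com"}
```

Request signing and transport are left out; the returned tuple is what would be handed to whatever authenticated HTTP client is already in use.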
