# Shared Content - Add Card Tokenization Steps source: https://developer.mastercard.com/mdes-digital-enablement/documentation/use-cases/add-card-steps-shared-content/index.md #### Add Card Tokenization Steps: {#add-card-tokenization-steps} **NOTE:** All user interface examples are illustrative. 1. Once consumer enters the card Account data, formulate the Tokenize request - Account PAN and expiry month and year (if the card has an expiry date) are mandatory, CVC2 is recommended to Add Card Tokenization; all other fields are optional. NOTE: Optional fields are used by the card issuer to decide whether to approve or decline tokenization for the card. You can include additional information in the optional **decisioningData** object to support the issuer's decision making process. 2. Combine the card data in step 1 with the **source** parameter, which must be set to **CARD_ADDED_MANUALLY** in this case, to create the JSON **fundingAccountData** object which will include the card data; see the first code sample below. 3. Make a **Tokenize** request with the **fundingAccountData** object. Supply **taskId** , **tokenRequestorId** (unique to you as a merchant), a **requestId** (unique for each request), and **tokenType** = CLOUD. The **TaskID** can be used to monitor tokenization progress as tokens are provisioned and then activated on the MDES platform after the response in step 6 below 4. Receive the response with the following data: **decision** (tokenization decision), **accountPanSuffix** (the last four digits of the Account PAN), **tokenPanSuffix** (the last four digits of the Token), **tokenExpiry** (the expiry date in mmyy format), and a **tokenUniqueReference** (TUR) which uniquely identifies the token, and **tokenDetails** (tokenNumber, expiryMonth, expiryYear, dataValidUntilTimestamp, and PAR) . 5. If the tokenization request is not declined, associate the active token and **tokenUniqueReference** to the consumer's profile and the last four digits of the Account PAN. After the tokenize response, tokens are active and are provisioned within the MDES platform. Optionally, you can use the last four digits of the Account PAN from step 2 to represent the card details or make **Get Asset** requests using the Asset ID values returned in the **productConfig** object to fetch, cache, and display card and issuer art, etc. See [Displaying Tokenized Account PANs](https://developer.mastercard.com/mdes-digital-enablement/documentation/use-cases/add-card-steps-shared-content/index.md#display-payment-info) for details. 6. If MDES returns a decline decision in the previous step, you will not be able to tokenize the card and will need to try tokenization later based on the error code. 7. After receiving the Tokenize response, an active token has been provisioned. You could also update your user interface to show this Account PAN is now available for use in a payment. Additionally, you could proceed to make a **Transact** request to obtain the token and cryptogram needed for a payment authorization request. See [Making Payments with Tokenized Account PANs](https://developer.mastercard.com/mdes-digital-enablement/documentation/use-cases/add-card-steps-shared-content/index.md#making-payments) and [Storing Cryptograms](https://developer.mastercard.com/mdes-digital-enablement/documentation/use-cases/add-card-steps-shared-content/index.md#storing-cryptograms) for details. **API Flow for Adding a Card** Diagram tokenization-new-card-add **NOTE:** * Currently, MDES for merchants creates a token if the issuer tokenization decision is either APPROVED or REQUIRE_ADDITIONAL_AUTHENTICATION. At this time, your system may handle these responses in the same manner. You may also receive an **authenticationMethods** object, which you can ignore. * The sample payload loaded from the OpenAPI configuration will contain a superset of all the possible fields. As some of these fields are conditional use the following trimmed request sample to get started. You can then add additional parameters as required. * JSON ```JSON { "cardAccountData": { "accountNumber": "5412345678901234", "expiryMonth": "12", "expiryYear": "19" }, "accountHolderData": { "accountHolderName": "John Doe", "consumerIdentifier": "", "accountHolderAddress": { "line1": "100 1st Street", "line2": "Apt. 4B", "city": "St. Louis", "countrySubdivision": "MO", "postalCode": "61000", "country": "USA" } } "source": "ACCOUNT_ON_FILE" } ``` * JSON ```JSON "fundingAccountInfo" : { "encryptedPayload" : { "encryptedData":"4545433044323232363739304532433610DE1D1461475BEB6D815F31764DDC20298BD779FBE37EE5AB3CBDA9F9825E1DDE321469537FE461E824AA55BA67BF6A", "publicKeyFingerprint" : "4c4ead5927f0df8117f178eea9308daa58e27c2b", "encryptedKey" : "A1B2C3D4E5F6112233445566", "oaepHashingAlgorithm" : "SHA512" } } ``` **NOTE:** You are required to acknowledge **Notify Token Updated** requests. To minimize network traffic, you should use **Notify Token Updated** requests to monitor and keep a local copy of token state, rather than repeatedly polling MDES using **Get Token** requests. **NOTE:** You will need to decrypt the **EncryptedPayload.encryptedData** parameter in the **Notify Token Updated** request. The encrypted data contains an array of token objects (in this case just a single token) containing the updated status of each token and any other changes to the token or associated payment account, such as changes to card art, expiry date, and last 4 digits of the Account PAN. The decryption process is the reverse of the encryption process detailed in steps 3 and 4 above, but using the **private** key from the RSA wrapped **decryption** key pair.