# May 2026 Pre-Release Notes source: https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_token_lienage_may26/index.md ## Release Change Summary {#release-change-summary} MDES is enhancing the Pre-Digitization API to assist issuers in making better-informed fraud management decisions, thereby providing improved support to cardholders. As part of this change, MDES will allow issuers to: * Receive token details of the source token that initiated provisioning. * Provide a decline reason code when the tokenization decision is declined. ##### Impacted APIs: {#impacted-apis} * Authorize Service (AS) ## Release Timeline {#release-timeline} * MTF: 8 April 2026 * Production: 13 May 2026 ### Impacted Market {#impacted-market} * Availability: Global ## Change 1 - Introduction of Source Provisioning Data {#change-1---introduction-of-source-provisioning-data} The Authorize service will be enhanced as follows: * A new complex object `sourceProvisioningData` will be added to the request. * A new parameter `sourceTokenNumber` will be included in the `fundingAccountData` object. Note: MDES does not retain any information about the source token. ### New Object and Parameters {#new-object-and-parameters} | Field and Description | Data Type | Min Length | Max Length | Required | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|---------------------------------------------------------------------------------------------------------------------| | **sourceProvisioningData** Data related to the source token initiating the provisioning request of another token. | Object | NA | NA | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL or tokenization is initiated through Token Connect. | | **tokenUniqueReference** A unique reference assigned after the allocation of a token. It is used to identify the token for the lifetime duration. | String | 1 | 64 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenRequestorId** A unique identifier for a provisioned source token. | String | 11 | 11 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL. | | **paymentAppInstanceId** The identifier of the payment app instance within a device that will be provisioned with a token. Only present when supplied by a wallet provider. | String | 1 | 48 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenType** The type of token requested for the digitization. Valid values are: * EMBEDDED_SE: Embedded Secure Element * CLOUD: MasterCard Cloud-Based Payments * STATIC: Static token | String | 1 | 16 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | | **isoDeviceType** The two digit device type provided on the ISO messages that the source token has been provisioned. | String | 1 | 2 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenAssuranceLevel** The assurance level assigned to the token. | Number | 1 | 2 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **source** The source of the account information of the referenced token. Must be one of the following: * ACCOUNT_ON_FILE: Source was an existing account on file. * ACCOUNT_ADDED_MANUALLY: Source was a new account entered manually by the account holder. * ACCOUNT_ADDED_VIA_APPLICATION: Source was a new account added by another application (for example, Issuer banking app). * EXISTING_TOKEN_CREDENTIAL: Source was an existing token. * ACCOUNT_ADDED_VIA_BROWSER: Source was a new account added by browser form fill. * ACCOUNT_ADDED_VIA_CHIP_DATA: Source was a new account captured by chip data. * EXTERNAL_TOKEN_CREDENTIAL: Source was external account tokens provided for migration. | String | 24 | 36 | No | | **tokenActivatedDateTime** Source token activation date and time. Expressed in ISO 8601 extended format as one of the following: * YYYY-MM-DDThh:mm:ss\[.sss\]Z * YYYY-MM-DDThh:mm:ss\[.sss\]±hh:mm Where \[.sss\] is optional and can be 1 to 3 digits. | String | 20 | 29 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | | **pushAccountReceipt** A receipt returned from a pushAccount request. It is used to retrieve financial account details. When valid, it includes a three character product prefix followed by a UUID in the format prefix-UUID. Prefix values are: * MCC: Mastercard Credit * DMC: Mastercard Debit * MSI: Maestro * PVL: Private Label | String | 1 | 64 | Conditional -- Present when a tokenization is initiated using Token Connect | ### New Parameter {#new-parameter} | Field and Description | Data Type | Min Length | Max Length | Required | |------------------------------------------------------------------------------------------|-----------|------------|------------|-----------------------------------------------------------------------------------------------------------------------------------| | **sourceTokenNumber** The source token account number used for the provisioning request. | String | 12 | 19 | Conditional -- Required when a token is used to initiate the provisioning of another token and sourceProvisioningData is present. | ## Change 2 - Introduction of Decline Reason Code {#change-2---introduction-of-decline-reason-code} A new parameter will be included in the response, allowing issuers to provide the specific reason why a provisioning request was declined which helps offer clearer insight into declined cases. | Field and Description | Data Type | Min Length | Max Length | Required | |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|---------------------------------------------------------------------------------------------------| | **declineReasonCode** Reason for declining a tokenization request as described below: * LOST: The card has been lost. * EXPIRED: The card is expired. * RESTRICTED: The account or card is currently restricted. * SEC_VIOLATION: A security violation has been detected. * CRYPTO_FAIL: Cryptogram validation for the account failed. * UNACCEPTABLE_PIN: The entered PIN is not acceptable. * EXCEEDS_PIN_TRIES: The maximum number of PIN attempts has been exceeded. * STOLEN: The card has been reported stolen. * INVAL_CARD: The card is invalid. * INVAL_ACCT: The account is invalid. * INVAL_PIN: The PIN entered is invalid. * RCVR_NOTPERM: The token requestor is not permitted. * EXCEEDS_CNT: Validation attempts exceeded. * OTHER: None of the above. | String | 1 | 64 | Optional - Mastercard strongly recommends that you share this data when the decision is declined. | API Reference: `GET /authorizeService` ## Impact {#impact} ### Change 1 {#change-1} This change will be available to issuers who are integrated with Authorize Service API. To opt-in, contact your Mastercard representative. ### Change 2 {#change-2} This change is optional. However, Mastercard recommends that all issuers provide a decline reason code when the tokenization request is declined. ### Personal data \& Privacy Note {#personal-data--privacy-note} Issuers are reminded that the information presented via the Pre-Digitization API includes personal data which is subject to data privacy laws. Issuers must satisfy themselves that the processing of such personal data is compliant with applicable privacy laws.