# Updated May 2026 Pre-Release Notes source: https://developer.mastercard.com/mdes-pre-digitization/documentation/pre-release-notes/prereleasenote_token_lienage_may26/index.md ## Release Change Summary {#release-change-summary} MDES is enhancing the Pre-Digitization API to assist issuers in making better-informed fraud management decisions, thereby providing improved support to cardholders. As part of this change, MDES will allow issuers to: * Receive token details of the source token that initiated provisioning. * Receive provisioning context for the tokenization request. * Provide a decline reason code when the tokenization decision is declined. ### Change Log {#change-log} * Added provisioning context details to provide additional FPAN source information. ##### Impacted APIs: {#impacted-apis} * Authorize Service (AS) ## Release Timeline {#release-timeline} * MTF: 6 May 2026 * Production: 10 June 2026 ### Impacted Market {#impacted-market} * Availability: Global ## Change 1 - Introduction of Source Provisioning Data {#change-1---introduction-of-source-provisioning-data} The Authorize service will be enhanced as follows: * A new complex object `sourceProvisioningData` will be added to the request. * A new parameter `sourceTokenNumber` will be included in the `fundingAccountData` object. * A new parameter `provisioningContext` will be added to the request. Note: MDES does not retain any information about the source token. ### 1.1 Complex object Source Provisioning Data {#11-complex-object-source-provisioning-data} | Field and Description | Data Type | Min Length | Max Length | Required | |-------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|---------------------------------------------------------------------------------------------------------------------| | **sourceProvisioningData** Data related to the source token initiating the provisioning request of another token. | Object | NA | NA | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL or tokenization is initiated through Token Connect. | **Source Provisioning Data parameters** | Field and Description | Data Type | Min Length | Max Length | Required | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------------------------------------------------------------------------| | **tokenUniqueReference** A unique reference assigned after the allocation of a token. It is used to identify the token for the lifetime duration. | String | 1 | 64 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenRequestorId** A unique identifier for a provisioned source token. | String | 11 | 11 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL. | | **paymentAppInstanceId** The identifier of the payment app instance within a device that will be provisioned with a token. Only present when supplied by a wallet provider. | String | 1 | 48 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenType** The type of token requested for the digitization. Valid values are: * EMBEDDED_SE: Embedded Secure Element * CLOUD: MasterCard Cloud-Based Payments * STATIC: Static token | String | 1 | 16 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | | **isoDeviceType** The two digit device type provided on the ISO messages that the source token has been provisioned. | String | 1 | 2 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **tokenAssuranceLevel** The assurance level assigned to the token. | Number | 1 | 2 | Conditional -- Optionally present when source is EXISTING_TOKEN_CREDENTIAL | | **source** The source of the account information of the referenced token. Must be one of the following: * ACCOUNT_ON_FILE: Source was an existing account on file. * ACCOUNT_ADDED_MANUALLY: Source was a new account entered manually by the account holder. * ACCOUNT_ADDED_VIA_APPLICATION: Source was a new account added by another application (for example, Issuer banking app). * EXISTING_TOKEN_CREDENTIAL: Source was an existing token. * ACCOUNT_ADDED_VIA_BROWSER: Source was a new account added by browser form fill. * ACCOUNT_ADDED_VIA_CHIP_DATA: Source was a new account captured by chip data. * EXTERNAL_TOKEN_CREDENTIAL: Source was external account tokens provided for migration. | String | 24 | 36 | No | | **tokenActivatedDateTime** Source token activation date and time. Expressed in ISO 8601 extended format as one of the following: * YYYY-MM-DDThh:mm:ss\[.sss\]Z * YYYY-MM-DDThh:mm:ss\[.sss\]±hh:mm Where \[.sss\] is optional and can be 1 to 3 digits. | String | 20 | 29 | Conditional -- Present when source is EXISTING_TOKEN_CREDENTIAL | ### 1.2 Source Token Number {#12-source-token-number} | Field and Description | Data Type | Min Length | Max Length | Required | |------------------------------------------------------------------------------------------|-----------|------------|------------|-----------------------------------------------------------------------------------------------------------------------------------| | **sourceTokenNumber** The source token account number used for the provisioning request. | String | 12 | 19 | Conditional -- Required when a token is used to initiate the provisioning of another token and sourceProvisioningData is present. | ### 1.3 Provisioning Context {#13-provisioning-context} A new optional parameter is available in the request to support issuer risk assessment and decisioning. | Field and Description | Data Type | Min Length | Max Length | Required | |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|----------| | **provisioningContext** Indicates the provisioning context which is applicable to device wallets. Possible values: * ADP (Authorized Device Provisioning): The wallet authenticates the user on both devices before initiating the tokenization request. The wallet shares existing token information as account data. * MDP (Multi Device Provisioning): After provisioning to one device, the cardholder requests to push the same account to additional devices. The wallet shares existing token information as account data.
**Note:** ADP and MDP values are available when the account source is EXISTING_TOKEN_CREDENTIAL. | String | 3 | 10 | No | For details, refer the announcement [Provisioning Context](https://trc-techresource.mastercard.com/r/bundle/m_an12761_en-us/page/d/en-US/ymn7085930432344.html) ## Change 2 - Introduction of Decline Reason Code {#change-2---introduction-of-decline-reason-code} A new parameter will be included in the response, allowing issuers to provide the specific reason why a provisioning request was declined which helps offer clearer insight into declined cases. | Field and Description | Data Type | Min Length | Max Length | Required | |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------|------------|------------|---------------------------------------------------------------------------------------------------| | **declineReasonCode** Reason for declining a tokenization request as described below: * LOST: The card has been lost. * EXPIRED: The card is expired. * RESTRICTED: The account or card is currently restricted. * SEC_VIOLATION: A security violation has been detected. * CRYPTO_FAIL: Cryptogram validation for the account failed. * UNACCEPTABLE_PIN: The entered PIN is not acceptable. * EXCEEDS_PIN_TRIES: The maximum number of PIN attempts has been exceeded. * STOLEN: The card has been reported stolen. * INVAL_CARD: The card is invalid. * CLOSED ACCOUNT: The card is closed. * INVAL_ACCT: The account is invalid. * INVAL_PIN: The PIN entered is invalid. * RCVR_NOTPERM: Token Authorization is not permitted to the issuer. * SNDR_NOTPERM: The token requestor is not permitted. * EXCEEDS_CNT: Validation attempts exceeded. * DO_NOT_HONOR: None of the above. | String | 1 | 64 | Optional - Mastercard strongly recommends that you share this data when the decision is declined. | ### Decline Reason Codes Mapping Information {#decline-reason-codes-mapping-information} | Reason Code | Description | Corresponding Auth Response Code | |-------------------|-------------------------------------------------------|----------------------------------| | EXPIRED | The card is expired. | 54 | | RESTRICTED | The account or card is currently restricted. | 62 | | SEC_VIOLATION | A security violation has been detected. | 63 | | CRYPTO_FAIL | Cryptogram validation for the account failed. | 88 | | UNACCEPTABLE_PIN | The entered PIN is not acceptable. | 89 | | EXCEEDS_PIN_TRIES | The maximum number of PIN attempts has been exceeded. | 75 | | STOLEN | The card has been reported stolen. | 43 | | INVAL_CARD | The card is invalid. | 14 | | CLOSED ACCOUNT | The account is closed. | 46 | | INVAL_ACCT | The account is invalid. | 78 | | INVAL_PIN | The PIN entered is invalid. | 55 | | RCVR_NOTPERM | Token authorization is not permitted to the issuer. | 57 | | SNDR_NOTPERM | The token requestor is not permitted. | 58 | | EXCEEDS_CNT | Validation attempts exceeded. | 65 | | DO_NOT_HONOR | None of the above. | 05 | API Reference: `GET /authorizeService` ## Impact {#impact} ### Change 1 {#change-1} This change will be available to issuers who are integrated with Authorize Service API. To opt-in, contact your Mastercard representative. ### Change 2 {#change-2} This change is optional. However, Mastercard recommends that all issuers provide a decline reason code when the tokenization request is declined. ### Personal data \& Privacy Note {#personal-data--privacy-note} Issuers are reminded that the information presented via the Pre-Digitization API includes personal data which is subject to data privacy laws. Issuers must satisfy themselves that the processing of such personal data is compliant with applicable privacy laws.