Skip to content

docs: clarify network token usage and PCI scope in card credentials#367

Open
jamesandersen wants to merge 1 commit intoUniversal-Commerce-Protocol:mainfrom
jamesandersen:docs/network-token-usage
Open

docs: clarify network token usage and PCI scope in card credentials#367
jamesandersen wants to merge 1 commit intoUniversal-Commerce-Protocol:mainfrom
jamesandersen:docs/network-token-usage

Conversation

@jamesandersen
Copy link
Copy Markdown
Contributor

@jamesandersen jamesandersen commented Apr 17, 2026

Summary

  • Add a Pre-Provisioned Network Tokens section to the tokenization guide, documenting the BYOT path where platforms present card network tokens directly (card_number_type: "network_token") without a tokenize/detokenize round-trip
  • Clarify PCI scope differences between FPAN and network token credential modes in the overview and card credential schema description
  • Add a network token credential example with cryptogram and eci_value

Split from #296 into a focused docs-only PR per reviewer feedback. TRID intentionally omitted per discussion in #296.

Type of change

  • Documentation update

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • cspell passes (added MDES to custom dictionary)
  • markdownlint passes

@jamesandersen
docs: clarify network token usage and PCI scope in card credentials
bdef773 
Add documentation for pre-provisioned network token usage and PCI scope
distinctions between FPAN and network token credential modes:

- Add "Pre-Provisioned Network Tokens" section to the tokenization guide
  covering the BYOT path where platforms present card network tokens
  directly as card_number_type: "network_token" without a
  tokenize/detokenize round-trip
- Add network token bullet to Platform PCI Scope in the overview
- Update card_credential.json description to distinguish PCI scope
  between fpan (full PCI DSS) and network_token (reduced scope)

References Universal-Commerce-Protocol#296 — split from the original card network token credential
PR into a focused docs-only change per reviewer feedback.
@jamesandersen jamesandersen requested review from a team as code owners April 17, 2026 07:05
@kmcduffie
Copy link
Copy Markdown

kmcduffie commented Apr 20, 2026

@jamesandersen At a high level I think this makes sense. At the same time, I would like to avoid setting the UCP documentation in a way that it needs to be updated if PCI guidance changes. Would you be open to adjusting the language to reference the PCI guidance and do the right thing?

@kmcduffie kmcduffie self-assigned this Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kmcduffie kmcduffie Awaiting requested review from kmcduffie kmcduffie is a code owner automatically assigned from Universal-Commerce-Protocol/maintainers

@archrao archrao Awaiting requested review from archrao archrao is a code owner automatically assigned from Universal-Commerce-Protocol/maintainers

@wry-ry wry-ry Awaiting requested review from wry-ry wry-ry is a code owner automatically assigned from Universal-Commerce-Protocol/devops-maintainers

@nicholasjameshall nicholasjameshall Awaiting requested review from nicholasjameshall nicholasjameshall is a code owner automatically assigned from Universal-Commerce-Protocol/devops-maintainers

At least 2 approving reviews are required to merge this pull request.

Assignees

@kmcduffie kmcduffie

Labels

payments

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jamesandersen @kmcduffie @ptiper