I am working for a client who has a legacy Server integration and makes use of the Token system. The SagePay API shows they have 1583 saved Tokens, however they only have 421 saved in their database – a huge discrepancy which I have been asked to investigate.
I think this is what has been happening:
- Customer decides to click the “Save your card details” checkbox on their website
- The POST is sent to SagePay containing “CreateToken=1&StoreToken=1”
- Customer gets redirected to SagePay and decides to pay by PayPal instead
- A Token gets created and the company gets charged for it even though it can’t ever be used
The Dev before me saved the Token from the notification page only if the payment type used was Credit Card, which makes sense. What nobody realised until now was that SagePay would create and save Tokens even if the customer paid with PayPal. Surely this shouldn’t be the case!
That means we have 1162 Tokens that we have simply lost control of. It is quite expensive to store so many Tokens and I have been asked to see if I can reduce the number. It is fairly easy to remove Tokens through the SagePay API, that is if you have the original Token! In this case, we don’t have all of them.
I have contacted SagePay support but they just referred me to the API which doesn’t solve the issue.
Will the Tokens we’ve lost control of simply naturally expire and delete?
Is there anything we can do to reduce the number of Tokens?
Thanks
2 Answers
There are two ways to create tokens:
- PAYMENT, ask SagePay to additionally tokenize the card details (so you can reuse them without needing to store the card details)
- TOKEN request.
If you are creating a token in a standalone TOKEN request, and then thereafter submitting a PAYMENT using the previously tokenized details, the solution I would recommend is creating a token as part of a PAYMENT (i.e. one API request rather than two).
If you are already creating the token as part of the PAYMENT, the only solution I could recommend is keeping track of tokens stored in your data store, and if they haven’t been used for any payments, have a scheduled job to remove these tokens (using the REMOVETOKEN request).
There seems to be a bug on submitting createToken=1 via Server, when the consumer selects Paypal – if you use the Reporting API to query such a useless token, the expiry returned is XXXX – which means it will never expire, so your client will be paying for it forever!
I’d contact Sage support if I were you and request a complete list of tokens that they hold, then use the API to query getTokenDetails on each, then discard those which are not usable / no longer active (via the REMOVETOKEN API call).
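The scheduled clean-up both answers describe (track tokens in your own data store, remove the ones never used for a payment via REMOVETOKEN), as an added example that is not SagePay's code or the client's: the endpoint URL, the VPSProtocol value and the request/response field names are assumptions to confirm against the Server protocol documentation, and the records and gateway responses are constructed.

```python
"""Scheduled job: remove SagePay tokens that were never used for a payment.
Added example, not SagePay's or the client's code."""
from datetime import datetime, timedelta
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed endpoint and field names: confirm against your SagePay Server
# protocol documentation before use (test gateway shown).
REMOVETOKEN_URL = "https://test.sagepay.com/gateway/service/removetoken.vsp"
VPS_PROTOCOL = "3.00"

# Constructed sample records from the merchant's own data store: a row is
# written when CreateToken=1 is sent; last_used is set only by a card payment.
SAMPLE_RECORDS = [
    {"token": "{TOKEN-0001-CONSTRUCTED}", "created": datetime(2014, 1, 5),
     "last_used": datetime(2014, 6, 1)},
    {"token": "{TOKEN-0002-CONSTRUCTED}", "created": datetime(2014, 1, 6),
     "last_used": None},   # customer switched to PayPal; token never used
]
SAMPLE_NOW = datetime(2014, 7, 1)

def select_stale_tokens(records, now, max_unused_days=90):
    """Tokens never used, or unused for longer than the cut-off, are candidates."""
    cutoff = now - timedelta(days=max_unused_days)
    return [r["token"] for r in records
            if (r["last_used"] or r["created"]) < cutoff]

def build_removetoken_request(vendor, token):
    """Form fields for a Server-protocol REMOVETOKEN request (assumed names)."""
    return {"VPSProtocol": VPS_PROTOCOL, "TxType": "REMOVETOKEN",
            "Vendor": vendor, "Token": token}

def parse_sagepay_response(body):
    """SagePay replies with CRLF-separated key=value lines."""
    fields = {}
    for line in body.replace("\r\n", "\n").split("\n"):
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields

def remove_token(vendor, token, post=None):
    """Send REMOVETOKEN and return True only when SagePay reports Status=OK.
    `post` is injectable so the job can be exercised without network access."""
    payload = urlencode(build_removetoken_request(vendor, token)).encode()
    send = post or (lambda url, data: urlopen(url, data=data).read().decode())
    return parse_sagepay_response(send(REMOVETOKEN_URL, payload)).get("Status") == "OK"

def run_cleanup(records, vendor, now, post=None):
    """Remove every stale token; return the tokens SagePay confirmed removed."""
    return [t for t in select_stale_tokens(records, now)
            if remove_token(vendor, t, post)]
```

Tokens whose removal the gateway does not confirm stay in the store, so the next run retries them rather than silently dropping the record.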