When a user makes a purchase at a merchant, the merchant requests a token from the user. This can be a one-time token, which can be redeemed only once, or a recurring token, which has “card-on-file” properties and lets the merchant redeem against it multiple times. The request goes through the Token layer at the user’s bank, which confirms the merchant’s credentials and forwards the token request to the user for approval.

The user receives the token request on a device of their choosing (e.g. mobile phone, computer or tablet) and can approve or deny it. On approval, the private key held on the user’s device digitally signs the request. The signed request is then returned to the user’s bank, which verifies the user’s digital signature and adds its own signature to confirm that everything is correct.
The digitally signed and approved token is then returned to the merchant, which can now redeem against it, as long as each redemption is within the rules of the token.
When the merchant redeems against the token, a payment request is made. The bank receives the token ID and the payment request, checks all signatures, and checks that the request is within the constraints set by the token rules.
If the token rules are satisfied and the signatures are valid, money is moved over legacy rails to the merchant’s bank. If both banks are Token-enabled, settlement can instead be done through Token rather than legacy rails, making it instant.