A token is a unique string ID that references stored customer information (Wallet) or a customer's stored payment information (such as a credit card or an echeck). Tokens provide customers convenient, secure access to their billing, shipping, and payment information, making the checkout process faster and easier. For merchants, tokens provide a convenient method of collecting scheduled recurring payments.

PCI Compliance Requirements for Tokens

Merchants may choose to control their own token deployment model or use a tokenization service provider (TSP) like Forte to deploy a tokenization solution. Regardless of who controls the tokenization solution, it must adhere to the following PCI DSS requirements.

The tokenization solution

Forte's Tokenization Solution

The Forte platform supports tokens for customer (Wallet), payment ("paymethod"), and address data.

Customer Tokens (Wallets)

Customer tokens (Wallet) reference the following stored information:

Paymethod Tokens

Paymethod tokens reference the following stored information within a permanent token (for recurring transactions) or a one-time-use token (for credit card transactions only):


NOTE: Paymethod tokens are associated with Customer Tokens when they're created. However, if no Customer Token is associated with a Paymethod Token when created, the Paymethod Token becomes clientless.

Address Tokens

Address tokens reference the following stored information:

Merchants can create customer and payment tokens in both Forte Checkout and the API web services.

Creating Tokens in Checkout

To create a token in Checkout, merchants must pass the following parameters in their button code:


Forte returns the customer and payment tokens to the merchant in a callback message like the one displayed below:


Creating Tokens Via Web Services

To create a token via web services, merchants make a POST call to one or both of the following endpoints:

The REST service creates the tokens and sends the values back to the merchant in a response call.

Token Compatibility

Tokens created in Forte Checkout or with Forte's RESTful web services are not compatible with products like Virtual Terminal, SWP, or Batch Transmission.

Token Sharing

Forte supports two models for sharing tokens:

  1. Sharing tokens across a Merchant’s Locations.
  2. Sharing a parent Account’s tokens with a set of child Accounts (and corresponding Locations).


Method 1, sharing tokens across the Locations for a Merchant’s Account, works out-of-the-box with no additional setup required. Method 2, sharing a parent Account’s tokens with a set of child Accounts, requires a Partner relationship with Forte. We will need to provision a special Partner Account for you, where you will store the tokens that you intend to share with your child Merchant Accounts.

Method 1: Cross-Location Sharing

Merchants who have multiple Locations within their Account can use Cross-Location token sharing to share customer and payment information across each of their Locations. For example, a Merchant who is a national gym wants its members to be able to pay for goods and services at any of its locations without the need to re-capture payment information, which the gym already has tokenized and stored securely. With Cross-Location token sharing, any member can walk into any Location of the gym and have the exact same customer experience, whether they are in for a quick workout or need to purchase some incidentals that they may have left behind while traveling.

Method 2: Child Account Sharing

With this method, companies that operate a marketplace or act as an aggregator may share their stored customer and payment information with a multitude of sellers who are set up with their own processing Merchant Account. In this scenario, Forte sets up a partner with a Partner Account and all of the partner’s sub-merchants are set up immediately below the partner within a hierarchy as “child” Merchant Accounts. The Partner can now initiate Transactions to the child Merchant Accounts using the customer data that Forte stores at the Partner or “parent” level.

NOTE: API access must be set at the Partner level in order to access data stored at the Partner level and initiate Transactions using the data that is tokenized at the Partner level.
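The scoping rules of the two sharing models, written as an authorization check a merchant or partner integration could run before submitting a transaction with a stored token. This is an added sketch, not Forte's code or API: the class names, the `may_use_token` function, and all account, location, and token identifiers are hypothetical, and denying anything outside the two models is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Account:
    account_id: str
    locations: frozenset
    parent_id: Optional[str] = None  # Partner Account above a child Merchant Account

@dataclass(frozen=True)
class Token:
    token_id: str
    owner_account_id: str  # Account level at which the token is stored

# Constructed sample hierarchy; every identifier here is hypothetical.
ACCOUNTS = {a.account_id: a for a in (
    Account("act_gym", frozenset({"loc_1", "loc_2"})),
    Account("act_partner", frozenset()),
    Account("act_child_a", frozenset({"loc_a1"}), parent_id="act_partner"),
    Account("act_child_b", frozenset({"loc_b1"}), parent_id="act_partner"),
)}

def may_use_token(token, api_account_id, target_account_id, target_location,
                  accounts=ACCOUNTS):
    """Decide whether a transaction at the target Location may use the token."""
    target = accounts.get(target_account_id)
    if target is None or target_location not in target.locations:
        return False, "unknown target Account or Location"
    # API access must sit at the level where the token is stored (the page
    # states this for Partner-level tokens; applying it to Method 1 is assumed).
    if api_account_id != token.owner_account_id:
        return False, "API access is not at the token's storage level"
    if target.account_id == token.owner_account_id:
        return True, "method 1: same Account, any of its Locations"
    if target.parent_id == token.owner_account_id:
        return True, "method 2: parent token used for a child Account"
    # Assumption of this sketch: anything outside the two models is denied.
    return False, "target is outside the token owner's hierarchy"

if __name__ == "__main__":
    partner_token = Token("tok_partner", "act_partner")
    for caller in ("act_partner", "act_child_a"):
        print(caller, may_use_token(partner_token, caller, "act_child_a", "loc_a1"))
```

The returned reason string is suited to an audit log, so a denied cross-account token use can be reviewed later.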