
Ximedes Embedded Payments


Improving Consumer Experiences

Embedded payments are seamless. They are so well integrated into the overall consumer experience that you hardly notice a payment being made. The prime example is Uber: when you leave the taxi, the fare is paid directly from the app, with no need to switch to another app or perform complex actions. The oldest example of embedded payments is provided by Amazon. Their "one-click payment" allows goods to be paid for with literally one click, straight from the Amazon website or app. Because they make consumers' lives easier, embedded payments boost conversion rates.

Banks and PSPs can enable embedded payments for merchants if they provide tokenization services directly on behalf of their merchants. On this page we show how Ximedes can help you become an On Behalf Of Tokenization service and help your merchants in an unprecedented way to become more successful.


What powers embedded payments?



The most common way for merchants to enable embedded payments used to be storing the consumers' card details on file. The consumer enters their card details at a merchant once, and the details are then stored in a secure, PCI-compliant environment. Storing card details calls for the comprehensive security measures that PCI regulations require. That is understandable, as anybody who can lay their hands on these card details can commit fraud and initiate payments on behalf of the card owner.


Triggering Payments

When the consumer triggers a payment (e.g. by exiting a taxi, or by clicking a button) these card details are retrieved from the PCI-compliant vault by the merchant, and a new payment is initiated using these card details. That explains why the consumer does not have to re-enter any payment details, making the payment experience faster and much more pleasant.



Then tokenization was introduced by card companies such as MasterCard and VISA. A merchant using tokenization gets the card details from the consumer, and sends them to a special service in the card network to tokenize the card. The sensitive card data is replaced by a substitute value, a token, that can be stored on file quite safely. 

Tokens that are created by the services of Mastercard, VISA or another card brand are called network tokens. In practice merchants that hash or encrypt the card data in their own proprietary way also call the result a token.  

But a network token has a unique property. The merchant can initiate a payment with a network token as if it were normal card data. However, only the merchant that created the network token can use it to initiate a payment. A fraudster who gets hold of a token and tries to use it will not be successful.


How Banks and PSPs can enable Embedded Payments


Offer Tokenization Services

Large merchants such as Uber and Amazon have no trouble setting up their own tokenization services and adding their custom checkout flows on top.

For small merchants the situation is different. Enrolling in the MasterCard and VISA tokenization program is too time-consuming and too costly.

As a bank or PSP you can help these smaller merchants by providing tokenization services for them. All the merchant has to do is connect to these services, provide a PAN and other card details, and get a token (or a reference to a token) which they can safely store in their systems. For merchants there should be no PCI DSS requirements and very little risk, and the tokens remain valid even when the credit card expires.

When the merchant wants to initiate a payment (merchant initiated transaction), they simply provide the token or reference and an amount to trigger the payment.

The merchant decides when to initiate a new payment. It can be monthly, to charge for a subscription, it may be when the consumer clicks a "pay now" button, it may be when a consumer holds their phone close to a beacon. It's up to the merchant to embed the payment flow in their UX.

Tokenization services allow the merchant to embed the payment in any checkout flow, thus providing the consumer the perfect seamless experience.

Embedded Payment Page

Become a token service

How Ximedes helps banks and PSPs

If you want to become a token service and help merchants provide a seamless user experience Ximedes can help.

To become a token service, you must provide an API that can be used by merchants. The most important service in that API takes a PAN and other card details and returns a token, or more often a reference to the token. Actually, to lower the PCI burden on merchants, entering the PAN and other card data should happen on a page hosted by you as a bank.

The token or reference is subsequently returned by your API. Internally the calls to the relevant VISA or MasterCard services are made to generate the token.

Another principal API-endpoint takes the reference or token and subsequently initiates a card payment. This endpoint can be called by merchants periodically in case of a subscription, or when a certain event occurs (e.g. a button is pressed). 
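The two endpoints described above can be sketched as a small in-memory model; this is an added example, not Ximedes' software or a card brand API. The class and method names are hypothetical, the dictionary stands in for the PCI-compliant vault, and the card-network tokenization call is replaced by a random value.

```python
import secrets

class TokenService:
    """Toy bank-side token service: tokenize a card, then charge by reference."""

    def __init__(self):
        self._vault = {}  # reference -> record; the PAN itself is never stored

    @staticmethod
    def luhn_ok(pan):
        """Reject mistyped card numbers before they reach the card network."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            return False
        total = 0
        for i, ch in enumerate(reversed(pan)):
            d = int(ch)
            if i % 2 == 1:            # double every second digit from the right
                d = d * 2 - 9 if d > 4 else d * 2
            total += d
        return total % 10 == 0

    def tokenize(self, merchant_id, pan):
        """Endpoint 1: card details in, opaque reference out."""
        if not self.luhn_ok(pan):
            raise ValueError("invalid PAN")
        record = {
            "merchant_id": merchant_id,               # token is bound to its creator
            "network_token": secrets.token_hex(8),    # assumption: stand-in for the
                                                      # VISA/Mastercard token call
            "last4": pan[-4:],
        }
        reference = "ref_" + secrets.token_urlsafe(16)
        self._vault[reference] = record
        return reference

    def charge(self, merchant_id, reference, amount_minor):
        """Endpoint 2: reference + amount in, payment initiated.

        merchant_id must come from the caller's authenticated API
        credentials, never from a field the caller can set freely.
        """
        record = self._vault.get(reference)
        # Same error for "unknown" and "belongs to another merchant", so a
        # leaked reference reveals nothing and cannot be used elsewhere.
        if record is None or record["merchant_id"] != merchant_id:
            raise PermissionError("reference not valid for this merchant")
        if amount_minor <= 0:
            raise ValueError("amount must be positive")
        return {"status": "submitted", "last4": record["last4"],
                "amount_minor": amount_minor}
```

The merchant stores only the returned reference; a reference presented under another merchant's credentials is rejected exactly like an unknown one.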

Ximedes helps organizations to build this software, making sure it complies with PCI-DSS regulations and can be certified by the card brands.






Secure Remote Commerce


Mastercard and VISA also offer their own way of employing tokenized payments with Click to Pay, which is essentially an heir to previous solutions such as MasterPass Wallet.

Merchants can add a Click to Pay button on their site, and when the consumer clicks it one of two things happens:

1. The consumer has never used Click To Pay before and is asked to provide their street address and payment details. These are saved at Mastercard or VISA.

2. The consumer has already provided their data to the card brands earlier. They can simply pay in just a few clicks, without providing any payment details or other data. The address data is shared with the merchant, so the checkout process of the consumer becomes much shorter and more seamless, comparable perhaps to a PayPal flow.

Although Click to Pay is a huge leap forward, and quite easy to implement, it cannot offer the seamlessness of storing the tokenized PAN at the merchant or at the bank as discussed above, as consumers always have to confirm on the Click-to-pay page of the card brand.

What can banks do

Banks and PSPs can help make Click to Pay integration easier than it already is. The simplest way is to add a Click to Pay button to the hosted payment pages, but they can also make sure that their eComm plugins can accept address data from MasterCard and VISA.

Ximedes can help you build a Click to Pay integration layer.







Ready to Transform Your Business with Embedded Payments? We can help.