Hi @Beth,  Thank you for reaching out. An agent will get back to you as soon as possible. Until then, if any community member has information that may be helpful, feel free to reply in this thread.

Hey @Beth,

In the Visa Token Service (VTS) specification, the Approve Provisioning API indeed involves the use of encrypted data objects. According to the VTS documentation, certain types of information must be encrypted to ensure security and compliance.

The specific details you mentioned are:

1. Token Information: This typically includes details about the token being provisioned, such as the token reference ID, token status, and token expiry date.
2. Device Information: This includes data about the device where the token will be provisioned, such as device type, device ID, and device capabilities.

For the Approve Provisioning API, the documentation specifies that the encrypted data includes only Cardholder Information and Risk Information. This means that:

1. Token Information and Device Information are not part of the encrypted data for this API. These should be included in the root payload of the API request rather than within the encrypted data object.
2. If a structure is recognized as part of the encrypted data within the VTS service, it should always be treated as such and you should expect to receive it in an encrypted format, necessitating decryption on your end. However, since the Token Information and Device Information are not listed as part of the encrypted data for the Approve Provisioning API, these should not be encrypted and should be mapped as part of the root payload.

In conclusion, for the Approve Provisioning API, you should include the Token Information and Device Information as part of the root payload and not within the encrypted data object. Always refer to the specific API documentation for the most accurate and detailed information.