Solidgate logo in black and white.

Mastercard Digital Enablement Service

What is Mastercard Digital Enablement Service (MDES)?

Mastercard Digital Enablement Service (MDES) is Mastercard's tokenization platform that replaces a card's primary account number (PAN) with a unique digital token. The token, not the real card number, is what passes through the network for transaction , which keeps sensitive credentials out of merchant and device systems.
MDES applies to payment credentials so a Mastercard can pay across many digital surfaces without exposing the underlying card. It backs a range of experiences, including , in-app purchases, provisioning to mobile , and card-on-file online checkouts. Visa runs an equivalent service, ; both implement the EMVCo payment tokenization framework.

Key facts

  • Operator: Mastercard. MDES is its network tokenization service, the counterpart to Visa Token Service.
  • What it replaces: the card's primary account number (PAN), swapped for a device- or merchant-specific token.
  • Standard: implements the EMVCo payment tokenization framework, the shared industry spec for network tokens.
  • Where it's used: mobile and wearable wallets, contactless taps, in-app purchases, and card-on-file online payments.
  • Not encryption: unlike , which reversibly scrambles the card number, a token has no mathematical link back to the PAN.
  • Per-transaction security: each payment carries a one-time cryptogram, so a stolen token can't be replayed.

How MDES works

Four parties take part in an MDES flow:
  • Token requestor – the wallet, app, or merchant asking for a token.
  • Issuer – the bank that approves the card for tokenization and authorizes payments.
  • MDES token vault – Mastercard's system that issues tokens and maps them back to real cards.
  • Cardholder – the person whose card is tokenized.
  1. Token request: A cardholder adds a Mastercard card to a wallet, app, or merchant account, and the token requestor asks MDES to tokenize the card.
  2. Identification and verification (ID&V): MDES and the issuer confirm the card and the requester are legitimate before a token is issued; higher-risk requests trigger an extra verification step.
  3. Token provisioning: MDES issues a token bound to that specific device, app, or merchant, and stores the mapping between the token and the real card number in its secure vault.
  4. Transaction: At payment, the device or merchant sends the token plus a one-time cryptogram instead of the card number.
  5. De-tokenization and authorization: MDES maps the token back to the real PAN, validates the cryptogram, and forwards the request to the for .

Why it matters

Because the merchant or device never stores the real card number, a breach of their systems exposes tokens that are useless elsewhere – a token bound to one merchant or device can't be replayed against another. That shrinks the value of stolen data and narrows the scope of card data a business has to protect.
Network tokens also stay current. When a card is reissued or its expiry date changes, MDES updates the token behind the scenes, so saved cards and subscriptions keep working without the cardholder re-entering details. For , that means fewer declines on stored credentials.
Issuers also tend to treat tokenized payments as lower risk, because the token arrives with verified provisioning data and a cryptogram the issuer can check. That added confidence can lift authorization rates on tokenized transactions compared with payments sent on a raw card number.

Common issues

  • Provisioning friction: when ID&V can't automatically confirm a card, the cardholder is sent through a step-up check, such as a one-time passcode, which adds friction to wallet enrollment.
  • Issuer and region coverage: tokenization depends on the issuer supporting MDES, so coverage varies by bank and market.
  • Token lifecycle management: tokens are bound to a device, app, or merchant, so a lost device or a change of merchant requires re-provisioning rather than reuse.

Related terms