Nelnet Payment Services (NPS) provides Payment Credential Lifecycle Management to automatically maintain and update stored payment credentials across multiple payment types.
This capability reduces payment failures, improves authorization rates, and removes operational burden from merchants by transparently handling credential changes behind the scenes.
It applies to:
- Credit cards
- Network tokens
- Apple Pay
- PayPal and Venmo
- ACH accounts (returns and NOCs)
All updates are handled by NPS using the Tokenization Service. Client-facing tokens remain stable.
Tokens stay the same. The underlying payment credentials are updated automatically while retaining full history.
Merchants and partners always reference the same token when processing payments.
NPS updates the underlying credential as changes are received from networks or banks.
Clients do not control these updates and do not need to opt in per transaction.
Payment Credential Lifecycle Management currently supports:
- Credit cards
- Network tokens
- Visa network tokens (merchants processing with TSYS)
- Mastercard network tokens (merchants processing with Worldpay)
- Apple Pay (merchants processing with TSYS)
- PayPal and Venmo
- ACH accounts
- Returns
- Notifications of Change (NOCs)
Additional networks and payment types may be added over time.
For eligible merchants, NPS may automatically replace stored card credentials with network tokens.
- This process is automatic and transparent
- Merchants cannot enable, disable, or control network token usage
- The client-facing token does not change
This improves:
- Authorization success rates
- Card lifecycle continuity
- Network compliance
- The same token value is always used
- Payment responses include:
- Token last four
- Token type used (PAN, NETWORK_TOKEN)
These fields are returned in the Payments API response.
Wallet-based payment methods also participate in lifecycle management.
- Credential updates are handled by the network or wallet provider
- NPS maintains token validity and usability
- No merchant action is required
Tokens remain stable even as underlying wallet credentials evolve.
ACH lifecycle management focuses on bank-driven updates and restrictions.
- ACH transactions may be returned after settlement
- Returns include reason codes (R-codes)
- Some R-codes indicate:
- Insufficient funds (NSF)
- Account closed
- Account restricted to certain transaction types
NPS enforces these restrictions automatically to prevent invalid future transactions.
An ACH Notification of Change (NOC) indicates updated bank account information, such as:
- New routing number
- New account number
- Account type changes
When a NOC is received, NPS updates the token automatically.
- The token is updated with the new account details
- The token value does not change
- Future transactions automatically use the updated information.
If you process ACH without tokens, NPS will automatically identify when you've supplied an outdated ACH account, transparently swap out to the correct ACH account, and provide information in the payment response about the new ACH account.
Merchants and partners may subscribe to payment credential lifecycle events using the OSI Push Notification Service.
Subscriptions are highly recommended but not required.
Subscriptions are configured in the OSI Portal and may be delivered via:
- Webhook
Subscriptions may be created at the platform or merchant level.
When subscribed via email:
- The recipient receives an email indicating a credential update occurred
- The email includes a link to view updated account details for the affected token
- Details are accessed securely through the portal
Webhook subscriptions deliver events via HTTP POST to merchant or partner systems.
All lifecycle events use a standardized event format.
{
"eventType": "Payment Credential Updated",
"sourceApplicationName": "tokenization-service",
"entityId": "123456",
"createDateTime": "2026-01-08T10:30:00.000Z",
"payload": {},
"notificationMessageId": "37be76e7-2456-4ec4-9e42-550228ded064",
"status": "Posted",
"merchantId": "merchant_123"
}The payload does not include updated credential data. It only indicates that a change occurred.
If a client requires updated credential details (such as last four digits or expiration date), they may retrieve them using the Tokenization API.
GET https://api.nelnetpay.com/tokenization/{token}/details
Authorization: Bearer <JWT>This endpoint returns:
- Token metadata
- Updated account or card details
- Current credential status
- Clients cannot control credential updates
- Clients cannot disable network tokenization
- Clients can observe changes via notifications
- Clients can retrieve updated details when needed
- Higher authorization success rates
- Fewer failed payments due to stale credentials
- Reduced operational overhead
- Consistent token usage across payment types
- Transparent lifecycle management
- Payment Credential Lifecycle Management keeps tokens usable over time
- Tokens remain stable while credentials are updated
- Network tokens are applied automatically when eligible
- ACH returns and NOCs are enforced and processed automatically
- Optional notifications keep merchants informed
- Updated details can be retrieved via API when required