Secure Data Handling Options
To support issuers who may not be fully PCI-DSS compliant, we provide two secure methods for handling sensitive card data:
SDK Mode – A software development kit (SDK) is provided to issuers. The SDK manages sensitive data securely within the mobile application, ensuring that sensitive elements such as PAN, CVC, and card contract numbers are handled in a compliant way without the issuer directly processing or storing them.
RSA Key Mode – Instead of handling sensitive data directly, issuers can use an RSA key–based method. The issuer’s server acts as a proxy, never decrypting sensitive data. Sensitive fields are encrypted using a public RSA key generated by the cardholder’s mobile application, ensuring that only the app can decrypt and display the card data.
SDK
-
Set SDK dependencies to the project: copy the files to the project's libs.
-
Configure in the project's build.gradle
-
Setting up runtime dependencies
-
Call function
RSA Key Mode
Display Card Details to the Cardholder
This API is used to inquiry the PAN number and expiry date from the CMS for a specified card.
Request:
| Data Element | Field Name | Description | Format | Length | M/O | Remark | |
|---|---|---|---|---|---|---|---|
| 1 | Card Token | cardToken | Card Token | String | Maximum 19 characters | Required | |
| 2 | Card Expiry Date | expiryDate | Card Expiry Date | String | YYMM | Required | |
| 3 | Public Rsa Key | publicKey | Customer Public Rsa Key | String | Maximum 4096 character | Required | RSA Public Key |
Response:
| Data Element | Field Name | Description | Format | Length | M/O | Remark | |
|---|---|---|---|---|---|---|---|
| 1 | Card Token | cardToken | Card Token | String | Maximum 19 characters | Required | |
| 2 | Card Mask Number | cardNumber | Card Mask Number | String | Maximum 19 characters | Required | |
| 3 | Card Expiry Date | expiryDate | Card Expiry Date | String | YYMM | Required | |
| 4 | Embossed Name | embossName | Card Emboss Name Format:Last Name/First Name | String | Maximum 26 characters | Optional | |
| 5 | Encrypted Card Contract Number | encCardNumber | Encrypted Card Contract Number | String | Maximum 2048 characters | Required |
Retrieves a CVC2 for a card plastic
This API is used to retrieve a Card Verification Code (CVC2) for a given card plastic (card plastic exists also for a virtual card - is not always a physical card) from CMS.
Request:
| Data Element | Field Name | Description | Format | Length | M/O | Remark | |
|---|---|---|---|---|---|---|---|
| 1 | Card Token | cardToken | Card Token | String | Maximum 19 characters | Required | |
| 2 | Card Expiry Date | expiryDate | Card Expiry Date | String | YYMM | Required | |
| 3 | Public Rsa Key | publicKey | Customer Public Rsa Key | String | Maximum 4096 character | Required | RSA Public Key |
Response:
| Data Element | Field Name | Description | Format | Length | M/O | Remark | |
|---|---|---|---|---|---|---|---|
| 1 | Encrypted Card Verification Code | encCVV2 | Encrypted Card Verification Code | String | Maximum 4096 character | Required |