Get card
Get Card Payment Info
This operation will respond with encrypted card payment info
POST
This is a web service designed to give the card payment information needed for doing e-commerce payments, meaning full PAN, cvc2/cvv2, expiry date. The
payload will be encrypted with an asymmetric public key, to enable end-to-end encryption to the card holder device. Only fields listed in the request ‘fields’
object will be returned. The caller is responsible of validating the integrity of the public key.
PCI DSS compliance
Processing payment information (PAN, expiry, CVC2/CVV2) is controlled with strict compliance regulations by the card schemes. There are multiple ways to access the card payment information in Enfuce’s APIs depending on the client solution, and whether the client is a card schema member themselves and therefore responsible for compliance. The least complex way to take this functionality into use and keep your own systems outside the PCI DSS scope is to use the Initiate card data retrieval ( see /v4/card//controlToken below in this document). With that endpoint, the sensitive data is transported end-to-end between Enfuce’s service and the card-holder device, which keeps the client’s back-end systems outside of PCI DSS scope. The alternative shown here (Get Card Payment Info) relies on that the client is responsible for PCI DSS compliance themselves to the card schema.Example
Path Parameters
The card id for given card
Query Parameters
The audit user to log the request
Body
application/json
Request information needed to encrypt the card payment info
The body is of type object.
Response
200
application/json
Successful lookup and encryption of the card payment info.
The response is of type object.
Previous
Initiate card data retrievalEndpoint to initiate retrieval of card data. This will enable the end user make e-commerce transactions without
needing access to a plastic card. This means that the end user will get access to card number (PAN), expiry
date and CVC2/CVV2. This operation will generate an access token used to view the card data, enabling end users
to access their card data through their own devices, via app or web interface.
Supporting the possibility to copy the card data to the devices clipboard should be examined with caution.
The data lifespan and the access to the device clipboards varies between operating systems which introduces
risk. So while recognising that the possibility to copy the card data can improve end-user experience,
the potential increased risk of such a feature should be considered.
### Process description
1. End user request to see the card data (Pan number, exp. date and CVV) through its own devices, via app or
web interface.
2. The end user request triggers a request to Enfuce Card API (/v4/card/{cardId}/controlToken)
* The request will fail if cardId is not valid.
* Besides cardId, no additional validation is done. This means that Enfuce will not validate open-to-buy,
card status or usage limiters of the card when responding to request. In order to validate if a purchase
can be done with card data in question, separate API calls should be done to retrieve real time status
of card and it´s balance.
3. The successful response from this endpoint returns a token and two URLs
* Note the token is valid for 30 seconds which is the deadline for the end user device to make
the POST call to retrieve the HTML snapshot
4. The end users device is instructed to access the returned URL to view the card data
* Mobile app retrieves the HTML snapshot with card data by executing a POST call to the cardDataUrl
with the content of the token in a form field named token.
* Desktop browser opens iframe to cardDataFrameUrl with query parameter _key_. Key needs to agreed with
Enfuce beforehand. After that is loaded, parent page makes window.postMessage() call to the iframe.
Posted message object contains field _operation_ with value _view-pan_ and field _token_. Example:
```javascript
iframe.addEventListener('load', () => {
iframe.contentWindow.postMessage({operation: 'view-pan', token}, cardDataFrameUrl);
})
```
5. Enfuce responds with a HTML snapshot containing the card data.
* The request will fail if the token is not valid.
6. End user sees card data on device and can utilise it to make a purchase.
### PCI and security considerations
The service is designed to avoid exposure of sensitive, PCI categorised data to the web/app back-end,
therefore the card data is sent directly from the service endpoint to the end users device. The functionality
is developed, assessed, and certified for PCI DSS. PCI DSS regulations are detailed, but highlighting
a few that have impact on the this functionality:
* Card data remains encrypted in transport.
* No card data is stored in the process.
* The software is code reviewed.
* The publicly exposed endpoint is protected by a web application firewall.
The end user device will not fall within PCI scope, as it will not have access, be connected to or be able
to impact Enfuce system where the card data resides. In other words, the device displaying the card data does
not access the data itself, rather the content is rendered inside browser widget (Webview or Iframe).
Enfuce recommendations for end user app development:
* The app and the related back-end should ensure that the user is strongly authenticated (SCA) before being
able to view the card data. It is recommended, that each view is preceded by an SCA event, and this should be
done for every view event.
* The app must show the card data for only the time needed for the user to use this data and it is recommended
that there is a timeout of 1 minute until the card holder data view is automatically closed for the user.
* The app developers need to take necessary precautions to stop other apps or processes to access or interact
with the card data view.
* The app developers need to ensure that the communication between the app and the related back-end is done
in an authenticated and encrypted session.
Next