> ## Documentation Index
> Fetch the complete documentation index at: https://docs.enfuce.com/llms.txt
> Use this file to discover all available pages before exploring further.

> This operation will respond with encrypted card payment info

# Get Card Payment Info

This is a web service designed to give the card payment information needed for doing e-commerce payments, meaning full PAN, cvc2/cvv2, expiry date. The
payload will be encrypted with an asymmetric public key, to enable end-to-end encryption to the card holder device. Only fields listed in the request 'fields'
object will be returned. The caller is responsible of validating the integrity of the public key.

### PCI DSS compliance

Processing payment information (PAN, expiry, CVC2/CVV2) is controlled with strict compliance regulations by the
card schemes. There are multiple ways to access the card payment information in Enfuce's APIs depending on the
client solution, and whether the client is a card schema member themselves and therefore responsible for
compliance.

The least complex way to take this functionality into use and keep your own systems outside the PCI DSS scope is
to use the **Initiate card data retrieval** ( see /v4/card/{cardId}/controlToken below in this document).
With that endpoint, the sensitive data is transported end-to-end between Enfuce's service and the card-holder
device, which keeps the client's back-end systems outside of PCI DSS scope.

The alternative shown here (Get Card Payment Info) relies on that the client is responsible for PCI DSS compliance
themselves to the card schema.

### Example

```java theme={null}
// ...

import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import javax.crypto.Cipher;

// ...

// Example of how to decrypt an encrypted field
private String decrypt(String data, String privKeyPEM) throws Exception {
    // Prepare the key
    String privKeyString = privKeyPEM.replaceAll(\"\\\\n\", \"\").replace(\"-----BEGIN PRIVATE KEY-----\", \"\").replace(\"-----END PRIVATE KEY-----\", \"\");
    byte[] encodedKey = Base64.getDecoder().decode(privKeyString);
    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(encodedKey);
    KeyFactory kf = KeyFactory.getInstance(\"RSA\");
    PrivateKey privateKey = kf.generatePrivate(spec);

    // Prepare the decryption
    Cipher cipher = Cipher.getInstance(\"RSA/ECB/OAEPWithSHA-256AndMGF1Padding\");
    cipher.init(Cipher.DECRYPT_MODE, privateKey);

    // Prepare the data
    byte[] cryptogram = Base64.getDecoder().decode(data);
    
    // Decrypt
    byte[] decryptedBytes = cipher.doFinal(cryptogram);
    return new String(decryptedBytes);
}
```


## OpenAPI

````yaml card post /v3/{id}/encryptcardpaymentinfo
openapi: 3.0.3
info:
  description: >
    Card API have different endpoints for creating, editing and updating a card
    via different methods.


    Below in the picture is the basic flow of a card lifecycle. Note we don't
    restrict changes,

    so it is possible although not advisable e.g. to change card status from
    Card Lost to Card OK.


    ![ Card lifecycle
    ](https://enfuce-public-resources.s3.eu-central-1.amazonaws.com/public/card_lifecycle.svg)


    Below is a short summary of each status:

    <table>
      <tr>
        <th>Status name</th>
        <th>Description</th>
        <th>Authorisations rejected</th>
        <th>Clearing transactions posting blocked</th>
      <tr>
        <td>Card OK</td>
        <td>Card is open and in normal status. Card has to be in this status in order for it to be renewed.</td>
        <td>No</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card Blocked</td>
        <td>Temporary block on the card that will prevent approval of authorisations. Can be used instead of account level temporary block if target is to block only a specific card.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Suspected Fraud</td>
        <td>Temporary block on the card that will prevent approval of authorisations. Functionality the same as for "Card blocked", the different code allows to differentiate between the blocks.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card No Renewal</td>
        <td>Status set to prevent following card renewal. Does not affect card functionality in any way, only renewal.</td>
        <td>No</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card Closed Due To Fraud</td>
        <td>Used to close a card due to known fraud.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card Lost</td>
        <td>Used to close a card because it is lost.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card Stolen</td>
        <td>Used to close a card because it is stolen.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
      <tr>
        <td>Card Closed</td>
        <td>Used to close card by request from customer or bank, reason for closure is set with status update reason. Allows still clearing transaction posting.</td>
        <td>Yes</td>
        <td>No</td>
      </tr>
    </table>


    ### Encrypted payload for _Create card_ or _Get card_ with a full card
    number


    The payload field _encryptedData_ in create card requests is encrypted with
    JWE (JSON Web Encryption). 

    The field value must be presented using compact serialization scheme, i.e.
    Base64URL-encoded elements 

    separated by a ".".


    JWE should use RSA-OAEP-256 algorithm for encrypting the random symmetric
    key and A256GCM algorithm for

    encrypting the payload. Public keys used for encryption are provided in
    certificates below. 

    JWE header must also contain parameter "x5t#S256" with SHA256 fingerprint of
    the certificate used. 

    See RFC7516 section 4.1.10.


    The payload to be encrypted must be in JSON-format and contain field
    "cardNumber". For example:

            { "cardNumber": "5555555555554444" }

    Certificate for test environments (jwe-test-20260422.pem):

            -----BEGIN CERTIFICATE-----
            MIIDsTCCApmgAwIBAgIUNbIeMweA9gtL+71Uoctyok+LP5owDQYJKoZIhvcNAQEL
            BQAwaDELMAkGA1UEBhMCRkkxDjAMBgNVBAcMBUVzcG9vMQ8wDQYDVQQKDAZFbmZ1
            Y2UxETAPBgNVBAsMCENhcmQgQVBJMSUwIwYDVQQDDBxqd2UtdGVzdC0yMDI2MDQy
            Mi5lbmZ1Y2UuY29tMB4XDTI2MDQyMjA4MTQ1MVoXDTI4MDQxMTA4MTQ1MVowaDEL
            MAkGA1UEBhMCRkkxDjAMBgNVBAcMBUVzcG9vMQ8wDQYDVQQKDAZFbmZ1Y2UxETAP
            BgNVBAsMCENhcmQgQVBJMSUwIwYDVQQDDBxqd2UtdGVzdC0yMDI2MDQyMi5lbmZ1
            Y2UuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl9nrCsMtzGy2
            r/tfZugYW8vX/+GoZv9FUK2XfsEqgaTBWVQZvkbRKAijtdymHXwe72rZuVBotaUm
            ES/5Eqqhy5Mb6pYZ9H3VwV0tq6RSiq6A9nEevfPHe2UXl66K6XC8WWXtLyHu1sdk
            t9Gf4zLMspL7C+8m1OfJMZzBAEXcuoNcUPbWHzupyWpKvCZqbV1kwXDaYhCYR0cQ
            BLNUTxQS+fIYZrlrzIiwGng/3IDBsaVuJdFfa3OqRcNPt6rbcvtrQ3pN6zSvOPB6
            MVUKNPp7PeSBYomnPa+CI68XG9GfxK3fhos/uUlrQv4rnDP/qTtUvrK9VutDrg4r
            y/GXroEr8wIDAQABo1MwUTAdBgNVHQ4EFgQUnZQPK6mB0zIKBmPXjSkFWGJR4zMw
            HwYDVR0jBBgwFoAUnZQPK6mB0zIKBmPXjSkFWGJR4zMwDwYDVR0TAQH/BAUwAwEB
            /zANBgkqhkiG9w0BAQsFAAOCAQEAV7yknM6xyWA2lZlDKaQdg7Jug6pKvW6733IQ
            ois3/1VJPa1piDiNWfQcvvinxvTyczCjnh/HOdtbFfLJHezcj1R/YsrSE45VIc9Z
            d3gwK1MpLUNdb9ifmpxT9gfGy7mPNZC0FtzWHqWwcogzyScoLWT11usqHR64aZiZ
            /shfQPy6iK5gDF6yrwUB+Tv3TZl934GvYhFw/P3uk7ZSJ27/XhUrbnooagqRYZlN
            +/+2hvyGDZ4YVfdt7rhWfmm3xHNCVVyRjuLaaWOebWM+y705KN57DXyXxDPkmmud
            M2aru88ojhKc73QIQy8izAOTFKtyuOxtQR7PbDBpXcJhHGO/UQ==
            -----END CERTIFICATE-----

    Certificate for production environments (jwe-20260422.pem):

            -----BEGIN CERTIFICATE-----
            MIIDpzCCAo+gAwIBAgIUP+Z0k9p29DQZLP62py6KuG8XbRQwDQYJKoZIhvcNAQEL
            BQAwYzELMAkGA1UEBhMCRkkxDjAMBgNVBAcMBUVzcG9vMQ8wDQYDVQQKDAZFbmZ1
            Y2UxETAPBgNVBAsMCENhcmQgQVBJMSAwHgYDVQQDDBdqd2UtMjAyNjA0MjIuZW5m
            dWNlLmNvbTAeFw0yNjA0MjIwODE3NDZaFw0yODA0MTEwODE3NDZaMGMxCzAJBgNV
            BAYTAkZJMQ4wDAYDVQQHDAVFc3BvbzEPMA0GA1UECgwGRW5mdWNlMREwDwYDVQQL
            DAhDYXJkIEFQSTEgMB4GA1UEAwwXandlLTIwMjYwNDIyLmVuZnVjZS5jb20wggEi
            MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCCmlTBos5Q32mEL3XU0UjrPN22
            27YpyqCE234kwJ8BIBnzkQdrfkB27cucYnzj7HHg+1tn7CJBtprwkwzAEMW2CY5G
            /3kOD9hw9amFKtw1C/pMW4ZJh0W8pbbN1+9Y0Ti85hWQN7+UVyRybZqSr8aCXKV9
            5qyVU/00rdDT+mXdSjppzn3HU4jmWABIwJkT5wyxeIMonr+O+WHW08yd1LYd5ID6
            tfyC8o48pXI2uugyNGIPKdwiaK/C/qojiJYJRRZEaXatAk2OFFvq+ryeICO88TK9
            eB7ngEPpfa04nebkH8Scj4rbyYPmSyFpGfvVeXvzODixdI1Qxz/KK9j96PiNAgMB
            AAGjUzBRMB0GA1UdDgQWBBSFbT/MlsLoAOdcGNVwCbJWnEFVyTAfBgNVHSMEGDAW
            gBSFbT/MlsLoAOdcGNVwCbJWnEFVyTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3
            DQEBCwUAA4IBAQAHGOulvkVGjntcH9fJMRgOh32fjddc3+UDx5DKGluvDoqEgZdw
            ow1PFSRMNNHfMlOLCpNsiwuLJhA5weWUZnrMrizVkTGf2M39FkltlozY/mWwkJ97
            3sSfy6AN1lw/IbWJqOaYYU5wAWPgVP7lkiyDhJ21QtgHKeRQeTAtwuV3vv5cj/Cx
            ns/vYrXsoEJTboimlNm9eLUq61B+BFsZqJsvu8S3nT0icM4d4ZXwD0Ci/cs76wQN
            iLe3+O3GM1rQu+upvZJd9LqylXGa/mi5y0TwlunCG9ppIOotZQZpS3JlS8gKPTwS
            iUuAvpt0bTTTqMDpE+4i9pjqiU6hyGguFkaB
            -----END CERTIFICATE-----
  version: '1'
  title: Card details API
  contact:
    name: Enfuce Financial Services
    url: https://enfuce.com
    email: info@enfuce.com
  x-logo:
    url: https://developer.enfuce.com/images/enfuce.svg
    altText: Enfuce logo
servers:
  - url: >-
      https://integration-api-cat2.{{environment}}.ext.{{realm}}.cia.enfuce.com/card
  - url: https://integration-api-cat2.live.ext.prod.cia.enfuce.com/card
    description: Live environment
security: []
tags:
  - name: Create card
    description: <p>Endpoints for creating a card</p>
  - name: Update card
    description: <p>Endpoints for updating a card</p>
  - name: Get card
    description: Endpoints for fetching a card
  - name: Get plastic
    description: Endpoints for fetching a plastic
  - name: Update plastic
    description: <p>Endpoints for updating a plastic</p>
  - name: Get application
    description: Endpoints for fetching an application
  - name: Update application
    description: <p>Endpoints for updating an application</p>
paths:
  /v3/{id}/encryptcardpaymentinfo:
    post:
      tags:
        - Get card
      summary: Get Card Payment Info
      description: >
        This is a web service designed to give the card payment information
        needed for doing e-commerce payments, meaning full PAN, cvc2/cvv2,
        expiry date. The

        payload will be encrypted with an asymmetric public key, to enable
        end-to-end encryption to the card holder device. Only fields listed in
        the request 'fields'

        object will be returned. The caller is responsible of validating the
        integrity of the public key.


        ### PCI DSS compliance

        Processing payment information (PAN, expiry, CVC2/CVV2) is controlled
        with strict compliance regulations by the

        card schemes. There are multiple ways to access the card payment
        information in Enfuce's APIs depending on the

        client solution, and whether the client is a card schema member
        themselves and therefore responsible for

        compliance.


        The least complex way to take this functionality into use and keep your
        own systems outside the PCI DSS scope is

        to use the **Initiate card data retrieval** ( see
        /v4/card/{cardId}/controlToken below in this document).

        With that endpoint, the sensitive data is transported end-to-end between
        Enfuce's service and the card-holder

        device, which keeps the client's back-end systems outside of PCI DSS
        scope.


        The alternative shown here (Get Card Payment Info) relies on that the
        client is responsible for PCI DSS compliance

        themselves to the card schema.


        ### Example
            // ...

            import java.security.KeyFactory;
            import java.security.PrivateKey;
            import java.security.spec.PKCS8EncodedKeySpec;
            import java.util.Base64;
            import javax.crypto.Cipher;

            // ...

            // Example of how to decrypt an encrypted field
            private String decrypt(String data, String privKeyPEM) throws Exception {

              // Prepare the key
              String privKeyString = privKeyPEM.replaceAll("\\n", "").replace("-----BEGIN PRIVATE KEY-----", "").replace("-----END PRIVATE KEY-----", "");
              byte[] encodedKey = Base64.getDecoder().decode(privKeyString);
              PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(encodedKey);
              KeyFactory kf = KeyFactory.getInstance("RSA");
              PrivateKey privateKey = kf.generatePrivate(spec);

              // Prepare the decryption
              Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
              cipher.init(Cipher.DECRYPT_MODE, privateKey);

              // Prepare the data
              byte[] cryptogram = Base64.getDecoder().decode(data);

              // Decrypt
              byte[] decryptedBytes = cipher.doFinal(cryptogram);
              return new String(decryptedBytes);
            }
      operationId: encryptCardPaymentInfoPOST
      parameters:
        - name: auditUser
          in: query
          description: The audit user to log the request
          required: true
          schema:
            type: string
        - name: id
          in: path
          description: The card id for given card
          required: true
          schema:
            type: string
            format: biginteger
      requestBody:
        $ref: '#/components/requestBodies/encryptCardPaymentInfoRequestBody'
      responses:
        '200':
          description: Successful lookup and encryption of the card payment info.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/encryptCardPaymentInfoResponseBody'
        '400':
          description: Encryption key error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
        '401':
          $ref: '#/components/responses/error401'
        '403':
          $ref: '#/components/responses/error403'
        '404':
          description: Card does not exist
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/errorResponse'
        '500':
          $ref: '#/components/responses/error500'
      deprecated: false
components:
  requestBodies:
    encryptCardPaymentInfoRequestBody:
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/encryptCardPaymentInfoRequestBody'
      description: Request information needed to encrypt the card payment info
      required: true
  schemas:
    encryptCardPaymentInfoResponseBody:
      type: object
      properties:
        fullCardNumber:
          type: string
          description: The enrypted full card number (PAN). Base64 encoded
        expirationDate:
          type: string
          description: The expiration date of the card, in format MMYY
        cvv2:
          type: string
          description: >-
            The encrypted CVV2 (if Visa), or CVC2 (if Mastercard) value. Base64
            encoded
      title: encryptCardPaymentInfoResponseBody
    errorResponse:
      type: object
      properties:
        code:
          type: string
          description: An error code indicating what kind of error. I.e. HTTP error code
        message:
          type: string
          description: Error message in human-readable format
        id:
          type: string
          format: uuid
          description: Unique error identifier
        errorCode:
          type: string
          description: Enfuce code for a specific error type
        errorType:
          type: string
          description: Error type
          enum:
            - STATIC_VALIDATION_ERROR
            - DYNAMIC_VALIDATION_ERROR
            - INTEGRATION_ERROR
            - SECURITY_ERROR
            - UNEXPECTED_ERROR
        errorReason:
          type: string
          description: Free-form text explaining the error reason
        timestamp:
          type: string
          format: date-time
          description: Datetime when error occurred
    encryptCardPaymentInfoRequestBody:
      type: object
      properties:
        encryptionKey:
          type: string
          description: Public key used to encrypt the fields in the result.
        encryptionMethod:
          type: string
          enum:
            - RSA_ECB_OAEP_SHA256_MGF1_2048
          description: >
            In this field the encryption method is selected. This is to prepare
            for future use since only one method is supported.
              * __RSA_ECB_OAEP_SHA256_MGF1_2048__ - RSA/ECB/OAEPWithSHA-256AndMGF1Padding. Public key length 2048.
        fields:
          type: array
          items:
            type: string
            enum:
              - fullCardNumber
              - expirationDate
              - cvv2
          description: >
            In this field you can list which fields the service should encrypt
            and return. If a field is not listed, it will be left out from the
            response. Note that only fullCardNumber and cvv2 will be encrypted.
              * __fullCardNumber__ - PAN number (card number) for the card
              * __expirationDate__ - The expiration date of the card, in format MM/YY
              * __cvv2__ - The CVV2 (if Visa), or CVC2 (if Mastercard) value
      required:
        - encryptionKey
      title: encryptCardPaymentInfoRequestBody
  responses:
    error401:
      description: Unauthorized
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/errorResponse'
    error403:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/errorResponse'
    error500:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/errorResponse'

````