Initiate card data retrieval

Endpoint to initiate retrieval of card data. This will enable the end user make e-commerce transactions without needing access to a plastic card. This means that the end user will get access to card number (PAN), expiry date and CVC2/CVV2. This operation will generate an access token used to view the card data, enabling end users to access their card data through their own devices, via app or web interface.

Supporting the possibility to copy the card data to the devices clipboard should be examined with caution. The data lifespan and the access to the device clipboards varies between operating systems which introduces risk. So while recognising that the possibility to copy the card data can improve end-user experience, the potential increased risk of such a feature should be considered.

Process description

1. End user request to see the card data (Pan number, exp. date and CVV) through its own devices, via app or web interface.
2. The end user request triggers a request to Enfuce Card API (/v4/card//controlToken)
   • The request will fail if cardId is not valid.
   • Besides cardId, no additional validation is done. This means that Enfuce will not validate open-to-buy, card status or usage limiters of the card when responding to request. In order to validate if a purchase can be done with card data in question, separate API calls should be done to retrieve real time status of card and it´s balance.
3. The successful response from this endpoint returns a token and two URLs
   • Note the token is valid for 30 seconds which is the deadline for the end user device to make the POST call to retrieve the HTML snapshot
4. The end users device is instructed to access the returned URL to view the card data
   • Mobile app retrieves the HTML snapshot with card data by executing a POST call to the cardDataUrl with the content of the token in a form field named token.
   • Desktop browser opens iframe to cardDataFrameUrl with query parameter key. Key needs to agreed with Enfuce beforehand. After that is loaded, parent page makes window.postMessage() call to the iframe. Posted message object contains field operation with value view-pan and field token. Example:

     iframe.addEventListener('load', () => { 
       iframe.contentWindow.postMessage({operation: 'view-pan', token}, cardDataFrameUrl);
     })
     

5. Enfuce responds with a HTML snapshot containing the card data.
   • The request will fail if the token is not valid.
6. End user sees card data on device and can utilise it to make a purchase.

PCI and security considerations

The service is designed to avoid exposure of sensitive, PCI categorised data to the web/app back-end, therefore the card data is sent directly from the service endpoint to the end users device. The functionality is developed, assessed, and certified for PCI DSS. PCI DSS regulations are detailed, but highlighting a few that have impact on the this functionality:

• Card data remains encrypted in transport.
• No card data is stored in the process.
• The software is code reviewed.
• The publicly exposed endpoint is protected by a web application firewall.

The end user device will not fall within PCI scope, as it will not have access, be connected to or be able to impact Enfuce system where the card data resides. In other words, the device displaying the card data does not access the data itself, rather the content is rendered inside browser widget (Webview or Iframe).

Enfuce recommendations for end user app development:

• The app and the related back-end should ensure that the user is strongly authenticated (SCA) before being able to view the card data. It is recommended, that each view is preceded by an SCA event, and this should be done for every view event.
• The app must show the card data for only the time needed for the user to use this data and it is recommended that there is a timeout of 1 minute until the card holder data view is automatically closed for the user.
• The app developers need to take necessary precautions to stop other apps or processes to access or interact with the card data view.
• The app developers need to ensure that the communication between the app and the related back-end is done in an authenticated and encrypted session.