Payment API

Overview

Account Details

Overview
Create an account
Update an account
Get account information

Authorisation Control

Overview
Authorisation Control Webhook

Authorisation Forwarding

Overview
Forward authorisation webhook

Card details

Customer

Overview
Get customer information
Create a customer
Update a customer
Customer hierarchy

Exchange Rates API

Overview
Get ECB exchange rate
Get ECB supported currencies
Get FX exchange rates

ID

Overview
Initiate 3rd party authentication flow
Callback to complete authentication flow

Instalment

Overview
Instalment Controller

Invoice

Overview
Get invoice information
Update invoice information

Notification

Overview
Receive a notification

Overview
PIN operations with pre-shared key
PIN operations using PKI

PIN Control

Overview
PIN Control handling

Purchase Details

Overview
Trigger repricing
Get purchase details
Create purchase details
Update purchase details

RBA Forwarding

Overview
RBA forwarding

Repricing

Overview
Create repricing agreements
Get repricing agreements
Update repricing agreements
Create price lists
Get price lists
Update price lists

Transaction

Overview
Test transactions
Test authorizations
Get transaction data
Create transactions
Create fees
Update a transaction
Batch payment

Transfer API

Overview
Post account to account transfer
Account to account batch transfer
Post card to card transfer

Wallet

Overview
Push Provision
Activation data
Get tokens

Test API

Overview
test-auth-request-templates
test-authorizations

Hierarchy API

Overview
Card Hierarchy Management
Card Hierarchy Group Management
Card Management in Card Hierarchy Groups

Spend Control API

Overview
Rule Sets Endpoints
Rules Endpoints
Spend Control Test Endpoint

Get card

Initiate card data retrieval

## Initiate card data retrieval Endpoint to initiate retrieval of card data. This will enable the end user make e-commerce transactions without needing access to a plastic card. This means that the end user will get access to card number (PAN), expiry date and CVC2/CVV2. This operation will generate an access token used to view the card data, enabling end users to access their card data through their own devices, via app or web interface. Supporting the possibility to copy the card data to the devices clipboard should be examined with caution. The data lifespan and the access to the device clipboards varies between operating systems which introduces risk. So while recognising that the possibility to copy the card data can improve end-user experience, the potential increased risk of such a feature should be considered. ### Process description ![ Example user experience ](https://enfuce-public-resources.s3.eu-central-1.amazonaws.com/public/pan-view-flow.jpg) 1. End user request to see the card data (Pan number, exp. date and CVV) through its own devices, via app or web interface. 2. The end user request triggers a request to Enfuce Card API (/v4/card/{cardId}/controlToken) * The request will fail if cardId is not valid. * Besides cardId, no additional validation is done. This means that Enfuce will not validate open-to-buy, card status or usage limiters of the card when responding to request. In order to validate if a purchase can be done with card data in question, separate API calls should be done to retrieve real time status of card and it´s balance. 3. The successful response from this endpoint returns a token and two URLs * Note the token is valid for 30 seconds which is the deadline for the end user device to make the POST call to retrieve the HTML snapshot 4. The end users device is instructed to access the returned URL to view the card data * Mobile app retrieves the HTML snapshot with card data by executing a POST call to the cardDataUrl with the content of the token in a form field named token. * Desktop browser opens iframe to cardDataFrameUrl with query parameter _key_. Key needs to agreed with Enfuce beforehand. After that is loaded, parent page makes window.postMessage() call to the iframe. Posted message object contains field _operation_ with value _view-pan_ and field _token_. Example: iframe.addEventListener('load', () => { iframe.contentWindow.postMessage({operation: 'view-pan', token}, cardDataFrameUrl); }) 6. Enfuce responds with a HTML snapshot containing the card data. * The request will fail if the token is not valid. ![ Example user experience ](https://enfuce-public-resources.s3.eu-central-1.amazonaws.com/public/pan-html-example.png) 7. End user sees card data on device and can utilise it to make a purchase. ### PCI and security considerations The service is designed to avoid exposure of sensitive, PCI categorised data to the web/app back-end, therefore the card data is sent directly from the service endpoint to the end users device. The functionality is developed, assessed, and certified for PCI DSS. PCI DSS regulations are detailed, but highlighting a few that have impact on the this functionality: * Card data remains encrypted in transport. * No card data is stored in the process. * The software is code reviewed. * The publicly exposed endpoint is protected by a web application firewall. The end user device will not fall within PCI scope, as it will not have access, be connected to or be able to impact Enfuce system where the card data resides. In other words, the device displaying the card data does not access the data itself, rather the content is rendered inside browser widget (Webview or Iframe). Enfuce recommendations for end user app development: * The app and the related back-end should ensure that the user is strongly authenticated (SCA) before being able to view the card data. It is recommended, that each view is preceded by an SCA event, and this should be done for every view event. * The app must show the card data for only the time needed for the user to use this data and it is recommended that there is a timeout of 1 minute until the card holder data view is automatically closed for the user. * The app developers need to take necessary precautions to stop other apps or processes to access or interact with the card data view. * The app developers need to ensure that the communication between the app and the related back-end is done in an authenticated and encrypted session.

POST

card

{cardId}

controlToken

curl --request POST \
  --url https://integration-api-cat2./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/card/v4/card/{cardId}/controlToken

{
  "token": "<string>",
  "cardDataUrl": "<string>",
  "cardDataFrameUrl": "<string>"
}

Path Parameters

cardId

string

required

The id of the card's data requested

Query Parameters

auditUser

string

required

The audit user to log the request

Response

201

application/json

Successful creation of the control token

token

string

required

The control token.

cardDataUrl

string

The URL to call on mobile devices for accessing the card's data.

cardDataFrameUrl

string

The URL to open in iframe to access the card's data.

Get Card Payment Info Get cards given customerId (Deprecated)

curl --request POST \
  --url https://integration-api-cat2./%7B{environment}%7D.ext.%7B{realm}%7D.cia.enfuce.com/card/v4/card/{cardId}/controlToken

{
  "token": "<string>",
  "cardDataUrl": "<string>",
  "cardDataFrameUrl": "<string>"
}