Encryption and decryption of card data

To protect the sensitive virtual credit card data, we encrypt the card data before sending it to you.

The data is encrypted with a 128-bit symmetric key using the following algorithm: AES/CTR/NoPadding. The symmetric key is then encrypted with the public key you enrolled, using the following algorithm: RSA/ECB/PKCS1Padding. The RSA key pair you generate must be at least 2048 bits in size. Please provide your public key in JWK format.

Each public key is given a key_id, which you use in the settlement request. It is possible to have more than one active public key.

You can use the following commands to generate a new private/public key pair:

openssl genrsa -out private_key.pem 4096
openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem

Now you can use the tool of your choice to convert the public key from .pem format to .jwk format. For example, with the JavaScript tool pem-jwk:

pem-jwk public_key.pem > public_key.jwk

Please make sure to store your private key securely, as the integrity of the virtual credit card data depends on it.

Encryption

When you request a card, you have to provide the key_id of the public key you want to use. This key will be used to encrypt the symmetric key that encrypts the card details.

Decryption

The response to a virtual credit card request contains the following fields, which are used to decrypt the sensitive card data.

{
    "pci_data": "string",
    "iv": "string",
    "aes_key": "string"
}

The sensitive card data, pci_data, is encrypted with a generated symmetric key, aes_key, which is itself encrypted with your public key.

To decrypt the card data, perform these steps:

  1. Base64 decode aes_key
  2. Decrypt decoded aes_key using your private key
  3. Base64 decode pci_data
  4. Decrypt decoded pci_data using decrypted aes_key and iv (initialization vector)

Make sure you are using the private key which corresponds to the key_id you provided when you requested the card.
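
The four steps above, carried out with the openssl command line (an added example, not code from the original page). It assumes that iv is Base64-encoded like the other two fields and that the RSA-decrypted aes_key is the raw 16-byte key; decrypt_card, make_sample, the helper names and the sample files are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: decrypt a card response with the openssl CLI.
# Assumptions (not stated on the page): iv is Base64-encoded and 16 bytes long;
# the RSA-decrypted aes_key is the raw 16-byte AES-128 key.

b64d() { printf '%s' "$1" | openssl base64 -d -A; }   # Base64 string -> raw bytes
tohex() { od -An -v -tx1 | tr -d ' \n'; }              # raw bytes -> hex string

# decrypt_card PRIVATE_KEY_PEM AES_KEY_B64 IV_B64 PCI_DATA_B64 -> plaintext JSON on stdout
decrypt_card() {
    # Steps 1-2: Base64 decode aes_key, then RSA PKCS#1 v1.5 decrypt it.
    key_hex=$(b64d "$2" | openssl pkeyutl -decrypt -inkey "$1" \
        -pkeyopt rsa_padding_mode:pkcs1 2>/dev/null | tohex)
    iv_hex=$(b64d "$3" | tohex)
    # A private key that does not match key_id typically fails above or yields
    # a key of the wrong length, so require exactly 16 bytes for key and IV.
    [ "${#key_hex}" -eq 32 ] || { echo "aes_key did not decrypt to 16 bytes" >&2; return 1; }
    [ "${#iv_hex}" -eq 32 ] || { echo "iv is not 16 bytes" >&2; return 1; }
    # Steps 3-4: Base64 decode pci_data, then AES-128-CTR decrypt (CTR has no padding).
    b64d "$4" | openssl enc -d -aes-128-ctr -K "$key_hex" -iv "$iv_hex"
}

# make_sample DIR: constructed test data, playing the issuing side of the exchange.
make_sample() {
    openssl genrsa -out "$1/private_key.pem" 2048 2>/dev/null
    openssl rsa -in "$1/private_key.pem" -pubout -out "$1/public_key.pem" 2>/dev/null
    openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null   # key for a different key_id
    openssl rand 16 > "$1/aes.bin"
    openssl rand 16 > "$1/iv.bin"
    printf '%s' '{"pan":"4111111111111","expiry_date":"01/19","cvv":"789"}' |
        openssl enc -aes-128-ctr -K "$(tohex < "$1/aes.bin")" -iv "$(tohex < "$1/iv.bin")" |
        openssl base64 -A > "$1/pci_data.b64"
    openssl pkeyutl -encrypt -pubin -inkey "$1/public_key.pem" -in "$1/aes.bin" |
        openssl base64 -A > "$1/aes_key.b64"
    openssl base64 -A < "$1/iv.bin" > "$1/iv.b64"
}
```

openssl enc takes the AES key as a -K argument, so the key is visible in the process list while the command runs; in a service, perform the same steps with a crypto library that keeps the key in memory.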

The decrypted data contains the card information in plaintext, formatted as a JSON object. Here's an example of decrypted card information:

{
    "pan": "4111111111111",
    "expiry_date": "01/19",
    "cvv": "789"
}