
Card data encryption (PKCS#7 format)

Card details passed to the Push Provisioning SDK are encrypted. Use the TSH Issuer Gateway certificate provided during onboarding.

Encrypted data payload

The payload is the JSON object serialized as a string before encryption. The JSON structure contains the following fields:

| JSON field name | Description | MOC | Comment |
| --- | --- | --- | --- |
| issuerCardRefId | A unique identifier of the physical card. This value is the same as the value provided in authorizationCode (JWT 'sub' claim). | M | Note: This is not the PAN value. |
| fpan | Funding card primary account number. | M | |
| exp | The expiry date in MMYY format. | M | |
| cardHolderName | The cardholder name as printed on the card. For MasterCard, the maximum length for the name is 27 characters. | M | |
| postalAddress | Object representing the postal address of the cardholder. See the following definition. | C | It is required for Click to Pay. |
| phoneNumber | The cardholder's phone number. Maximum length is 16. | C | Note: It does not contain the country code. It is required for Click to Pay. |
| phoneNumberCountryCode | The country code of the phone number. Example: "1" for USA, "33" for France, "44" for UK. Maximum length is 4. | C | It is required for Click to Pay. |
| email | The cardholder's email. Maximum length is 48. | C | It is required for Click to Pay. |
| issuerClientInformation | The object representing the client information shared from issuer to token requestor as per information captured in the issuer systems. See the following definition. | C | It is required for Click to Pay. |
| termsAndConditionsId | This ID represents the unique ID associated with the “Terms and conditions” generated by Discover TSP during the onboarding process. | C | It is required for Discover – push to Google/Samsung Pay. |

postalAddress structure

| JSON field name | Description | MOC |
| --- | --- | --- |
| line1 | First line of the billing address. Maximum length is 64. | M |
| line2 | Second line of the billing address. Maximum length is 64. | O |
| city | The city of the billing address. Maximum length is 32. | M |
| postalCode | The postal code (for example, zipcode in the U.S.) of the billing address. Maximum length is 10. | M |
| country | The country of the billing address. Expressed as a 3-letter (alpha-3) country code as defined in ISO 3166-1. | M |

issuerClientInformation structure

| JSON field name | Description | MOC | Comment |
| --- | --- | --- | --- |
| issuerAccountID | Identifier of the customer account captured from issuer systems. Maximum length allowed is 24 characters. | C | Note: This is not the card's PAN. It is required by VISA. |
| firstName | Customer first name captured from issuer systems. Maximum length allowed is 80 characters. | M | |
| middleName | Middle name of customer captured from the issuer systems. Maximum length allowed is 80 characters. | O | |
| lastName | Last name of customer captured from the issuer systems. Maximum length allowed is 80 characters. | M | |
| country | Country code of the customer in ISO 3166-1 alpha-2 format. | O | If not provided, default is "US". |
| locale | Language in which the app communicates with the customer. This is the ISO 639-1 language code followed by "_" separator then ISO 3166-1 alpha-2 country code. Example: "en_US". | O | If not provided, default is "en_US". |

Encryption

Keys and certificates

A TSH certificate is provided to the issuer during onboarding. Use it to encrypt the JSON payload that contains card credentials and personal data.

PKCS7 format

PCI-sensitive data and personal information are encrypted using PKCS#7 enveloped-data format. This ensures confidentiality.

The PKCS#7 encryption scheme is defined in RFC 2315 and RFC 5652. It is supported by major cryptographic libraries.

Use these encryption parameters:

  • The content encryption algorithm used is AES256/CBC/PKCS7Padding which uses a randomly generated AES key.

  • The key encryption algorithm is RSA/NONE/OAEPWithSHA256AndMGF1Padding (Note: MGF1 padding uses SHA256) using the TSH certificate provided during the onboarding process.

  • The encryption result is then provided as a hexadecimal string.
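
The parameters above map onto OpenSSL's `cms` command. The script below is an added example, not code from this documentation or the SDK. It assumes the hexadecimal string is the lowercase hex of the DER-encoded enveloped-data, and it encrypts constructed sample values to a throwaway self-signed certificate that stands in for the TSH certificate, so that the result can be decrypted and checked locally.

```shell
#!/bin/sh
# Added example, not vendor code: CMS (PKCS#7) enveloped-data with the page's parameters.
set -eu

# envelope_der <payload.json> <recipient-cert.pem> <out.der>
# AES-256-CBC content encryption; RSA-OAEP (SHA-256, MGF1 with SHA-256) key encryption.
envelope_der() {
    openssl cms -encrypt -binary -aes-256-cbc -outform DER \
        -recip "$2" \
        -keyopt rsa_padding_mode:oaep \
        -keyopt rsa_oaep_md:sha256 \
        -keyopt rsa_mgf1_md:sha256 \
        -in "$1" -out "$3"
}

# to_hex <file>: lowercase hex without separators (assumed encoding of the result;
# -v stops od from collapsing repeated lines into "*").
to_hex() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# roundtrip_check: encrypts a constructed payload to a throwaway certificate
# (stand-in for the TSH certificate), confirms the algorithms recorded in the
# envelope, decrypts it again, and prints the hex string. The body runs in a
# subshell, so "exit" only ends this function and the temp dir is cleaned up.
roundtrip_check() (
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    cd "$tmp"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-recipient" \
        -keyout key.pem -out cert.pem 2>/dev/null
    # Constructed sample values; 5555555555554444 is a public test card number.
    printf '%s' '{"issuerCardRefId":"card-ref-0001","fpan":"5555555555554444","exp":"1230","cardHolderName":"JANE DOE"}' > payload.json
    envelope_der payload.json cert.pem env.der
    asn1=$(openssl asn1parse -inform DER -in env.der)
    printf '%s\n' "$asn1" | grep -q 'rsaesOaep'   || exit 1  # key encryption
    printf '%s\n' "$asn1" | grep -q 'sha256'      || exit 1  # OAEP/MGF1 digest
    printf '%s\n' "$asn1" | grep -q 'aes-256-cbc' || exit 1  # content encryption
    openssl cms -decrypt -binary -inform DER -in env.der \
        -inkey key.pem -recip cert.pem -out clear.json
    cmp -s payload.json clear.json || exit 1
    to_hex env.der
)

roundtrip_check
echo
```

With the real TSH certificate only `envelope_der` and `to_hex` apply, since the issuer does not hold the matching private key; the cleartext JSON carries the FPAN, so keep it out of logs and persistent files.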

Encrypted payload example:
