Welcome to our new developer portal! Use the "Ask" button to chat with our AI Agent.
Ctrlk
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Outbound Card API

Get Card Credentials

get

API used by D1 to call the CMS for retrieving the card credentials (PAN, expiry date, cardholder name and CVV) using a card identifier. It can be used, for example, for displaying the card details to an end user who wants to perform an e-commerce transaction or for registering a 'legacy card' in the D1 system.

Authorizations
OAuth2clientCredentialsRequired

OAUTH activation for outbound endpoints is optional part of D1 Tenant configuration (Refresh URL, Token URL, Credentials, Scope) A CMS entity wishing to opt for OAUTH scheme needs to support an endpoint (Token URL) from which the access token can be retrieved. This endpoint shall support HTTP POST Client Credentials grant requests in x-www-form-urlencoded content type as specified here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

Token URL:
Path parameters
issuerIdstring · min: 10 · max: 10Required

The id of the issuer

cardIdstring · min: 1 · max: 48Required

Unique identifier of the card.

Pattern: [A-Za-z0-9_-]{1,48}
Header parameters
x-correlation-idstring · min: 1 · max: 64Optional

Random identifier which can be used to correlate the different API calls done as part of a single use-case. This identifier will be the one primarily used for troubleshooting.

There is no strong guarantee of the uniqueness of this identifier, so please refrain from using it for purposes other than logging and troubleshooting.

Pattern: [a-zA-Z0-9_\-\. ]{1,64}
AuthorizationstringOptional

Oauth Access Token (optional)

Example: 'Bearer: 2zzLJmBAtTNIU8nF8e8XbmDvaNGs'
Responses
200

OK

application/json
encryptedDatastring · max: 8192Required

The encryptedData is the encrypted json (cf http://www.json.org/ ) representation of the card credentials.
This value is encrypted using the JWE encryption (please refer to the Sensitive Information Encryption for more details)

Content

Once deciphered, the plaintext contains:

JSON field parameter namedescriptionMOCFormat
panThe funding pan value.Mstring - from 10 to 19 digits
expThe expiry date of the card.Mstring - 4 digits, following the format MMYY
nameThe card holder name.Ostring - up to 128 characters
cvvThe CVV2 value of the funding cardMstring - 3 or 4 digits
auxiliaryPanThe auxiliary funding pan value.It shall be provided when cobadge is supported and if the card has an auxiliary pan.Cstring - up to 19 digits
auxiliaryExpThe auxiliary expiry date of the card.It shall be provided when cobadge is supported and if the card has an auxiliary pan.Cstring - 4 digits, following the format MMYY
customSuffixlast 4 digits of the display pan which is different than the actual funding panOstring - 4 digits
get
/cms/api/v1/issuers/{issuerId}/cards/{cardId}/credentials

Verify Card

post

When a tokenization request reaches D1, D1 calls the CMS (Card Management System) with this method to verify the status of card for which the tokenization has been requested.

It is expected that the CMS verifies the consistency between the card information provided versus the card information known by the CMS itself. As a minimum, the CMS should check the following:

  • that the PAN number is valid

  • if no expiration date is provided, that the card has not expired

  • if a CVV is provided, that it is valid

It is important that the CMS provides a proper result response because D1 uses this result when making a decision regarding the tokenization request of the card.

Along with the card details, D1 provides a unique card reference, cardId. The CMS can, OPTIONALLY, override this value by providing its own card ID in the response. In this case, however, CMS must guarantee the uniqueness of the ID.

It is required to provide a reference of the cardholder information (consumerId). This reference will be used by the D1 to request the cardholder contacts details to the Core Banking system.

Authorizations
OAuth2clientCredentialsRequired

OAUTH activation for outbound endpoints is optional part of D1 Tenant configuration (Refresh URL, Token URL, Credentials, Scope) A CMS entity wishing to opt for OAUTH scheme needs to support an endpoint (Token URL) from which the access token can be retrieved. This endpoint shall support HTTP POST Client Credentials grant requests in x-www-form-urlencoded content type as specified here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

Token URL:
Path parameters
issuerIdstring · min: 10 · max: 10Required

The id of the issuer

Header parameters
x-correlation-idstring · min: 1 · max: 64Optional

Random identifier which can be used to correlate the different API calls done as part of a single use-case. This identifier will be the one primarily used for troubleshooting.

There is no strong guarantee of the uniqueness of this identifier, so please refrain from using it for purposes other than logging and troubleshooting.

Pattern: [a-zA-Z0-9_\-\. ]{1,64}
AuthorizationstringOptional

Oauth Access Token (optional)

Example: 'Bearer: 2zzLJmBAtTNIU8nF8e8XbmDvaNGs'
Body
encryptedDatastring · max: 8192Required

The encryptedData is the encrypted json (cf http://www.json.org/ ) representation of the card credentials.
This value is encrypted using the JWE encryption (please refer to the Sensitive Information Encryption for more details)

Content

Once deciphered, the plaintext contains:

JSON field parameter namedescriptionMOCFormat
panThe funding pan value.Mstring - from 10 to 19 digits
expThe expiry date of the card.Mstring - 4 digits, following the format MMYY
nameThe card holder name.Ostring - up to 128 characters
cvvThe CVV2 value of the funding cardOstring - 3 or 4 digits
cardIdstring · min: 1 · max: 48Required

Unique identifier of the card.

Pattern: [A-Za-z0-9_-]{1,48}
cardBinstring · min: 6 · max: 6Required

The first 6 digits of the PAN

Responses
200

OK

application/json
cardIdstring · min: 1 · max: 48Optional

Unique identifier of the card.

OPTIONAL. In case CMS has already its own card identifier and prefers to use it in place of the one provided.

Pattern: [A-Za-z0-9_-]{1,48}
consumerIdstring · min: 1 · max: 64Optional

Unique identifier of the end user.

Must be provided only when the card verification is successful: verificationResults.card.invalid flag is false.

Pattern: [A-Za-z0-9_-]{1,64}
accountIdstring · min: 1 · max: 64Optional

Unique identifier of the account.

If not provided, the value from consumerId will be applied.

Pattern: [A-Za-z0-9_-]{1,64}
post
/cms/api/v1/issuers/{issuerId}/cards/credentials

Notify Card Operation (v1)

post

This request is used by D1 to notify the issuer backend about all operations done on a card.

Authorizations
OAuth2clientCredentialsRequired

OAUTH activation for outbound endpoints is optional part of D1 Tenant configuration (Refresh URL, Token URL, Credentials, Scope) A CMS entity wishing to opt for OAUTH scheme needs to support an endpoint (Token URL) from which the access token can be retrieved. This endpoint shall support HTTP POST Client Credentials grant requests in x-www-form-urlencoded content type as specified here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

Token URL:
Path parameters
issuerIdstring · min: 10 · max: 10Required

The id of the issuer

cardIdstring · min: 1 · max: 48Required

Unique identifier of the card.

Pattern: [A-Za-z0-9_-]{1,48}
Header parameters
x-correlation-idstring · min: 1 · max: 64Optional

Random identifier which can be used to correlate the different API calls done as part of a single use-case. This identifier will be the one primarily used for troubleshooting.

There is no strong guarantee of the uniqueness of this identifier, so please refrain from using it for purposes other than logging and troubleshooting.

Pattern: [a-zA-Z0-9_\-\. ]{1,64}
AuthorizationstringOptional

Oauth Access token (optional)

Example: 'Bearer 2zzLJmBAtTNIU8nF8e8XbmDvaNGs'
Body

The following object represent the account

operationIdstring · min: 1 · max: 64Required

Unique identifier of the operation

Pattern: [A-Za-z0-9_-]{1,64}
operationstring · enumRequired

The name of the operation done or ongoing on the card.
A DIGITIZE (meaning tokenize) operation can occur only on a virtual card or physical card, and means the card has been digitized (tokenized) (or it is in the process of being so)

Possible values:
digitalCardIdsstring[]Optional

Unique identifier of the digital cards concerned by the operation.

statusstring · enumRequired

Status of the operation

Possible values:
Responses
post
/notifications/d1/v1/issuers/{issuerId}/cards/{cardId}/notifications
No content

Notify 3-D Secure Card Operation

post

This request is used by D1 to notify the issuer backend about all 3-D Secure operations done on a card.

Path parameters
issuerIdstring · min: 10 · max: 10Required

The id of the issuer

cardIdstring · min: 1 · max: 48Required

Unique identifier of the card.

Pattern: [A-Za-z0-9_-]{1,48}
Header parameters
x-correlation-idstring · min: 1 · max: 64Optional

Random identifier which can be used to correlate the different API calls done as part of a single use-case. This identifier will be the one primarily used for troubleshooting.

There is no strong guarantee of the uniqueness of this identifier, so please refrain from using it for purposes other than logging and troubleshooting.

Pattern: [a-zA-Z0-9_\-\. ]{1,64}
Body

Details about a 3-D Secure operation.

operationIdstring · min: 1 · max: 64Required

Unique identifier of the operation

Pattern: [A-Za-z0-9_-]{1,64}
operationstring · enumRequired

The operation type.

Possible values:
statusstring · enumRequired

Status of the operation

Possible values:
startTimestring · min: 1 · max: 64Required

The time the request has been processed. Format ISO 8601 YYYY-MM-DDThh:mm:ssTZD

Example: 2022-06-16T06:28:02.492Z
consumerIdstring · min: 1 · max: 64Optional

Unique identifier of the end user.

Pattern: [A-Za-z0-9_-]{1,64}
detailsone ofOptional
errorstringOptional

Human readable string representing the error, only present in case of operation failure

Responses
post
/notifications/d1/v1/issuers/{issuerId}/cards/{cardId}/3ds/notifications
No content

Notify Card Operations (v2)

post

This request is used by D1 to notify the system of the bank about any card operation update. There is a retry mechanism in case the notification has not been sent. Thus the bank system can use this notification to synchronize card operation status with their card repository. The number max of card operation in the notification is defined at onboarding time according to bank's system capability. Each operation is linked to a given cardId, and can contain a message decidicated for the final end-user.

Authorizations
OAuth2clientCredentialsRequired

OAUTH activation for outbound endpoints is optional part of D1 Tenant configuration (Refresh URL, Token URL, Credentials, Scope) A CMS entity wishing to opt for OAUTH scheme needs to support an endpoint (Token URL) from which the access token can be retrieved. This endpoint shall support HTTP POST Client Credentials grant requests in x-www-form-urlencoded content type as specified here: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.2

Token URL:
Path parameters
issuerIdstring · min: 10 · max: 10Required

The id of the issuer

Header parameters
x-correlation-idstring · min: 1 · max: 64Optional

Random identifier which can be used to correlate the different API calls done as part of a single use-case. This identifier will be the one primarily used for troubleshooting.

There is no strong guarantee of the uniqueness of this identifier, so please refrain from using it for purposes other than logging and troubleshooting.

Pattern: [a-zA-Z0-9_\-\. ]{1,64}
AuthorizationstringOptional

Oauth Access token (optional)

Example: 'Bearer 2zzLJmBAtTNIU8nF8e8XbmDvaNGs'
Body
Responses
post
/notifications/d1/v2/issuers/{issuerId}/cards
No content
PreviousOutboundNextModels

Last updated

Was this helpful?