Security
TLS mutual authentication
API key authentication
Encrypt cardholder data (JWE)
Certificates and key identifiers
The Thales platform relies on multiple security layers.
These controls apply to both communication channels:
Thales → customer
Customer → Thales
Transport security uses TLS 1.2 with mutual authentication (mTLS).
The client must present a valid client certificate during the TLS handshake; the server rejects connections that do not.
In addition to the client certificate, the API consumer must send its API key in every HTTP request.
The API key is issued at the start of the project and can be rotated over time.
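The two request-level controls above, mTLS and the API key, as an added example in Go (this is not Thales code): an in-memory CA issues a server certificate and a customer client certificate, the server requires TLS 1.2 or later plus a valid client certificate, and a handler then checks the API key on every request. The header name X-API-Key, the demo key values and the use of ECDSA P-256 certificates are assumptions made for the example; the page does not say how the key is transmitted or which key type the TLS certificates use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// The page does not name the header that carries the API key; X-API-Key is an assumption of this demo.
const apiKeyHeader = "X-API-Key"
// newCert issues a certificate for template, signed by parent (self-signed when parent is nil).
func newCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 for speed; the page does not dictate the TLS key type
	template.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	template.NotBefore, template.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert, key
}

// apiKeyMiddleware is the second layer: mTLS admitted the connection, every request must still carry the API key.
func apiKeyMiddleware(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get(apiKeyHeader)), []byte(expected)) != 1 { // constant-time compare
			http.Error(w, "invalid API key", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// startServer brings up the mTLS server behind the API-key check and returns the CA pool plus a client certificate.
func startServer(apiKey string) (*httptest.Server, *x509.CertPool, tls.Certificate) {
	_, caCert, caKey := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "demo CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	serverCert, _, _ := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "api"},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, caCert, caKey)
	clientCert, _, _ := newCert(&x509.Certificate{Subject: pkix.Name{CommonName: "customer"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, caCert, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })
	srv := httptest.NewUnstartedServer(apiKeyMiddleware(apiKey, ok))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,               // TLS 1.2 as the floor, newer versions allowed
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no valid client certificate, no connection
		ClientCAs:    pool,
	}
	srv.StartTLS()
	return srv, pool, clientCert
}

// call performs one GET as the customer (clientCert nil = present none) and returns the HTTP status, or -1 when TLS refused.
func call(url string, pool *x509.CertPool, clientCert *tls.Certificate, apiKey string) int {
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, _ := http.NewRequest("GET", url, nil)
	if apiKey != "" {
		req.Header.Set(apiKeyHeader, apiKey)
	}
	resp, err := client.Do(req)
	if err != nil {
		return -1
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() {
	srv, pool, clientCert := startServer("demo-project-key") // key value constructed for the demo
	defer srv.Close()
	fmt.Println("cert + key:", call(srv.URL, pool, &clientCert, "demo-project-key")) // 200
	fmt.Println("cert, wrong key:", call(srv.URL, pool, &clientCert, "wrong"))        // 401
	fmt.Println("no cert:", call(srv.URL, pool, nil, "demo-project-key"))            // -1
}
```

The three calls in main show the layering: a valid certificate with the right key is served, a valid certificate with the wrong key is rejected at the application layer with 401, and a connection without a client certificate never reaches the handler because the TLS handshake fails.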
Cardholder data is always exchanged encrypted using JSON Web Encryption (JWE), independently of the TLS protection of the channel.
JWE is defined in RFC 7516.
The algorithms used are:
RSA-OAEP-256 to encrypt the content encryption key (CEK)
A256GCM for content encryption
JWE compact serialization is used: five base64url segments (protected header, encrypted key, initialization vector, ciphertext, authentication tag) joined with dots.
At the start of the project, the customer generates an RSA 2048-bit key pair.
The customer sends Thales a PEM certificate for this key pair, together with its key identifier; the private key stays with the customer.
The Thales backend uses the public key in this certificate to encrypt cardholder data sent to the customer.
Conversely, Thales provides the customer with a PEM certificate and its key identifier.
The customer uses this certificate to encrypt cardholder data sent to the Thales backend.
Each JWE carries the key identifier of the certificate used in its protected header as the kid parameter, so the recipient knows which private key decrypts it.
// JWE header example
{
"alg": "RSA-OAEP-256",
"enc": "A256GCM",
"kid": "1234"
}
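An added example (not Thales code) that implements the JWE profile described above end to end with the Go standard library: RSA-OAEP-256 key wrapping, A256GCM content encryption, compact serialization, and a decryptor that pins alg/enc and selects the private key by kid, producing exactly the protected header shown above. The throwaway RSA 2048 key pair, the kid value "1234" and the sample payload are constructed for the demo; in the real integration the public key comes from the peer's PEM certificate and the private key from the party's own key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// The algorithm pair is fixed by the integration; the decryptor accepts nothing else.
const jweAlg, jweEnc = "RSA-OAEP-256", "A256GCM"
var b64 = base64.RawURLEncoding // JWE segments are base64url without padding

// jweHeader is the JWE protected header, carried as the first compact segment.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
	Kid string `json:"kid"` // identifies the recipient key pair
}

// encryptJWE wraps a fresh AES-256 CEK with RSA-OAEP (SHA-256), seals plaintext with AES-GCM and returns the compact JWE.
func encryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	hdrJSON, _ := json.Marshal(jweHeader{Alg: jweAlg, Enc: jweEnc, Kid: kid}) // cannot fail for plain strings
	protected := b64.EncodeToString(hdrJSON)
	buf := make([]byte, 32+12) // 256-bit CEK plus 96-bit GCM IV, both fresh per message
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	// RSA-OAEP-256: OAEP with SHA-256 as both the hash and the MGF1 hash, empty label.
	wrappedCEK, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek) // only fails on a bad key size; cek is 32 bytes by construction
	gcm, _ := cipher.NewGCM(block)
	// RFC 7516 section 5.1: the AAD is the ASCII bytes of the base64url protected header.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the 128-bit tag; JWE carries it as its own segment
	return strings.Join([]string{protected, b64.EncodeToString(wrappedCEK), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}, "."), nil
}

// decryptJWE parses a compact JWE, pins alg/enc, selects the private key by kid and returns the plaintext.
func decryptJWE(token string, keys map[string]*rsa.PrivateKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, errors.New("jwe: compact serialization needs 5 segments")
	}
	seg := make([][]byte, 5)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("jwe: segment %d is not base64url", i)
		}
		seg[i] = b
	}
	var hdr jweHeader
	if err := json.Unmarshal(seg[0], &hdr); err != nil {
		return nil, errors.New("jwe: malformed protected header")
	}
	// Never let the sender choose the algorithm: only the agreed pair is accepted.
	if hdr.Alg != jweAlg || hdr.Enc != jweEnc {
		return nil, fmt.Errorf("jwe: unexpected alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	priv, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("jwe: unknown kid %q", hdr.Kid)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, seg[1], nil)
	if err != nil || len(cek) != 32 {
		return nil, errors.New("jwe: CEK unwrap failed") // deliberately non-specific
	}
	block, _ := aes.NewCipher(cek) // key size checked above
	gcm, _ := cipher.NewGCM(block)
	if len(seg[2]) != gcm.NonceSize() { // gcm.Open panics on a wrong-size IV, so check first
		return nil, errors.New("jwe: bad IV length")
	}
	sealed := append(append([]byte{}, seg[3]...), seg[4]...) // ciphertext || tag, as Go's GCM expects
	pt, err := gcm.Open(nil, seg[2], sealed, []byte(parts[0]))
	if err != nil {
		return nil, errors.New("jwe: authentication tag check failed")
	}
	return pt, nil
}

func main() {
	// Constructed demo: a throwaway key pair stands in for the certificate exchanged at project start.
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	token, _ := encryptJWE(&key.PublicKey, "1234", []byte(`{"pan":"4111111111111111"}`))
	pt, err := decryptJWE(token, map[string]*rsa.PrivateKey{"1234": key})
	fmt.Println(token, "\n->", string(pt), err)
}
```

The decryptor deliberately refuses any header whose alg or enc differs from the agreed pair before touching the private key, looks the key up by kid rather than trusting anything else in the header, and returns the same generic error for a failed unwrap and a failed tag check so that a caller cannot be used as a padding or tag oracle.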