# Security

The Thales platform relies on multiple security layers.

These controls apply to both communication channels:

* Thales → customer
* Customer → Thales

## TLS mutual authentication

Transport security uses **TLS 1.2** with **mutual authentication (mTLS)**.

The client must present a valid client certificate when connecting to the server.

## API key authentication

The API consumer must send an API key in every HTTP request.

The API key is defined at the start of the project and can be renewed over time.

## Encrypt cardholder data (JWE)

Cardholder data is always exchanged encrypted using **JSON Web Encryption (JWE)**.

JWE is defined in [RFC 7516](https://www.rfc-editor.org/rfc/rfc7516).

The algorithms used are:

* `RSA-OAEP-256` to encrypt the content encryption key (CEK)
* `A256GCM` for content encryption

JWE **compact serialization** applies.

### Certificates and key identifiers

At the start of the project, the customer generates an RSA 2048-bit key pair.

The customer sends Thales a PEM certificate and its key identifier.

The Thales backend uses this certificate to encrypt cardholder data sent to the customer.

Thales provides the customer with a PEM certificate and its key identifier.

The customer uses this certificate to encrypt cardholder data sent to the Thales backend.

Each JWE sets the key identifier in the protected header as `kid`.

JWE header example:

```json
{
  "alg": "RSA-OAEP-256",
  "enc": "A256GCM",
  "kid": "1234"
}
```
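The sender side of the scheme above, as an added example that is not Thales code: it builds a compact JWE with `RSA-OAEP-256` key wrapping, `A256GCM` content encryption and `kid` in the protected header, using only Go's standard library. The function names, the throwaway key pair standing in for the recipient's certificate key, and the sample payload are assumptions; the `kid` value is the one from the header example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// newDemoKey makes a throwaway RSA 2048-bit key standing in for the recipient's key pair (assumption).
func newDemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// EncryptJWE returns a compact JWE (header.key.iv.ciphertext.tag) for the recipient key pub.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	buf := make([]byte, 44) // fresh 32-byte CEK and 12-byte IV for every message
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil) // OAEP with SHA-256
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	b64 := base64.RawURLEncoding.EncodeToString
	aad := b64(hdr) // the encoded protected header is the AAD, so alg, enc and kid are authenticated
	sealed := gcm.Seal(nil, iv, plaintext, []byte(aad))
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:] // Go appends the 16-byte tag
	return strings.Join([]string{aad, b64(wrapped), b64(iv), b64(ct), b64(tag)}, "."), nil
}

func main() {
	key, _ := newDemoKey()
	fmt.Println(EncryptJWE(&key.PublicKey, "1234", []byte(`{"sample":"constructed payload"}`)))
}
```

On the receiving side, check that `alg`, `enc` and `kid` in the protected header match the agreed values before unwrapping the key.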
