What should I deal with FLE(field-level encryption )

ashOne
Regular Visitor

What should I deal with FLE(field-level encryption )

I met a problem when I attended to impment viap api. I found  these api uses fle to encrypt , but I can not FIND ANY DOCUMENT ABOUT FLE . are there any one can find it ?

4 REPLIES 4
API_Products
Visa Developer Support Specialist

Re: What should I deal with FLE(field-level encryption )

Hey @ashOne,

 

Field-Level Encryption (FLE) in the context of Visa Developer Platform is crucial for securing sensitive data. If you're encountering issues with FLE and can't find documentation, here are some steps you can take:

 

Steps to Deal with Field-Level Encryption (FLE)

1. Check Visa Developer Documentation:
- Visit the Visa Developer Documentation at https://developer.visa.com/ and search for Field-Level Encryption.
- Look for specific API documentation which might detail the encryption process.

2. Review API Specifications:
- Each API that uses FLE should have specifications on how to handle encryption. Check the API reference for any encryption fields or parameters.

3. Contact Visa Developer Support:
- If documentation is insufficient or unavailable, contact Visa Developer Support directly. They can provide detailed guidance and support for implementing FLE.

4. Use Visa Developer Community:
- Engage with the Visa Developer Community. Other developers may have faced similar issues and can provide insights or solutions.
- Check forums and discussion boards for any threads related to FLE.

5. Follow General Encryption Practices:
- Understand the general principles of field-level encryption. This includes generating encryption keys, encrypting data before sending it, and decrypting data upon receipt.
- Implement industry-standard encryption libraries and practices in your code.

 

Example of Field-Level Encryption in Python

Here's an example of how you might handle basic encryption in Python, though specifics will depend on Visa's requirements:

```python
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import os

# START 
# Generate a key from a password
password = b"your_password"
salt = os.urandom(16)
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=100000,
)
key = kdf.derive(password)

# Encrypt some data
data = b"your_sensitive_data"
iv = os.urandom(16)
cipher = Cipher(algorithms.AES(key), modes.CFB(iv))
encryptor = cipher.encryptor()
ct = encryptor.update(data) + encryptor.finalize()

# Decrypt the data
cipher = Cipher(algorithms.AES(key), modes.CFB(iv))
decryptor = cipher.decryptor()
decrypted_data = decryptor.update(ct) + decryptor.finalize()

print(f"Original Data: {data}")
print(f"Encrypted Data: {ct}")
print(f"Decrypted Data: {decrypted_data}")
# END 
```

 

Summary

- Documentation: Refer to Visa Developer documentation for FLE.
- Support: Reach out to Visa Developer Support for help.
- Community: Engage with the Visa Developer Community for insights.
- Encryption Practices: Follow general encryption practices using industry-standard libraries. 




Thanks,

Diana H.



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

ashOne
Regular Visitor

Re: What should I deal with FLE(field-level encryption )

I got it , but I still have a problem , I found the sample code of viap (visa in app-provision), viap uses the fle to encrypt the special field  that prefix with 'enc',and the code of fle implement needs  the encryptionKid. so what does the encryptionKid actually mean ?

API_Products
Visa Developer Support Specialist

Re: What should I deal with FLE(field-level encryption )

Hey @ashOne,

 

The `encryptionKid` stands for "Encryption Key Identifier." It is a unique identifier used to reference a specific encryption key within a key management system. In the context of the Visa In-App Provisioning (VIAP) and Financial Level Encryption (FLE), the `encryptionKid` is used to identify the encryption key that will be used to encrypt sensitive fields that are prefixed with 'enc'.

 

Here's a more detailed explanation:

1. Key Management System (KMS): The KMS stores and manages encryption keys securely. Each key has a unique identifier, known as the Key Identifier (KID).

2. encryptionKid: This is the unique identifier for the specific key you want to use for encrypting data. When you pass `encryptionKid` in your API request, the Visa platform knows which encryption key to use for encrypting the specified fields.

3. Encryption Process: When you encrypt a field (e.g., a card number or personal information), the system uses the encryption key referenced by the `encryptionKid` to perform the encryption. This ensures that the data is securely encrypted before being transmitted or stored.

 

Example Usage

In your code, you might see `encryptionKid` being used like this:

```json
{
"encCardNumber": "encrypted_card_number_here",
"encryptionKid": "your_encryption_kid"
}
```

 

When you implement the encryption, the `encryptionKid` tells the system which key to use:

```python
# START 
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

def encrypt_data(data, key):
cipher = AES.new(key, AES.MODE_ECB)
encrypted_data = cipher.encrypt(pad(data.encode('utf-8'), AES.block_size))
return base64.b64encode(encrypted_data).decode('utf-8')

# Placeholder values for demonstration
data_to_encrypt = "SensitiveData"
encryption_key = b'YourEncryptionKey' # This should be a 16, 24, or 32 byte key
encryption_kid = "your_encryption_kid"

encrypted_data = encrypt_data(data_to_encrypt, encryption_key)

print("Encrypted Data:", encrypted_data)
print("Encryption KID:", encryption_kid)
# END 
```

 

Steps to Follow:

1. Key Generation: Generate an encryption key using your key management system. This key will have a unique `encryptionKid`.

2. Store the Key: Store the encryption key securely, and note down its `encryptionKid`.

3. Use the Key in Your Code: When encrypting data, use the `encryptionKid` to reference the key. Ensure that the actual key data is securely managed and not hard-coded in your application.

4. Encrypt Data: Use the referenced key to encrypt sensitive fields, ensuring that the data is secure before transmission.

 

By understanding and correctly using the `encryptionKid`, you can ensure that sensitive data is encrypted with the appropriate key, maintaining the security and integrity of your transactions.

 




Thanks,

Diana H.



Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

ashOne
Regular Visitor

Re: What should I deal with FLE(field-level encryption )

I still hava  questions,as above said,the keyId is the identity of  encrypt key generated by my kms.so the visa how to know which key  I used when pass it to visa. AND How can I pass it to visa throught  api