In-App-Provisioning using Enroll Card API and VDEP SDK

tom_dcsinnov
Occasional Visitor

Hi all,

We are trying to figure out the implementation flow to push provision a card to a Google or Apple Pay wallet, by using the vCardId sent from the VISA API. According to the SDK docs, we should call the GetSupportedWallets method from the mobile app, and provide the encryptedPayload of the card.
How can we construct and encrypt this object from the vCardId? Is there some specification on this payload and method of encryption? Should this operation be done on mobile or server side (due to sensitivity of the encryption keys)?

Another concern is PCI compliance. If the content being encrypted needs to contain a PAN, our server is not PCI compliant so it can't read a PAN from the API of the issuer.

SyedSa
Community Moderator

Re: In-App-Provisioning using Enroll Card API and VDEP SDK

Hi @tom_dcsinnov, Thank you for reaching out. An agent will get back to you as soon as possible. Until then, if any community member has information that may be helpful, feel free to reply in this thread.

API_Products
Visa Developer Support Specialist

Re: In-App-Provisioning using Enroll Card API and VDEP SDK

Hey @tom_dcsinnov,

Thanks for reaching out to Visa Developer Support. I have an excellent resource for discussing your Visa In-App Provisioning questions that I'd like to introduce to you. Their names are Anup and Shahzad and I've included them on this thread. Anup and Shahzad are very knowledgeable and friendly so I’m sure you’ll enjoy working with them. Please reach out to Anup and Shahzad if you have questions and they will be happy to help.

Please find below the test data.

***************************************************************************************

Encryption Key

- VisaPublicKey_ForEncryption_Sbx_Cert.pem: Visa Public Key used in JWE Asymmetric Encryption.
- Q2AY3V5E3ICNBUU66D8K11hBmzqdXSvTiNzZ-YnpozWRXTo50: KID – To be used in JWE Header

Test Data – VDP Sandbox (sandbox.api.visa.com)

Google Pay

PAN

- X51X23XX20053999 – Replace X with 4
- X51X231XX7208143

deviceID

uztEQocBRFrbK5hCgcDbxqw_

Apple Pay

PAN

- 45X42344X3926268 – Replace X with 1
- 45X4236833852412

deviceCert

MIID/TCCA6OgAwIBAgIIMq/qUa9Z2nMwCgYIKoZIzj0EAwIwgYAxNDAyBgNVBAMMK0FwcGxlIFdvcmxkd2lkZSBEZXZlbG9wZXIgUmVsYXRpb25zIENBIC0gRzIxJjAkBgNVBAsMHUFwcGxlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRMwEQYDVQQKDApBcHBsZSBJbmMuMQswCQYDVQQGEwJVUzAeFw0xODA2MDEyMjAzMTBaFw0yMDA2MzAyMjAzMTBaMGwxNTAzBgNVBAMMLGVjYy1jcnlwdG8tc2VydmljZXMtZW5jaXBoZXJtZW50X1VDNi1TQU5EQk9YMREwDwYDVQQLDAhBcHBsZVBheTETMBEGA1UECgwKQXBwbGUgSW5jLjELMAkGA1UEBhMCVVMwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATGiJjmEMmvOZBGj+tdj2ED7xnc9y1C0vNVaqZva7lvKkbgrfcWdo0/NdIJZ5wDcZ0eBtPuRJ+q/eSP9FLXQ19wo4ICGDCCAhQwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSEtoTMOoZichZZlOgao71I3zrfCzBHBggrBgEFBQcBAQQ7MDkwNwYIKwYBBQUHMAGGK2h0dHA6Ly9vY3NwLmFwcGxlLmNvbS9vY3NwMDMtYXBwbGV3d2RyY2EyMDUwggEdBgNVHSAEggEUMIIBEDCCAQwGCSqGSIb3Y2QFATCB/jCBwwYIKwYBBQUHAgIwgbYMgbNSZWxpYW5jZSBvbiB0aGlzIGNlcnRpZmljYXRlIGJ5IGFueSBwYXJ0eSBhc3N1bWVzIGFjY2VwdGFuY2Ugb2YgdGhlIHRoZW4gYXBwbGljYWJsZSBzdGFuZGFyZCB0ZXJtcyBhbmQgY29uZGl0aW9ucyBvZiB1c2UsIGNlcnRpZmljYXRlIHBvbGljeSBhbmQgY2VydGlmaWNhdGlvbiBwcmFjdGljZSBzdGF0ZW1lbnRzLjA2BggrBgEFBQcCARYqaHR0cDovL3d3dy5hcHBsZS5jb20vY2VydGlmaWNhdGVhdXRob3JpdHkvMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuYXBwbGUuY29tL2FwcGxld3dkcmNhMi5jcmwwHQYDVR0OBBYEFMNruSHk5gH1LauD+wBI/9sgl/VpMA4GA1UdDwEB/wQEAwIDKDASBgkqhkiG92NkBicBAf8EAgUAMAoGCCqGSM49BAMCA0gAMEUCIQDhL+sL9bcrvAVO3UvswA805EHujfL7iVDrbEuJfOSJoAIgBPKehtuILl9x/SJ5kxReiml1zkJqUB8nTy0UOfUNIIQ=

nonceSignature

QHuLYArUCO2OZevP0rHc99g9RJp4O1dgsZuVpUdlA7zPWqCDhVQo9Mxr1uPS6GVyjZYo3YElIhHRV4Mv3wEJ3hGOaxK1gResup88QWDK1fL0

nonce

kauVuA==

Sample Card Object

Card Object

{
    "accountNumber": "451X234413926268",
    "nameOnCard": "Google",
    "expirationDate": {
        "month": "12",
        "year": "2022"
    },
    "cvv2": "533",
    "billingAddress": {
        "name": "shankar",
        "line1": "12301 Research Boulevard",
        "line2": "Research Boulevard",
        "line3": "Visa USA",
        "city": "Austin",
        "state": "TX",
        "countryCode": "US",
        "postalCode": "78759"
    }
}

************************************************************************************

To push provision a card to a Google or Apple Pay wallet using the Enroll Card API and VDEP SDK on the Visa Developer platform, you need to follow a specific implementation flow. Here’s a detailed guide on how to achieve this, addressing your concerns about constructing and encrypting the payload and PCI compliance.

1. Use the Enroll Card API:
- Firstly, you need to use the Enroll Card API to enroll the card and receive the `vCardId`.

2. GetSupportedWallets method:
- From your mobile app, call the `GetSupportedWallets` method provided by the VDEP SDK to determine which wallets (Google Pay, Apple Pay) are supported.

3. Construct and Encrypt the Payload:
- The payload that needs to be constructed from the `vCardId` must be encrypted before sending it to the mobile app. This should ideally be done on the server-side due to the sensitivity of the encryption keys and to maintain security.
- The encryption method and payload structure are specified in the VDEP SDK documentation. It typically involves using encryption keys provided by Visa or the wallet provider.

4. Encryption Specification:
- The encrypted payload should include details such as the PAN (Primary Account Number), expiration date, and other card details. This sensitive information must be encrypted using the specified encryption algorithms and keys.
- Refer to the [Visa Developer Documentation](https://developer.visa.com/) for exact specifications on how to construct and encrypt this payload.

5. PCI Compliance:
- Since your server is not PCI compliant, it should not handle or read the PAN directly. Instead, use Visa's services to handle sensitive card information.
- Visa provides tokenization services through which sensitive card details are converted into tokens. Your server can work with these tokens, which are PCI compliant.
- Ensure that the operation of constructing and encrypting the payload is done in a PCI compliant environment if it involves handling PAN or other sensitive information.

6. Server-Side Implementation:
- Implement server-side logic to construct the payload using the `vCardId`, then encrypt the payload using the encryption keys.
- Send the encrypted payload to the mobile app, where it can be used to provision the card to the wallet.

Here is a high-level implementation flow:

1. Enroll Card:
- Send a request to Enroll Card API and receive the `vCardId`.

2. Construct Payload:
- On the server-side, construct the payload including necessary card details.

3. Encrypt Payload:
- Encrypt the payload using the specified encryption method and keys.

4. Send Encrypted Payload:
- Send the encrypted payload to the mobile app.

5. Provision Card:
- Use the VDEP SDK on the mobile app to provision the card to the supported wallet using the encrypted payload.

For specific details on constructing and encrypting the payload, refer to the SDK documentation and API specifications on the Visa Developer Platform (https://developer.visa.com/).

Thanks,

Diana
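
A check that can run on the `encryptedPayload` before it is handed to the SDK, written as an added example that is not part of the thread or of Visa's SDK: it confirms the value is a five-part compact JWE whose protected header names a public-key algorithm and the expected KID. The algorithm allow-list, the `enc` value and the placeholder KID are assumptions, since the thread does not state which algorithms Visa requires.

```python
import base64
import json
import re

# Assumption: public-key JWE "alg" values from RFC 7518; the thread does not
# say which one Visa requires, so adjust this set to the SDK documentation.
ASYMMETRIC_ALGS = {"RSA-OAEP", "RSA-OAEP-256", "ECDH-ES", "ECDH-ES+A256KW"}


def _b64url_decode(segment: str) -> bytes:
    """Strictly decode one unpadded base64url segment (may be empty)."""
    if not re.fullmatch(r"[A-Za-z0-9_-]*", segment):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwe(compact: str, expected_kid: str) -> dict:
    """Return the protected header if `compact` looks like the JWE we expect."""
    parts = compact.split(".")
    # Three segments would be a JWS: signed but readable, so card data in it
    # would not be encrypted at all.
    if len(parts) != 5:
        raise ValueError(f"expected 5 JWE segments, got {len(parts)}")
    header_raw, _key, _iv, ciphertext, _tag = (_b64url_decode(p) for p in parts)
    if not header_raw or not ciphertext:
        raise ValueError("missing protected header or ciphertext")
    header = json.loads(header_raw)
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    if header.get("alg") not in ASYMMETRIC_ALGS:
        raise ValueError(f"alg {header.get('alg')!r} is not a public-key algorithm")
    if header.get("kid") != expected_kid:
        raise ValueError("kid does not match the configured encryption key")
    return header


def make_sample(kid: str, alg: str = "RSA-OAEP-256") -> str:
    """Constructed JWE-shaped string; filler bytes stand in for real output."""
    header = json.dumps({"alg": alg, "enc": "A256GCM", "kid": kid}).encode()
    segments = (header, b"\x01" * 256, b"\x02" * 12, b"\x03" * 64, b"\x04" * 16)
    return ".".join(
        base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segments)


if __name__ == "__main__":
    kid = "SANDBOX-KID-PLACEHOLDER"  # placeholder, not a real key identifier
    print(inspect_jwe(make_sample(kid), kid))
```

This only inspects the envelope; it cannot tell what is inside the ciphertext, so it does not replace keeping the PAN out of a non-PCI environment.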




tom_dcsinnov
Occasional Visitor

Re: In-App-Provisioning using Enroll Card API and VDEP SDK

Hello,

Thank you for the clarification of the flow. It's clear to me.

Can you please clarify on this step?
4. Encryption Specification:
- The encrypted payload should include details such as the PAN (Primary Account Number), expiration date, and other card details. This sensitive information must be encrypted using the specified encryption algorithms and keys.

Is the PAN needed in case we have the vCardId in the encryption payload? Because the whole point of using the vCardId is for us to reduce the need to read the PAN due to PCI compliance.

Thank you so much