Hi all,
We are trying to figure out the implementation flow to push provision a card to a Google or Apple Pay wallet, by using vCardId sent from VISA API. According to SDK docs, we should call GetSupportedWallets method from mobile app, and provide encryptedPayload of the card.
How can we construct and encrypt this object from the vCardId? Is there some specification on this payload and method of encryption? Should this operation be done on mobile or server side (due to sensitivity of the encryption keys)?
Another concern is PCI compliance. If the content being encrypted needs to contain a PAN, our server is not PCI compliant so it can't read a PAN from the API of the issuer.
Hi @tom_dcsinnov, Thank you for reaching out. An agent will get back to you as soon as possible. Until then, if any community member has information that may be helpful, feel free to reply in this thread.
Hey @tom_dcsinnov,
Thanks for reaching out to Visa Developer Support. I have an excellent resource for discussing your Visa In-App Provisioning questions that I'd like to introduce to you. Their names are Anup and Shahzad and I've included them on this thread. Anup and Shahzad are very knowledgeable and friendly so I’m sure you’ll enjoy working with them. Please reach out to Anup and Shahzad if you have questions and they will be happy to help.
Please find below the test data.
***************************************************************************************
Encryption Key
VisaPublicKey_ForEncryption_Sbx_Cert.pem |
Visa Public Key used in JWE Asymmetric Encryption. |
Q2AY3V5E3ICNBUU66D8K11hBmzqdXSvTiNzZ-YnpozWRXTo50 |
KID – To be used in JWE Header |
Test Data – VDP Sandbox (sandbox.api.visa.com)
Google Pay
PAN |
X51X23XX20053999 – Replace X with 4 X51X231XX7208143 |
deviceID |
uztEQocBRFrbK5hCgcDbxqw_ |
Apple Pay
PAN |
45X42344X3926268 – Replace X with 1 45X4236833852412 |
deviceCert |
(base64-encoded sandbox device certificate omitted) |
nonceSignature |
QHuLYArUCO2OZevP0rHc99g9RJp4O1dgsZuVpUdlA7zPWqCDhVQo9Mxr1uPS6GVyjZYo3YElIhHRV4Mv3wEJ3hGOaxK1gResup88QWDK1fL0 |
nonce |
kauVuA== |
Sample Card Object
Card Object
{
"accountNumber": "451X234413926268",
"nameOnCard": "Google",
"expirationDate": {
"month": "12",
"year": "2022"
},
"cvv2": "533",
"billingAddress": {
"name": "shankar",
"line1": "12301 Research Boulevard",
"line2": "Research Boulevard",
"line3": "Visa USA",
"city": "Austin",
"state": "TX",
"countryCode": "US",
"postalCode": "78759"
}
}
************************************************************************************
To push provision a card to a Google or Apple Pay wallet using the Enroll Card API and VDEP SDK on the Visa Developer platform, you need to follow a specific implementation flow. Here’s a detailed guide on how to achieve this, addressing your concerns about constructing and encrypting the payload and PCI compliance.
1. Use the Enroll Card API:
- Firstly, you need to use the Enroll Card API to enroll the card and receive the `vCardId`.
2. GetSupportedWallets method:
- From your mobile app, call the `GetSupportedWallets` method provided by the VDEP SDK to determine which wallets (Google Pay, Apple Pay) are supported.
3. Construct and Encrypt the Payload:
- The payload that needs to be constructed from the `vCardId` must be encrypted before sending it to the mobile app. This should ideally be done on the server-side due to the sensitivity of the encryption keys and to maintain security.
- The encryption method and payload structure are specified in the VDEP SDK documentation. It typically involves using encryption keys provided by Visa or the wallet provider.
4. Encryption Specification:
- The encrypted payload should include details such as the PAN (Primary Account Number), expiration date, and other card details. This sensitive information must be encrypted using the specified encryption algorithms and keys.
- Refer to the [Visa Developer Documentation](https://developer.visa.com/) for exact specifications on how to construct and encrypt this payload.
5. PCI Compliance:
- Since your server is not PCI compliant, it should not handle or read the PAN directly. Instead, use Visa's services to handle sensitive card information.
- Visa provides tokenization services through which sensitive card details are converted into tokens. Your server can work with these tokens, which are PCI compliant.
- Ensure that the operation of constructing and encrypting the payload is done in a PCI compliant environment if it involves handling PAN or other sensitive information.
6. Server-Side Implementation:
- Implement server-side logic to construct the payload using the `vCardId`, then encrypt the payload using the encryption keys.
- Send the encrypted payload to the mobile app, where it can be used to provision the card to the wallet.
Here is a high-level implementation flow:
1. Enroll Card:
- Send a request to Enroll Card API and receive the `vCardId`.
2. Construct Payload:
- On the server-side, construct the payload including necessary card details.
3. Encrypt Payload:
- Encrypt the payload using the specified encryption method and keys.
4. Send Encrypted Payload:
- Send the encrypted payload to the mobile app.
5. Provision Card:
- Use the VDEP SDK on the mobile app to provision the card to the supported wallet using the encrypted payload.
For specific details on constructing and encrypting the payload, refer to the SDK documentation and API specifications on the Visa Developer Platform (https://developer.visa.com/).
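The server-side "Encrypt Payload" step from the answer above, as an added example that is not part of the original thread or of Visa's SDK: it builds a JWE compact serialization (RFC 7516) with the KID in the protected header and shows that the header is integrity-protected. Assumptions: the `RSA-OAEP-256` / `A256GCM` algorithms, the payload field names, the placeholder KID, and a locally generated key pair standing in for the Visa sandbox public key; the real values come from the Visa specification.

```javascript
// Added example: JWE compact serialization using only Node's built-in crypto.
const crypto = require('node:crypto');

const b64u = (data) => Buffer.from(data).toString('base64url');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt a JSON payload to the recipient's public key.
// ASSUMPTION: alg/enc values are illustrative, not taken from the Visa spec.
function encryptJwe(payload, publicKeyPem, kid) {
  const header = b64u(JSON.stringify({ alg: 'RSA-OAEP-256', enc: 'A256GCM', kid }));
  const cek = crypto.randomBytes(32); // fresh content-encryption key per message
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce, never reused with a CEK
  const wrappedKey = crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, cek);
  const cipher = crypto.createCipheriv('aes-256-gcm', cek, iv);
  cipher.setAAD(Buffer.from(header, 'ascii')); // binds the header (and kid) to the tag
  const ct = Buffer.concat([cipher.update(JSON.stringify(payload), 'utf8'), cipher.final()]);
  return [header, b64u(wrappedKey), b64u(iv), b64u(ct), b64u(cipher.getAuthTag())].join('.');
}

// Recipient side, included only so the round trip can be checked locally.
function decryptJwe(jwe, privateKeyPem) {
  const [header, wrappedKey, iv, ct, tag] = jwe.split('.');
  const cek = crypto.privateDecrypt({ key: privateKeyPem, ...OAEP },
    Buffer.from(wrappedKey, 'base64url'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', cek, Buffer.from(iv, 'base64url'));
  decipher.setAAD(Buffer.from(header, 'ascii'));
  decipher.setAuthTag(Buffer.from(tag, 'base64url'));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64url')), decipher.final()]);
  return {
    header: JSON.parse(Buffer.from(header, 'base64url').toString('utf8')),
    payload: JSON.parse(pt.toString('utf8')),
  };
}

// Constructed stand-ins: a throwaway RSA key pair and placeholder identifiers.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const SAMPLE_PAYLOAD = { vCardId: 'EXAMPLE-VCARD-ID' }; // hypothetical field layout
const jwe = encryptJwe(SAMPLE_PAYLOAD, publicKey, 'EXAMPLE-KID');
console.log('JWE segments:', jwe.split('.').length);
console.log('kid seen by recipient:', decryptJwe(jwe, privateKey).header.kid);
```

Only the public key is needed on the encrypting side, so the server never holds a secret capable of decrypting the payload it produces.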
Hello,
Thank you for the clarification of the flow. It's clear to me.
Can you please clarify on this step?
4. Encryption Specification:
- The encrypted payload should include details such as the PAN (Primary Account Number), expiration date, and other card details. This sensitive information must be encrypted using the specified encryption algorithms and keys.
Is the PAN needed in case we have the vCardId in the encryption payload? Because the whole point of using the vCardId is for us to reduce the need to read the PAN due to PCI compliance.
Thank you so much