Get Card Data

The Get Card Data endpoint lets you deliver card data to a cardholder's device in encrypted form.

You can get encrypted data by making a POST request to the Get Card Data endpoint. For example:

{{base-url}}/cards/{{PublicToken}}/encrypted

The request body must include the device-generated session key. Its value is a base64-encoded string containing an AES key that you have encrypted with the company-specific public RSA key provided to you by Thredd.

📘

Note

If you are not PCI DSS compliant, the key must be generated and encrypted on the device itself.

📘

Note

For information on how to create and encrypt your AES Key, see Introduction to Sending Secure Data.

When you have the encoded key, add it to the request body. The example below includes the optional fields. Supplying valid paddingMode, encryptionKeyLength and hashingAlgorithm fields in the request determines how the payload in the response is encrypted.

{
  "key": "a6hse8g8wspi5mgtZfLshBJYuMbW3x8jpSqNlOxnk3r5eoDd2z0XB/5/OtJDixJCA1XbxhZWu9Tm601mA6jJKED3+E+VRiwz9IVxPGi9+RSvCp8KXWCoun1vZovVRaufXN4QNNuA3iBYyy/6D8wYpDl/3rtCLE3VdZ+L0dFdX22SSeS23T2BhaZJD0jq3XSqyJnmgdElNsX9nerL6mTkhTCvEuJYom9Pv/MolWnXtZ/jhghZxEjZogmN1zOsoeB6BlMMPD+fUgGNpJH8nkdKPqN8bM+sfD4oiT9VsQeUVnrFd5jzzlZDc7J+PBIE9w6tYg93IaEQf452y7E2eZRIwA==",
  "paddingMode": "PKCS1_5",
  "encryptionKeyLength": "Rsa2048",
  "hashingAlgorithm": "Sha256"
}

The table below describes the behaviour of the encrypted response for each request variation.

| Request | Response |
| --- | --- |
| Key with no paddingMode, encryptionKeyLength or hashingAlgorithm included in the request. | EncryptedPayload field is encrypted with the AES-CBC mode. |
| Key with paddingMode set to PKCS1_5. | EncryptedPayload field is encrypted with the AES-CBC mode. |
| Key with encryptionKeyLength set to Rsa2048. | EncryptedPayload field is encrypted with the AES-CBC mode. |
| Key with hashingAlgorithm set to Sha256. | EncryptedPayload field is encrypted with the AES-CBC mode. |
| Key with paddingMode set to PKCS1_5 and encryptionKeyLength set to Rsa2048. | EncryptedPayload field is encrypted with the AES-CBC mode. |
| Key with paddingMode set to PKCS1_5 and encryptionKeyLength set to Rsa4096. | EncryptedPayload field is encrypted using a 4096-bit key, padded with the specified mode. |
| Key with paddingMode set to PKCS2_2, encryptionKeyLength set to Rsa2048, and hashingAlgorithm set to Sha256. | EncryptedPayload field is encrypted using a 2048-bit key, padded and hashed with the specified mode. |
| Key with paddingMode set to PKCS2_2, encryptionKeyLength set to Rsa4096, and hashingAlgorithm set to Sha256. | EncryptedPayload field is encrypted using a 4096-bit key, padded and hashed with the specified mode. |
| Key with paddingMode set to PKCS2_2, encryptionKeyLength set to Rsa2048, and hashingAlgorithm set to Sha512. | EncryptedPayload field is encrypted using a 2048-bit key, padded and hashed with the specified mode. |
| Key with paddingMode set to PKCS2_2, encryptionKeyLength set to Rsa4096, and hashingAlgorithm set to Sha512. | EncryptedPayload field is encrypted using a 4096-bit key, padded and hashed with the specified mode. |

A successful response returns an HTTP 200 response code, as in the following example response:

{
    "iv": "6gq/DgXSllG/U+fVjlWV6Q==",
    "encryptedPayload": "shLEyy/H/6BYqS3zI9oHI0UBaK2x6s0ZPWRITkZYFItBN8p+UDc/xX0binhN9J7LbNAIt4LkBv2n3MSKs3+3Gg==",
    "signatureOfPayloadAndIv": "mk0GpVNR6ksQFpWS5m4boCS8WJSB4Popuikce+W0eubFH2vMcQ3XyASqnG0rKNaKW0MbgI7V6u5ZkbPllhroczn01ZhZAwYUWPD72KFpe4bBZjAjzdPkBzYc2SBybUBRey/5Q2VuGGlBG0hw/LmHRfOqCh1sA9EFE/c06jjCvGcqPmV6dAIKzE6/JK8oG+9JU89b+cznuKAJPa/qhX1f0VZkLriXMTu7Fv6wPF0gFnETDJJW0J/va7O5zynlvxYs86umP2h5MM2+/RgFzPOnleeE5mczlPGPtFS+KRuUWAQL2CwnWI+JLMEAeUngFE3wWic8h8GzIEVpWPeuNcaPxA=="
}

📘

Verifying the Signature

To verify the signature (to confirm that the message and data came from Thredd), decode each field, then concatenate the EncryptedPayload and IV byte arrays in that order. Verify the combined array against the signature using the generic Thredd public RSA key.

📘

Note

Thredd uses AES-CBC for encryption. When decrypting the response, ensure that you use AES-CBC.

To extract the card data, use the IV together with the unencrypted AES key to decrypt the EncryptedPayload field of the response into a decrypted data object. See the example below:

{
    "PAN": "9999990146686890",
    "CVV": "684"
}
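The whole exchange described on this page, as an added example that is not Thredd's code or SDK: the device wraps a fresh AES-256 session key with the company RSA public key (the request's key field), a stand-in for the Thredd service unwraps it, AES-CBC encrypts the card data and signs EncryptedPayload followed by IV, and the device verifies that signature with the generic Thredd public key before decrypting. It uses only the Go standard library. Assumptions the page does not state: PKCS2_2 with hashingAlgorithm Sha256 is treated as RSA-OAEP with SHA-256; the signature is RSA PKCS#1 v1.5 over SHA-256 of the combined bytes; the AES-CBC payload carries PKCS#7 padding; the names BuildRequest, SimulateThredd, OpenCardData and Exchange are mine; and both RSA key pairs are generated fresh as stand-ins for your company key and Thredd's signing key. The card data literal is constructed to match the decrypted example above.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Request and Response mirror the JSON bodies on this page; json.Marshal emits []byte fields as base64.
type Request struct {
	Key         []byte `json:"key"`
	PaddingMode string `json:"paddingMode"`
}
type Response struct {
	IV                      []byte `json:"iv"`
	EncryptedPayload        []byte `json:"encryptedPayload"`
	SignatureOfPayloadAndIv []byte `json:"signatureOfPayloadAndIv"`
}

// BuildRequest (device side): a fresh AES-256 session key, RSA-encrypted with the company public key.
// PKCS1_5 is PKCS#1 v1.5; PKCS2_2 is taken here to mean OAEP with SHA-256 (an assumption, not from the page).
func BuildRequest(companyPub *rsa.PublicKey, paddingMode string) (req Request, aesKey []byte, err error) {
	aesKey = make([]byte, 32)
	rand.Read(aesKey) // crypto/rand.Read always fills the slice (it never returns an error in Go 1.24+)
	req = Request{PaddingMode: paddingMode}
	if paddingMode == "PKCS2_2" {
		req.Key, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, companyPub, aesKey, nil)
	} else if paddingMode == "PKCS1_5" {
		req.Key, err = rsa.EncryptPKCS1v15(rand.Reader, companyPub, aesKey)
	} else {
		err = errors.New("unsupported paddingMode " + paddingMode)
	}
	return req, aesKey, err
}

// SimulateThredd stands in for the service: unwrap the session key, AES-CBC encrypt the card data
// under a fresh IV with PKCS#7 padding, then sign SHA-256(EncryptedPayload || IV).
func SimulateThredd(companyPriv, signPriv *rsa.PrivateKey, req Request, pt []byte) (resp Response, err error) {
	var aesKey []byte
	if req.PaddingMode == "PKCS2_2" {
		aesKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, companyPriv, req.Key, nil)
	} else {
		aesKey, err = rsa.DecryptPKCS1v15(rand.Reader, companyPriv, req.Key)
	}
	if err != nil || len(aesKey) != 32 {
		return Response{}, errors.New("session key unwrap failed")
	}
	block, _ := aes.NewCipher(aesKey) // cannot fail: key length checked above
	resp.IV = make([]byte, aes.BlockSize)
	rand.Read(resp.IV)
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 always adds 1..16 bytes
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	resp.EncryptedPayload = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, resp.IV).CryptBlocks(resp.EncryptedPayload, padded)
	digest := sha256.Sum256(append(append([]byte{}, resp.EncryptedPayload...), resp.IV...)) // payload, then IV
	resp.SignatureOfPayloadAndIv, err = rsa.SignPKCS1v15(rand.Reader, signPriv, crypto.SHA256, digest[:])
	return resp, err
}

// OpenCardData (device side): verify the signature over EncryptedPayload || IV with the generic
// Thredd public key before touching the ciphertext, then AES-CBC decrypt and strip the padding.
func OpenCardData(threddPub *rsa.PublicKey, aesKey []byte, r Response) ([]byte, error) {
	digest := sha256.Sum256(append(append([]byte{}, r.EncryptedPayload...), r.IV...)) // payload, then IV
	if err := rsa.VerifyPKCS1v15(threddPub, crypto.SHA256, digest[:], r.SignatureOfPayloadAndIv); err != nil {
		return nil, errors.New("signature verification failed: " + err.Error())
	}
	block, err := aes.NewCipher(aesKey)
	if n := len(r.EncryptedPayload); err != nil || len(r.IV) != aes.BlockSize || n < aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("bad key, IV or payload length")
	}
	pt := make([]byte, len(r.EncryptedPayload))
	cipher.NewCBCDecrypter(block, r.IV).CryptBlocks(pt, r.EncryptedPayload)
	p := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length and every pad byte must equal it
	if p == 0 || p > aes.BlockSize || !bytes.Equal(pt[len(pt)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("invalid PKCS#7 padding")
	}
	return pt[:len(pt)-p], nil
}

// Exchange runs the request half with freshly generated stand-in keys; the device then calls OpenCardData.
func Exchange(paddingMode string) (Response, []byte, *rsa.PublicKey, error) {
	companyKey, e1 := rsa.GenerateKey(rand.Reader, 2048)
	signKey, e2 := rsa.GenerateKey(rand.Reader, 2048)
	if e1 != nil || e2 != nil {
		return Response{}, nil, nil, errors.New("RSA key generation failed")
	}
	req, aesKey, err := BuildRequest(&companyKey.PublicKey, paddingMode)
	if err != nil {
		return Response{}, nil, nil, err
	}
	// Constructed card data, matching the decrypted example on this page.
	resp, err := SimulateThredd(companyKey, signKey, req, []byte(`{"PAN":"9999990146686890","CVV":"684"}`))
	return resp, aesKey, &signKey.PublicKey, err
}
```

Calling Exchange("PKCS2_2") and then OpenCardData on what it returns yields the decrypted card data JSON. Flipping any byte of EncryptedPayload or IV before OpenCardData makes the signature check fail, and because the check runs first the AES key is never applied to a payload that did not come from Thredd; that ordering is the point of the Verifying the Signature note above. The padding check likewise rejects output that does not end in a valid PKCS#7 pad, which is the usual sign of a wrong key or IV.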