Sensitive Data / Track Data Encryption
Asymmetric encryption, also known as public key encryption, will be used to encrypt the track data. The Aggregator encrypts the track data with the public key and passes the encrypted track data to the Fiserv Card Present API module.
Important: one key, the public key, is used for encryption and the other, the private key, for decryption. The Aggregator encrypts the data and Fiserv decrypts it.
The Card Present API will use JWE for the encryption of sensitive data exchanged with Aggregators.
- IETF specification: draft-ietf-jose-json-web-encryption-40
- JWE: The JWE specification standardizes the way to represent encrypted content in a JSON-based data structure.
Encryption certificates
Fiserv will create and share a public JWE PEM certificate for every onboarded Aggregator. Each certificate is identified by a key identifier (KID).
The following fields in the request message will be encrypted using the public key; the CP API module receives these fields in encrypted form.
- Card Number
- Card Code Value
- Expiry date (month and year)
- Track Data
Key Rotation Process
According to Fiserv standards (Cryptographic Key Rotation Guide), the recommendation is to rotate the key, based on volume, every 2 years.
At least 90 days prior to the certificate expiration date, Fiserv will generate and share with the Aggregator a new public key together with its corresponding new KID.
During a scheduled maintenance window, Fiserv will mark the new KID as the active one. The main goal of using a KID is to streamline the key rotation process.
Fiserv is expected to keep accepting the old key for about a month, after which it will start denying transactions that use the previous KID.
Encryption Example
The Aggregator will need to build a JWE payload and place the encrypted data in "paymentCardProtected.encryptedData". Example:
{
  "number": 4001100000001234,
  "cvv": 1234,
  "expiryDateMonth": 12,
  "expiryDateYear": 2030,
  "track1": "B4001100000001237^John/Doe ^26011110000123000",
  "track2": "4001100000001237=2601111123400001230",
  "track3": "4001100000001237=2601111123400001230"
}
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "fc470962-bd6db-0992-156f-47798ffb1d2"
}
JWT Output:
To be placed in "paymentCardProtected.encryptedData".
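As an added end-to-end illustration of the flow described in the Key Rotation Process and Encryption Example sections (the Aggregator encrypting the card payload with Fiserv's public key under a KID, and the receiving side honouring only the KIDs that are still active), here is an example in Go. It is not Fiserv's code and not part of the original page. The page does not state which JWE `alg`/`enc` Fiserv accepts (its sample header shows JWS-style `typ`/`alg` fields, while a JWE protected header carries both `alg` and `enc`), so the example assumes `RSA-OAEP-256` key wrapping with `A256GCM` content encryption. The RSA key pairs, the KIDs `kid-old`/`kid-new` and the trimmed payload are constructed for the demo; in production the Aggregator holds only the PEM public key shared by Fiserv.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // every JWE segment is base64url without padding (RFC 7516)
func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptJWE is the Aggregator side: a fresh 256-bit content-encryption key (CEK) is wrapped
// with the RSA public key (alg RSA-OAEP-256, assumed here) and the payload is sealed with
// AES-256-GCM (enc A256GCM). The result is the value for paymentCardProtected.encryptedData.
func EncryptJWE(pub *rsa.PublicKey, kid string, plaintext []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM", "kid": kid})
	protected := b64.EncodeToString(header)
	buf := make([]byte, 32+12) // one-time CEK plus a fresh 96-bit GCM nonce, never reused
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	// The encoded protected header is the AAD: altering alg, enc or kid in transit breaks the tag.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected))
	n := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag; JWE carries it as its own segment
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// DecryptJWE models the receiving side. Keys are looked up by KID, so a KID removed from the
// map after the rotation overlap window is denied instead of decrypted.
func DecryptJWE(keys map[string]*rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("malformed JWE: %d segments", len(parts))
	}
	segs := make([][]byte, 5) // header, encrypted key, iv, ciphertext, tag
	for i, p := range parts {
		var err error
		if segs[i], err = b64.DecodeString(p); err != nil {
			return nil, err
		}
	}
	var hdr struct{ Alg, Enc, Kid string }
	if err := json.Unmarshal(segs[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithms instead of trusting whatever the header announces.
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("unsupported alg/enc %q/%q", hdr.Alg, hdr.Enc)
	}
	priv, ok := keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("unknown or retired kid %q", hdr.Kid)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, segs[1], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, segs[2], append(segs[3], segs[4]...), []byte(parts[0]))
}

func main() {
	// Constructed sample: the page's example fields with a made-up pair of KIDs.
	payload := `{"number":4001100000001234,"cvv":1234,"expiryDateMonth":12,"expiryDateYear":2030}`
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	keys := map[string]*rsa.PrivateKey{"kid-old": oldKey, "kid-new": newKey} // overlap window
	token, _ := EncryptJWE(&oldKey.PublicKey, "kid-old", []byte(payload))
	fmt.Println("encryptedData:", token)
	pt, err := DecryptJWE(keys, token)
	fmt.Printf("while both KIDs are active: %s (err=%v)\n", pt, err)
	delete(keys, "kid-old") // the old KID is retired after the overlap period
	_, err = DecryptJWE(keys, token)
	fmt.Println("after retirement:", err)
}
```

Run it with `go run`. An Aggregator integrating for real would load the PEM certificate Fiserv shares with `encoding/pem` and `crypto/x509` instead of generating a key, and would take the `kid` value from Fiserv's onboarding material. Two details matter on the receiving side: the accepted `alg`/`enc` pair is pinned rather than read from the header, and the KID lookup table is the single place where the month-long overlap and the later denial of the previous KID are enforced.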