Payment Data Encryption

Never send raw card data directly to your backend or our API. All sensitive payment information must be encrypted client-side before transmission.
Protecting customer payment information is critical. Our API uses strong encryption to safeguard sensitive data. This guide explains how to securely handle encryption for card data in your integration.

Fetching Encryption Keys

To encrypt sensitive card information, you first need to retrieve your unique encryption keys. Make a GET request to: 
GET /payment-sessions/encryption-keys/:mode
Parameters
mode
string
required
Environment Mode. Available Values: live, test
Successful Response (200 OK): 
{
  "data": {
    "encryption_key": "67634cc972d2433b8725c8f6fbfdf792"
  }
}
Error Response (400 Bad Request): Indicates an issue with the request, such as an invalid mode.

Encryption Process

When handling sensitive card data, follow these steps:
  1. Fetch the encryption key for your environment (test/live)
  2. Format the card data as a JSON string
  3. Generate a random initialization vector (IV)
  4. Encrypt the data using AES-256-GCM with your encryption key and IV
  5. Concatenate the hex-encoded IV, ciphertext, and authentication tag
  6. Send the encrypted data to our API
Never send raw card data directly to your backend or our API. Always encrypt it first on the client-side.

Code Examples

function card_encrypt($payload, $key) {
    $iv = openssl_random_pseudo_bytes(16);
    $cipher_text = openssl_encrypt(
        $payload, 
        "aes-256-gcm", 
        $key, 
        OPENSSL_RAW_DATA, 
        $iv, 
        $tag
    );
    return implode(':', [
        bin2hex($iv),
        bin2hex($cipher_text),
        bin2hex($tag)
    ]);
}

// Example usage
$card_data = json_encode([
    'card_number' => '4111111111111111',
    'expiry_month' => '12',
    'expiry_year' => '2025',
    'cvv' => '123'
]);
$encrypted = card_encrypt($card_data, $encryption_key);

Security Best Practices

Troubleshooting Guide