CardSecure is CardConnect's sensitive data encryption and tokenization service. Our new JSON API provides an even simpler integration to CardSecure.
CardSecure allows you to securely accept and tokenize payment card, ACH (eCheck), and mobile wallet data to ensure the safety of your customers' sensitive payment data.
This guide provides information for developers looking to integrate CardSecure's tokenization and encryption methods using the CardSecure API. For information on integrating CardSecure with your iOS or Android mobile application, see Tokenizing Using Bolt Mobile SDKs.
Visit status.cardconnect.com and click subscribe to updates to receive important release and status notifications.
Date Updated: 2/6/2020
This release includes the following updates:
Apple Pay Support
The CardSecure API now supports tokenizing Apple Pay payment tokens. Previously, this was only supported using the legacy API HTTP methods.
To tokenize Apple Pay payment tokens, make a request to the tokenize endpoint using the Apple Pay payment token parameters in the devicedata field, and specify EC_APPLE_PAY in the encryptionhandler field, as follows:
See the tokenize description for a complete example, and see the Apple Pay Developer Guide for detailed information on integrating support for Apple Pay, and formatting the payment token string for CardSecure.
Update a Token with CVV and Expiry
The CardSecure API now supports the ability to update a payment card token to include the CVV and expiration date associated with the card.
Note: If you use a card reader or terminal to capture track data, you should not use this method. Updating the token may delete the track data, making the token unusable.
To update a token, make a subsequent request to the tokenize endpoint using the token in the account parameter, and include the cvv and expiry parameters, as follows:
CardSecure now supports tokenizing the CVV and Expiry values for payment cards.
The CVV and Expiry values are stored in the token until the token is used in an authorization attempt, after which this information is cleared from the token.
The tokenize request now supports the following optional parameters:
Card Verification Value
Optional, the card verification value (CVV).
Must be a 3 or 4 character numeric string.
Alphanumeric and special characters are not supported.
Strings greater than 4 characters or fewer than 3 characters are not supported.
Optional, the card expiration date.
Must be a numeric string.
Must be formatted as
Support for Google Pay
CardSecure now supports tokenizing Google Pay wallet account data.
To tokenize a Google Pay account, use the devicedata parameter to pass the Google Pay data, and use the encryptionhandler parameter to pass the value "EC_GOOGLE_PAY" to allow CardSecure to decrypt and handle the encrypted payload.
The CardSecure API provides a library of POST operations used to submit HTTP requests to the web service. Responses are returned in JSON objects. See CardSecure API Service Endpoints for detailed information on the supported request types and corresponding responses.
Tokenizing and Encrypting PAN Data
You should only use CardSecure to programmatically handle and tokenize clear payment account numbers (PANs) if your business is a registered PCI Level 1 or Level 2 certified merchant. If you are not already certified for compliance with the Payment Card Industry's standards and guidelines for handling sensitive account data, see https://www.pcisecuritystandards.org/ for more information.
Additionally, you can integrate the Hosted iFrame Tokenizer with your solution to safely handle and tokenize clear PANs without increasing your business' scope of PCI compliance.
CardSecure provides encryption and tokenization services with a secure data vault typically used to store payment card Primary Account Numbers (aka PANs) in a PCI-DSS compliant manner. CardSecure generates a unique and random token value to be used by your application instead of a clear or encrypted PAN, potentially reducing PCI scope considerably.
If your application is using a database with sufficient encryption, CardSecure can tokenize data without additional encryption.
When a credit card is swiped or inserted at a supported terminal, the extracted encrypted data can be submitted to CardSecure for direct tokenization.
CardSecure does not support passing unencrypted track data. The encrypted data extracted from the device must be produced from a device pre-injected with a CardConnect Security Key. If testing is required using non-encrypted track, the data can be tokenized via the CardConnect gateway (as part of an authorization), or the Personal Account Number (PAN) must be parsed and sent directly with a tokenization request.
CardSecure decrypts the encrypted swipe data and generates a token for the card number. CardSecure also stores the card’s encrypted track data for a short period of time, after which it is discarded.
If the token is used in an authorization request to the CardPointe Gateway during this retention period, the stored track data associated with the token is sent to the processor; this potentially allows the transaction to run as a "card present" transaction. The track data is discarded after the authorization request, and can only be used in a single request.
Encrypting and Tokenizing Payment Account Data
CardSecure allows clients to encrypt the account data (PAN or ACH) sent in a tokenization request using a site-specific RSA public key. CardConnect generates a unique RSA key pair, provides the public key (in X.509 format) to the client, and retains the private key.
Data must be encrypted using RSA encryption in ECB mode with PKCS1 padding.
Depending on the encryption utility used, the encrypted data might be Base64-encoded. In this case, the string can be URL-encoded and sent to CardSecure for tokenization. Otherwise, you must Base64-encode the data before submitting the tokenization request.
CardSecure uses the corresponding private key to decrypt the data. The decrypted data is temporarily stored in CardSecure's vault, and the token (generated from the encrypted data) is returned to your application for use in an authorization request to the CardPointe Gateway. Note that the token itself is not encrypted.
Note the following restrictions:
CardSecure only supports encrypted Personal Account Number (PAN) or ACH (eCheck) data. Track data is not supported in an encryption request.
CardSecure encryption is not supported for use with CardConnect P2PE devices (Ingenico or IDTECH) due to the encryption key already configured within the terminals.
The following resources are available to simplify your integration.
HTTP/1.1 200 OK
"message" : "No Error",
"errorcode" : 0,
"token" : "9417119164771111"
A request to the tokenize endpoint returns a CardSecure token generated from the data provided in the request.
A tokenize request includes payment account data in either the account or devicedata field.
Use the account field to provide a clear or encrypted payment account number (PAN) or ACH account number (in the format <routing>/<account>).
If the account data is encrypted, include the encryptionhandler parameter to instruct CardSecure to decrypt the data using the private key for your site.
Use the devicedata field to provide track data received from a terminal device for an MSR (swipe), EMV (chip), or NFC (contactless) transaction, or a digital wallet payload (for example for a Google Pay transaction).
A call to the echo service endpoint sends a ping command to the CardSecure server to verify the application's connection. You can include a message in the request, which is returned in the response if the request is successful. If the request fails, an error message is returned with a corresponding error code.
The CardSecure server generates error messages to its log file for various conditions. If a request encounters an error, an error code and corresponding message are returned in a response to the calling application.
The following table lists all errors generated by CardSecure.
All error codes contain four digits. Two zeros precede the codes listed below.