We're excited to announce a new addition to our developer resources. Our CardConnect Developer Guides provide additional information for integrating CardConnect products and services.

You can browse the whole library at https://developer.cardconnect.com/guides/home, or jump right to the CardSecure Tokenization Developer Guides to make the most of your CardSecure integration.

Overview

CardSecure is CardConnect's sensitive data encryption and tokenization service. Our new JSON API provides an even simpler integration to CardSecure. 

CardSecure allows you to securely accept and tokenize payment card, ACH (eCheck), and mobile wallet data to ensure the safety of your customers' sensitive payment data.

This guide provides information for developers looking to integrate CardSecure's tokenization and encryption methods using the CardSecure API. For information on integrating CardSecure with your iOS or Android mobile application, see Tokenizing Using CardSecure Mobile SDKs.

If you're already integrating the legacy CardSecure API with your application, see the Legacy CardSecure API Developer Guide.

What's New?

Date Updated: 8/12/2019

This release includes the following updates:

Support for CVV and Expiry

CardSecure now supports tokenizing the CVV and Expiry values for payment cards.

The CVV and Expiry values are stored in the token until the token is used in an authorization attempt, after which this information is cleared from the token.

The tokenize request now supports the following optional parameters:

FieldContentMax LengthDescription
cvvCard Verification Value4

Optional, the card verification value (CVV).

Must be a 3 or 4 character numeric string.

Alphanumeric and special characters are not supported.

Strings greater than 4 characters or fewer than 3 characters are not supported.

expiryCard Expiration8

Optional, the card expiration date.

Must be a numeric string.

Must be formatted as

  • MMYY
  • YYYYMM
  • YYYYMMDD

Support for Google Pay

CardSecure now supports tokenizing Google Pay wallet account data. 

To tokenize a Google Pay account, use the devicedata parameter to pass the Google Pay data, and use the encryptionhandler parameter to pass the value "EC_GOOGLE_PAY" to allow CardSecure to decrypt and handle the encrypted payload.

See the tokenize request description for more information and an example. 

See the Google Pay Developer Guide for detailed information on integrating Google Pay acceptance with a mobile app.

REST Implementation

The CardSecure web service uses the JSON (JavaScript Object Notation) method of encoding data for transmission via the HTTP network protocol. Most programming languages have libraries to convert an arbitrary object to and from a JSON data transfer encoding.

The CardSecure API provides a library of POST operations used to submit HTTP requests to the web service. Responses are returned in JSON objects. See CardSecure API Service Endpoints for detailed information on the supported request types and corresponding responses.

Tokenizing and Encrypting PAN Data

CardSecure provides encryption and tokenization services with a secure data vault typically used to store payment card Primary Account Numbers (aka PANs) in a PCI-DSS compliant manner. CardSecure generates a unique and random token value to be used by your application instead of a clear or encrypted PAN, potentially reducing PCI scope considerably.

If your application is using a database with sufficient encryption, CardSecure can tokenize data without additional encryption.

See Understanding CardConnect Tokens for detailed information for working with tokens.

Tokenizing Card-Present Transactions

CardSecure supports tokenization of card data captured using an encrypted credit card reader or terminal. For a list of supported terminal devices, see https://support.cardconnect.com/device-integration.

When a credit card is swiped or inserted at a supported terminal, the extracted encrypted data can be submitted to CardSecure for direct tokenization.

CardSecure does not support passing unencrypted track data. The encrypted data extracted from the device must be produced from a device pre-injected with a CardConnect Security Key. If testing is required using non-encrypted track, the data can be tokenized via the CardConnect gateway (as part of an authorization), or the Personal Account Number (PAN) must be parsed and sent directly with a tokenization request.

CardSecure decrypts the encrypted swipe data and generates a token for the card number. CardSecure also stores the card’s encrypted track data for a short period of time, after which it is discarded. The default retention period for track data is 24 hours.

If the token is used in an authorization request to the CardPointe Gateway during this retention period, the stored track data associated with the token is sent to the processor; this potentially allows the transaction to run as a "card present" transaction. The track data is discarded after the authorization request, and can only be used in a single request.

Encrypting and Tokenizing Payment Account Data

CardSecure allows clients to encrypt the account data (PAN or ACH) sent in a tokenization request using a site-specific RSA public key. CardConnect generates a unique RSA key pair, provides the public key (in X.509 format) to the client, and retains the private key.

Data must be encrypted using RSA encryption in ECB mode with PKCS1 padding. 

Depending on the encryption utility used, the encrypted data might be Base64-encoded. In this case, the string can be URL-encoded and sent to CS for tokenization. Otherwise, you must Base64-encode the data before submitting the tokenization request.

CardSecure uses the corresponding private key to tokenize and decrypt the data. The decrypted data is temporarily stored in CardSecure's vault, and the token (generated from the encrypted data) is returned to your application for use in an authorization request to the CardPointe Gateway. Note that the token itself is not encrypted.

Note the following restrictions:

  • CardSecure only supports encrypted Personal Account Number (PAN) or ACH (eCheck) data. Track data is not supported in an encryption request.
  • CardSecure encryption is not supported for use with CardConnect P2PE devices (Ingenico or IDTECH) due to the encryption key already configured within the terminals.

Developer Resources

The following resources are available to simplify your integration.

CardConnect Developer Guides

Our CardConnect Developer Guides provide additional information for integrating CardConnect products and services.

You can browse the whole library at https://developer.cardconnect.com/guides/home, or jump right to the CardSecure Tokenization Developer Guides for more information on integrating CardSecure with your solution.

Sample Postman Collection

To help you get started with your integration, CardConnect, provides a sample Postman Collection that includes a template of the CardSecure API service endpoints.

The CardSecure API Integration collection includes an API reference document as well as a sample Environment, to simplify your integration.

Click the button below to download the CardSecure API Integration collection:

Run in Postman

Configuring Your Postman Environment

Environment variables allow you to autofill select fields with pre-configured values. Set the {{site}} variable to the site value provided by CardConnect.

CardSecure API Service Endpoints

The following table lists the CardSecure API service endpoints and their functions. These endpoints are described in greater detail in the following sections.

Complete List of CardSecure API Service Endpoints

ServiceAPI VersionDescription
tokenizev1Tokenizes sensitive data provided in the request, and returns a CardSecure token.
echov1Sends a ping command to the CardSecure server to verify the connection.

tokenize

A request to the tokenize endpoint returns a CardSecure token generated from the data provided in the request.

A tokenize request includes payment account data in either the account or devicedata field. 

Use the account field to provide a clear or encrypted payment account number (PAN) or ACH account number (in the format <routing>/<account>). 

If the account data is encrypted, include the encryptionhandler parameter to instruct CardSecure to decrypt the data using the private key for your site.

Use the devicedata field to provide track data received from a terminal device for an MSR (swipe), EMV (chip), or NFC (contactless) transaction, or a digital wallet payload (for example for a Google Pay transaction).

The tokenize response includes a token generated from the account data. You can then use this token to submit an authorization request to the CardPointe Gateway.

Endpoint URL

The URL for the tokenize endpoint is:

https://<site>.cardconnect.com:<port>/cardsecure/api/v1/ccn/tokenize

Request Header

The following key/value pair is required in the request header:

KeyValue
Content-Typeapplication/json

Request Parameters

Fields in bold are required.

Either account or devicedata are required. Use account when manually entering encrypted or clear PANs. Use devicedata when capturing card data from a card reader or terminal device.

FieldDescription
accountOne of the following:
  • A clear or encrypted payment account number (PAN)
  • An ACH routing and account number string in the format <routing>/<account> for eCheck transactions

If encryptionhandler is provided, the account is treated as an encrypted PAN.
devicedata
One of the following:
  • Encrypted track data retrieved using a card reader or terminal device (MSR/EMV/NFC)
  • Google Pay wallet payload
cvvOptional, the card verification value (CVV).

Must be a 3 or 4 character numeric string.

Alphanumeric and special characters are not supported.


Strings greater than 4 characters or fewer than 3 characters are not supported.

expiryOptional, the card expiration date.

Must be a numeric string.

Must be formatted as

  • MMYY
  • YYYYMM
  • YYYYMMDD
signatureSignature data, if captured. Data must be a Base64-encoded, Gzipped bitmap (BMP).
encryptionhandlerOne of the following :
  • For an encrypted PAN or ACH, specify RSA
  • For a Google Pay wallet payload, specify EC_GOOGLE_PAY
uniqueSpecifies whether or not a unique token should be generated.

Specify true to generate a unique token.

Defaults to false.

Response Parameters

FieldDescription
messageThe status of the request.

Returns "No Error" if the request was successful.

Returns a descriptive error message if the request failed.

See Error Codes and Messages for a complete list of possible error codes and messages.
errorcodeAn error code, if the request encountered an error. 

Returns "0" if the request was successful.

See Error Codes and Messages for a complete list of possible error codes and messages.
tokenThe token generated from the request data.

echo

A call to the echo service endpoint sends a ping command to the CardSecure server to verify the application's connection. You can include a message in the request, which is returned in the response if the request is successful. If the request fails, an error message is returned with a corresponding error code.

Endpoint URL

The URL for the tokenize endpoint is:

https://<site>.cardconnect.com:<port>/cardsecure/api/v1/echo

Request Header

The following key/value pair is required in the request header:

KeyValue
Content-Typeapplication/json

Request Parameters

Fields in bold are required.

FieldDescription
messageA message to send in the ping request and receive in the response. The value can be blank, however the message field must be included in the request.

Response Parameters

FieldDescription
messageThe message value included in the request.

Returns a descriptive error message if the request failed.

See Error Codes and Messages for a complete list of possible error codes and messages.
errorcodeAn error code, if the request encountered an error.

Returns "0" if the request was successful.

See Error Codes and Messages for a complete list of possible error codes and messages.

Error Codes and Messages

The CardSecure server generates error messages to its log file for various conditions. If a request encounters an error, an error code and corresponding message are returned in a response to the calling application.

The following table lists all errors generated by CardSecure.

All error codes contain four digits. Two zeros precede the codes listed below.

CardSecure Error Codes and Messages

Error Code Reason
00No error.
03 Wrong version number.
07 Invalid action.
08 Data is not decimal digits.
12 Key ID is not found.
13 Data is too long.
14 Data is empty.
16 Unknown algorithm.
17 Encryption failure.
19 Base 64 decode failure.
20 Crypto data is the wrong length.
21 Data is too short.
22 CCN wrong length on decryption.
24Decryption failure.
25 Bad PKCS 5 padding.
26 Bad decrypted length field.
27 Keystore not initialized.
33 Application not initialized.
35 Buffer too short.
38 Illegal characters.
39 Wrong message length.
43 Server failed.
44 Config item is bad.
46 Token database problem.
47 Unauthorized host.
48 Token purged.
49 Data not found.
50 Error hashing the value.
53 Token or data duplicate.
54 Card number check (Luhn formula) failed.
55 Missing or unknown site name.
56 Token format is bad.
57 Request signature is invalid.
58 Request signature timestamp expired.
59 Request signature mismatch.
60 Request signature failure.
61 PIN translation failure.
63 Keystore import failure.
64 Keystore userstore failure.
65 Keystore invalid processor.
66 Unauthorized terminal.
68 Keystore rollback failure.
71 Unauthorized decrypt.
72 Invalid EMV tag data.
73 EMV tag data empty.
74 Missing required parameter.
75 Invalid elliptic curve type parameter.
76 JSON serialization error.
77 JSON deserialization error.
78 Invalid swipe data.