For new mobile app integrations, we recommend using the Bolt Mobile SDKs to securely encrypt and tokenize customers' payment card data.
For integrators that do not require advanced features (like support for EMV, NFC, and PIN-Debit) CardConnect offers a simple integration to MagTek devices (USB or Mobile) for use in third-party applications.
By following the steps in this guide, you can successfully extract card data from a supported magstripe reader for authorization and/or tokenization.
CardConnect supports integrations to the following USB and mobile magstripe devices:
This guide describes integrations for both encrypted and unencrypted devices. Encrypted devices are injected with CardConnect encryption keys and procured by CardConnect's CardPointe Support Team.
- Retrieve track data from Magstripe Reader (MSR) device
- For mobile devices:
- Format pertinent data fields into pipe delimited string recognized by CardSecure and CardConnect.
- Send the string within a request to CardConnect servers in one of the following ways:
Retrieve Track Data from MSR
Encrypted MagTek USB Devices
When using CardConnect-encrypted MagnaSafe USB Readers, simply retrieve the track data as is and pass the entire string within the "track" parameter of an authorization request
Unencrypted MagTek USB Devices
When using unencrypted MagnaSafe USB Readers, only track 2 data (including sentinel characters) is required within the
track parameter of an authorization request.
The following string is an example of Track 2 data bring retrieved from an unencrypted USB reader:
Track 2 Data Structure
|Start Sentinel (SS)
||Indicates the beginning of Track 2; set to ";"
|Primary Account Number (PAN)
||up to 19 digits
||Always numerical; usually set to the credit/debit card number
|Field Separator (FS)
||Delimits Track 2 fields; set to "="
|Expiration Date (ED)
||Always in the format YYMM
|Service Code (SC)
||Indicates what types of charges can be accepted
|Discretionary Data (DD)
||Determined by card issuer--may include Card Code and/or PINs
|End Sentinel (ES)
||Indicates the end of Track 2; set to "?"
|Longitude Redundancy Check (LRC)
||Used to verify that Track 2 was read accurately
Track 2 Data cannot exceed 40 characters, including all sentinels, the field separator, and the LRC. The length of discretionary data is restricted as a result and tends to hold fairly short values.
Encrypted MagTek Mobile Devices
MagTek provides documentation, SDKs, and examples on their Support site that will help guide your integration with their Mobile MSR readers.
The following example response illustrates response data retrieved from a Visa card (acquirer's test card) through MagTek’s Android SDK demo:
Track1.Masked=%B4761730001000036^VISA ACQUIRER TEST CARD 03^1512201000000000000000000000000?
Card.Name=VISA ACQUIRER TEST CARD 03
Formatting Response Data Into a String
For mobile MagTek devices using the MagTek SDK, you must retrieve and construct a pipe delimited string in the format we recognize for Magtek. That string format is as follows (without the brackets):
Following this format, the pipe delimited string for the data retrieved in the above example is as follows:
%B4761730001000036^VISA ACQUIRER TEST CARD 03^1512201000000000000000000000000? ;4761730001000036=15122010000000000000|0600|7BB0FEC3FE7F0BE5C36829C3DDD05216536E03C4B4357C45DB6BCC4DBDC8FC6862D093B236BBCE552E913442431581E7592C551D0CBB77DF92606D178F4F5C4B8976387EE6A944DD|695FAB9426A69E126AECEB18D4D7389A7A3B6CFB612FE44A239C930CEB0D2A520E682AEDAAA79B64||||||9010010B1C067E000023||
Tokenization Request to CardSecure
The pipe delimited string must be URL Encoded and sent to CardSecure as follows:
A token is returned in response:
Authorization Request to CardConnect
You can submit either the encrypted string containing track data or a token from CardSecure in an authorization request to the CardConnect Gateway, as detailed below.
Authorization with Encrypted Track Data
Authorization with Unencrypted Track 2 data
Authorization with a CardConnect Token
When you retrieve a token from a card swipe, the token provided is stored with track data. The track data is sent with the first authorization that uses the token, resulting in a "card-present" qualification and discount rate.
The token should be populated in the "account" field.
Sample Request and Response Authorizations