Implementation Notes
Use the following notes as final implementation reminders when integrating the Secure Card Data flow.
- Use the secure-data flow only when actual sensitive card data must be delivered to the cardholder.
- Generate a new AES-256 session key from a cryptographically secure random source for every request. Never reuse a session key across requests or retries.
- Keep the plaintext AES session key only on the cardholder device or secure client application. Do not send it to, or log it on, your own backend.
- Use the Payblr RSA-4096 Wrap Public Key to encrypt the AES session key.
- Do not use the Signing Public Key for encryption. It is intended only for verifying response signatures.
- Use the correct key set for the applicable environment. Do not use UAT keys in Production or Production keys in UAT.
- Verify the response signature before trusting or decrypting the response payload. If verification fails, reject the response without attempting decryption.
- In this model only encrypted card data should reach backend services: decryption happens on the cardholder device, so plaintext card data never transits or rests on your servers.
- Store request and response references for troubleshooting, audit, and support purposes, but never the session key or the decrypted card data.
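The notes above describe one client-side procedure: fresh AES-256 session key, wrap it with the Wrap Public Key, send the request, verify the response signature with the Signing Public Key, and only then decrypt with the session key. The Go program below is an added example, not Payblr's code and not taken from this page; it simulates both sides offline so the order of operations can be seen end to end. Everything not stated in the notes is an assumption: RSA-OAEP with SHA-256 for wrapping, RSA-PSS with SHA-256 for the response signature, AES-256-GCM for the payload, the `Response` field layout, and the `simulatedPayblr`/`handle` stand-in for the real API. A real integration loads Payblr's published keys for the target environment and uses the padding and signature parameters from the Payblr specification.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Environment pairs the two Payblr public keys of one environment (UAT or Production).
type Environment struct {
	WrapPub    *rsa.PublicKey // Wrap Public Key: used only to encrypt the AES session key
	SigningPub *rsa.PublicKey // Signing Public Key: used only to verify response signatures
}

// Response is a hypothetical wire shape for a signed secure-data response.
type Response struct {
	RequestRef string // echoed so the client can match and audit the response
	Nonce      []byte // AES-256-GCM nonce (assumed payload cipher)
	Ciphertext []byte // card data encrypted under the session key
	Signature  []byte // RSA-PSS/SHA-256 over RequestRef||Nonce||Ciphertext (assumed)
}

// NewSessionKey returns a fresh AES-256 key: one per request, kept on the device only.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// WrapSessionKey encrypts the session key with the Wrap Public Key (RSA-OAEP/SHA-256 assumed).
func WrapSessionKey(env Environment, sessionKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, env.WrapPub, sessionKey, nil)
}

// signedDigest is what both sides sign and verify (assumed layout).
func signedDigest(r *Response) []byte {
	h := sha256.New()
	h.Write([]byte(r.RequestRef))
	h.Write(r.Nonce)
	h.Write(r.Ciphertext)
	return h.Sum(nil)
}

func sessionAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects anything but a 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// VerifyAndDecrypt checks the signature first and touches the ciphertext only after it passes.
func VerifyAndDecrypt(env Environment, sessionKey []byte, r *Response) ([]byte, error) {
	if err := rsa.VerifyPSS(env.SigningPub, crypto.SHA256, signedDigest(r), r.Signature, nil); err != nil {
		return nil, fmt.Errorf("response signature invalid, payload not decrypted: %w", err)
	}
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.RequestRef))
}

type simulatedPayblr struct{ wrapPriv, signPriv *rsa.PrivateKey } // stands in for the service so the exchange runs offline
func newSimulatedPayblr(bits int) (*simulatedPayblr, Environment) {
	wrap, _ := rsa.GenerateKey(rand.Reader, bits) // throwaway keys, simulation only; errors ignored
	sign, _ := rsa.GenerateKey(rand.Reader, bits)
	return &simulatedPayblr{wrap, sign}, Environment{&wrap.PublicKey, &sign.PublicKey}
}

// handle unwraps the session key, encrypts the card data under it and signs the result.
func (p *simulatedPayblr) handle(requestRef string, wrappedKey, cardData []byte) (*Response, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, p.wrapPriv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	aead, err := sessionAEAD(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	r := &Response{RequestRef: requestRef, Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, cardData, []byte(requestRef))}
	r.Signature, err = rsa.SignPSS(rand.Reader, p.signPriv, crypto.SHA256, signedDigest(r), nil)
	return r, err
}

func main() {
	payblr, uat := newSimulatedPayblr(4096) // RSA-4096 as the notes require; takes a few seconds
	sessionKey, _ := NewSessionKey()
	wrapped, _ := WrapSessionKey(uat, sessionKey)
	resp, _ := payblr.handle("req-0001", wrapped, []byte("4111111111111111")) // constructed test PAN
	plain, err := VerifyAndDecrypt(uat, sessionKey, resp)
	fmt.Printf("decrypted=%s err=%v\n", plain, err)
}
```

Two design points carry the notes into code. `Environment` holds the wrap key and the signing key as a pair, so a client loads one key set per environment and `WrapSessionKey` can only ever reach for `WrapPub` while `VerifyAndDecrypt` can only ever reach for `SigningPub`; using the signing key for encryption becomes a visible field mix-up rather than a silent mistake. `VerifyAndDecrypt` returns on a bad signature before building the AES-GCM cipher, so a tampered response, or a response that was signed with the other environment's key set, is rejected without the ciphertext ever being processed; a wrong session key is caught afterwards by GCM's authentication tag.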