Full PCI Data Access V2
Full PCI Data Access V2
GET /paymentInstruments
Private payment instrument data, such as the PAN, expiration date, and CVV can be made available via API to Partners based on their physical and virtual card configurations. Contact Green Dot if your program would like to consider implementing this API.
Partners can request the private payment instrument data for a specific payment instrument using the following API endpoint:
- GET /paymentInstruments/{paymentInstrumentIdentifier}?usage={usage}& pciData={pciDataArray}&IpAddress={IpAddress}
- “BaaS-Version: 2.0” indicated in header
Benefits
- Cardholder experience - Provide cardholders easy access to physical or virtual card details that can be used for online purchases, manual e-wallet provisioning, and mobile payments.
- Flexible payment methods - Ability for Partners to access full payment instrument data with third parties, such as push-to-card (or IFT) transactions over debit card rails.
How it Works
- Partner is configured to access private payment instrument data.
- Partner submits a request to GET /paymentInstruments/...
- Request must include the header value “BaaS-Version: 2.0” to point to applicable API version.
- New request parameters in URL string will indicate:
- Usage: Purpose of the private payment instrument data request
- PciData: The specific private payment instrument data points requested
- IpAddress: The cardholder’s IP Address (required if usage=cardholder)
iii. See Request Parameters for details. - Green Dot sends a response to the Partner containing the encrypted private payment instrument data.
- Partner accesses private payment instrument data to:
- Display to cardholder: Cardholder views private payment instrument data and the event is logged and monitored by Green Dot.
- Partner usage: Partner uses private payment instrument data to initiate a transaction. Cardholder does not see display of private data.
Configuration Requirements
- Partners should ensure they are Payment Card Industry Data Security Standard (PCI) compliant or have completed the relevant PCI requirements.
- Partners should ensure they adhere to all relevant PCI requirements, such as not storing CVV information persistently.
- Partners must ensure that cardholders complete a successful authentication within 10 minutes of their request and the PCI data being displayed to end users.
- Partners must implement measures to prevent screen scraping, such as requiring a tap to display user action before displaying any PCI data.
- Partners will decrypt the encrypted data transmitted from Green Dot to access the full card details.
- Partners will need to request the appropriate configurations from Green Dot for both physical and virtual cards.
- All cardholder actions that result in a display of PCI data are logged (including cardholder IP address) appropriately on the Partner side as well.
Sample Requests
Endpoint: GET /paymentInstruments
Structure of API Call:
GET /paymentInstruments/programs/{programCode}/accounts/{accountIdentifier}/paymentInstruments/{paymentInstrumentIdentifier}?usage=cardholder&pcidata=pan,cvv,exp&ipAddress=127.0.0.1Sample Response
REQUEST
GET {{$host}}/baas/v1/programs/{programCode}/accounts/{accountIdentifier}/paymentInstruments/
{paymentInstrumentIdentifier}?usage=cardholder&pcidata=pan,cvv,exp&ipAddress=127.0.0.1
Content-Type: application/json
X-GD-RequestId: {{$guid}}
BaaS-Version: 2.0 ### WILL BE REQUIRED TO ACCESS API VERSION 2.0
{
"paymentInstrument":{
"encryptedPrivatePaymentInstrumentData":{
"version":"EC_v1",
"ephemeralPublicKey":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEWQyizlkN8/ZHSVMRDub1lwFuWzHWuFQ6rXUtAMOvQUiLxTBfzrw8XHlqe3PdxfeEA+Gq67E4TK0Bbt78ximFXw==",
"publicKeyHash":"pD35siZ5RZWxW+zxEoZzbB0BMrhpTqQUYVMXchC5aC4=",
"data":"BF9pkBjf0qGTksE0TdRUCoSR5LAYJrhyVdL4kMaysk0E11xPylAoschJqdOwhJpgsVzK/nuF/qZfo7RFvg8yNd28C4TrsPnONhVfNr0iRPqwQ81jionJE6/z9vCK"
},
"paymentIdentifier":"9da28b7d-876c-41f7-9e07-efc0b6095905",
"paymentInstrumentIdentifier":"935f4eb2-458f-42c2-889f-d383ae2e6d75",
"paymentInstrumentType":"emv",
"status":"activated",
"isPinSet":true,
"last4Pan":"2777",
"activatedDateTime":"2021-01-28T03:39:16Z",
"issuedDateTime":"2021-01-28T03:38:58Z",
"isPrivateDataViewable":true,
"embossedName":"UrKLLvhy lRxPuPyt"
### DECRYPTED PAYLOAD
{
"pan":"4111999999991234",
"cvv":"123",
"expiration":{
"month":"12",
"year":"2020"
}
}
},
"responseDetails":[
{
"code":0,
"subCode":0,
"description":"Success",
"url":"http://tbd"
}
]
}
Request Parameters
| Parameter Name | Type | Allowed Values | Notes |
|---|---|---|---|
| usage | enum | cardholder partner | cardholder=data retrieved from this API call will be shown directly to the cardholder. partner=data retrieved from this API call will be used for partners own workflow and not directly shown to the cardholder. |
| pciData | array of enum | - pan - exp - cvv | Indicate which PCI secured data to return. - pan=card number (e.g. 16 digits on front of card) - exp=card expiration date (month & year) - cvv=card verification value (e.g. security code)Unencoded URL format should be comma separated list:pcidata=pan,cvv,exp |
| ipAddress | string | 192.168.0.1 2607:f0d0: 1002:0051: 0000:0000:0000:0004 | Cardholder mobile/web IP address if usage=cardholder. IP4 and IP6 format accepted. Required field if usage=cardholder. Optional field if usage=partner. |
Error Codes
| Error Scenario | Code | HTTP Status Code | Description |
|---|---|---|---|
| Partner is not configured for private payment instrument data | 365 | 400 | Please reach out to Partner Support to setup configuration. |
| Parameter missing | 200 | 400 | Required property missing or missing a value |
| Invalid format | 350 | 400 | The format of the string or number was invalid. Commonly related to IP address parameter. |
Voice Dial Functionality Feature for Multi-Factor Authentication Phone Call
This feature allows a customer to receive a phone call that recites and transcribes the MFA code so that the customer can enter it into the phone verification screen.
Sample Request for Voice Call
{
"verificationEventType":"registration",
"contactType":"Phone",
"contactHandle":"6554952560",
"accountIdentifier":"",
"firstName":"",
"lastName":"",
"productCode":"40002",
" CommunicationType":"VoiceCall"
}
Sample Response for Voice Call
{
"contactVerificationIdentifier":"d6a577b8-85db-4c55-b8ba-2281fb1ac07b",
"responseDetails":[
{
"code":0,
" subCode":0,
"description":"success",
"url":"http://tbd"
}
]
}
Partner Response Codes
| StatusCode | SubStatusCode | Message |
|---|---|---|
| 5 | 391 | A previous voice call was sent within 2 minutes |
| 5 | 392 | Calls are prohibited |
| 5 | 393 | Failed to call Twilio |
| 5 | 390 | The maximum number of Voice Calls within 24 hours has been exceeded |
| 600 | 0 | Invalid Communication Type |
Scenarios
| Condition | Action |
|---|---|
| ContactType is not Voicecall | Process the same as for SMS and email. |
| Phone is in Twilio Prohibited area codes | Return a Calls Prohibited error. |
| Exceeded voice call limit | Return a Call Limit Exceeded error. |
| Exceeded voice rate limit | Return a RateLimit exceeded error. |
| Latest record is not voice call, and expiration time is less than 3 minutes | Generate a new MFA code, call Twilio with PhoneNumber and MFACode, and return sessionCode. |
| Latest record is not voice call, and expiration time is more than 3 minutes | Call Twilio with PhoneNumber and MFACode and return sessionCode. |
| Latest record is voice call, and existing code is not expired | Call Twilio with PhoneNumber and MFACode and return sessionCode. |
| Latest record is voice call, and existing code is expired | Generate a new MFA code, call Twilio with PhoneNumber and MFACode, and return sessionCode. |
Updated about 22 hours ago