The bank might not have access to the card number (PAN), or issuers and program managers might not issue a physical card but still want the user to see full card details in their app. In that case MeaWallet, as a PCI-DSS approved authority, can integrate with and fetch card data from the bank’s 3rd party vendor (Issuer Processor) or another instance within the bank and deliver the card data to the app. In such a scenario the bank provides a virtual CARD_ID (for GPS customers this is the Public Token Id) and a SECRET; MeaWallet verifies the SECRET and makes a request to the 3rd party vendor to receive the full card data.
Functional requirements and guidelines
- The user must perform authentication before requesting the data
- The card data must be specifically asked for by the cardholder (e.g. the user clicks a button)
- Card data cannot be stored on the app/device. A new request must happen every time the cardholder requests the data
- The temporary storage/display of the card data should be removed and deleted when the session terminates or expires. For example:
  - User leaves the card screen
  - User logs out
  - After 45-60 seconds
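The display rules above, sketched as an in-memory holder for a web client. This is an added example, not MeaWallet code: `createCardReveal`, `bindLifecycle`, the `session` shape and the card field names are hypothetical, and the 60-second cap is taken from the upper end of the 45-60 second window.

```javascript
// Added example (not MeaWallet code): in-memory holder for revealed card data.
// `session` shape and card field names are assumptions for illustration.
const MAX_TTL_MS = 60_000; // upper end of the 45-60 s window in the guidelines

function createCardReveal({ ttlMs = 45_000, now = Date.now, onClear = () => {} } = {}) {
  const ttl = Math.min(ttlMs, MAX_TTL_MS);
  let card = null;   // lives only in this closure: never localStorage, cookies or disk
  let expiresAt = 0;
  let timer = null;

  function clear(reason) {
    if (timer !== null) { clearTimeout(timer); timer = null; }
    if (card === null) return false;
    // JS strings cannot be zeroed in place; dropping every reference is the most the runtime allows.
    card = null;
    onClear(reason); // UI callback: blank the fields that displayed the card data
    return true;
  }

  return {
    // `freshCard` must come from a request made for this click, never from a cache.
    show(session, freshCard) {
      if (!session || !session.authenticated) throw new Error("authentication required");
      if (!session.userInitiated) throw new Error("explicit cardholder request required");
      clear("replaced");
      card = Object.freeze({ ...freshCard });
      expiresAt = now() + ttl;
      timer = setTimeout(() => clear("timeout"), ttl);
    },
    // Returns the card while the window is open, otherwise null (expiry is also checked lazily).
    read() {
      if (card !== null && now() >= expiresAt) clear("timeout");
      return card;
    },
    clear,
  };
}

// Browser wiring: clear as soon as the card screen is hidden.
// The app's own logout handler should call reveal.clear("logout") as well.
function bindLifecycle(reveal, doc = globalThis.document) {
  if (!doc) return false; // not running in a browser
  doc.addEventListener("visibilitychange", () => {
    if (doc.visibilityState === "hidden") reveal.clear("left-screen");
  });
  return true;
}
```

Injecting `now` makes the expiry path testable without waiting; in production the default `Date.now` and the timer both apply.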
The bank needs to provide a virtual CARD_ID (for GPS customers this is the Public Token Id) and a SECRET. MeaWallet will verify the SECRET and make a request to the 3rd party vendor to receive the full card data.
A guide to SECRET generation can be found on the How to Generate Time-based Secret page.
MeaWallet provides two solutions for card data retrieval from 3rd party vendors.
Workflow using MeaWallet Android and iOS mobile SDKs
Card Data API Sequence diagram without MeaWallet SDKs
A workflow like this can be used by the issuer’s online banking site or mobile applications when the MeaWallet mobile SDKs are not an option. In this case the issuer implements the connection to the MeaWallet Card Data API directly.
Use of the Card Data API is not necessary if the MeaWallet Android SDK or iOS SDK is used in the mobile application.
|PAN|Personal Account Number|
|PCI-DSS|Payment Card Industry Data Security Standard|