Card data encryption

Card data encryption and key wrapping

MeaWallet’s Token Platform provide multiple ways to digitize a card. One of those methods is digitization with encrypted card data. In this case, an issuer encrypts the data at its back-end, and then sends encrypted card data to its own mobile app (proprietary delivery mechanism), and mobile app provides it to the MeaWallet’s SDK or sends directly to MeaWallet’s backend API for decryption.

This approach is often used in cases where the issuer does not want any backend integrations with the MTP. Therefore, encryption with the right keys in those cases also act as approval for the digitization.


  1. MeaWallet generates Public Private key pair

  2. MeaWallet shares public key with the issuer (in a format of CSR)

  3. Issuer stores the key for card digitization in future

High-level steps

  1. When card needs to sent, the issuer generates AES-256 bit key one-time/secret key (SK)

  2. Encrypts the JSON-formatted card data with this one-time/secret key

  3. Encrypt (wrap) the one-time/secret key (SK) with MeaWallet’s Public Key

  4. Send encrypted payload with encrypted secret key to either (depending on case):

    a) the mobile device where it is forwarded to the MeaWallet SDK; or

    b) send directly to MeaWallet backend API

  5. MTP decrypts the payload and uses received card dat

How to build the payload


Sensitive data encryption
  • Key Length = 256 bits
  • Algorithm = AES
  • Block Cipher Mode = CBC
  • Padding = PKCS#5/PKCS#7
Encryption of the key
  • Key length = 4096 bits
  • Algorithm = RSA
  • Block Cipher Mode: ECB
  • Padding = PKCS#1 v2.2 OAEP method
  • OAEP Mask Generation Function: MGF1
  • OAEP Mask Generation Function Hash Algorithm = SHA-512
  • OAEP Parameters = none

Below is a sample of Java implementation with sample/demo data. However, it’s expected from the PCI-DSS compliant issuer to use Hardware Security Module when encrypting the card data.

On this page