Client-Side Encryption Library
Implement client-side encryption to send us PCI-related data such as PANs or CVCs
Credit card payments contain sensitive data that is sent over the network to the Payment System. It is important that the data is encrypted before sending over the network to the Payment System to limit the risk of leaking sensitive information. This page describes how client-side encryption can be integrated into the webshop. You need to be authorized to be able to use these endpoints, so make sure you have an access_token and use it as 'Bearer' token in your request as described here.
How does it work?
Some payment methods of the CM.com Online Payments API require specific data to be encrypted. This is needed when you integrate your own checkout with our Cards or Bancontact APIs. It is not allowed to send this so-called PCI data unencrypted to our APIs. Therefore you need to download and implement our client-side encryption library.
On the page where the card details are entered, an additional JavaScript file for client-side encryption should be included. This script is hosted by us and provides an encryption function to encrypt the card details. The card details are placed inside a JSON message, which is then encrypted using a public key.
The library ensures that the details are encrypted on the device of the shopper, so no plain details are visible on any intermediate system when the credit card payment is started.
It is important to note that the library must not be cached on any system, as the used public key changes over time. Caching the library may result in failed payments, as the Payment System can no longer decrypt the data.
Getting Client-Side Encryption libraries
The CM.com Online Payments API allows you to get the client-side-encryption libraries required to encrypt the card details entered in the page that you present to your Consumers. You need to trigger a web call once to fetch the download URLs. The result gives you a URL on which we host your client-side encryption library. These URLs are publicly available and must be called each time a Card or Bancontact payment is created because of the changing public key.
Request
GET https://api.pay.cm.com/api/v1/paymentmethods/library/cse
Response
{
  "bancontact": {
    "cseUrl": "https://api.pay.cm.com/libraries/ps/cse/80117cdb-be80-425f-954d-9696102efa60",
    "upstream": "ps"
  },
  "creditcard": {
    "cseUrl": "https://api.pay.cm.com/libraries/ps/cse/80117cdb-be80-425f-954d-9696102efa60",
    "upstream": "ps"
  }
}
Optional parameters
| Parameter | Type | Description | Constraints |
|---|---|---|---|
| bancontact.cseUrl | String | Contains the Client-Side Encryption library URL that you can use in your HTML (see "Using the Client-Side Encryption library to encrypt card details"). | Only if Bancontact is enabled for you. |
| bancontact.upstream | String | Indicates the upstream used by CM.com Online Payments API to generate the Client-Side-Encryption library URL. | Only if Bancontact is enabled for you. |
| creditcard.cseUrl | String | Contains the Client-Side Encryption library URL that you can use in your HTML (see "Using the Client-Side Encryption library to encrypt card details"). | Only if Credit Card is enabled for you. |
| creditcard.upstream | String | Indicates the upstream used by CM.com Online Payments API to generate the Client-Side-Encryption library URL. | Only if Credit Card is enabled for you. |
Response codes
| HTTP status | Description |
|---|---|
| 200 | Client-Side Encryption libraries successfully retrieved. |
| 4XX | Client error response (see message for details). This response is given when the user input was incorrect or something illegal was attempted (e.g. using a service without having that service configured for the user, or not being authorized). |
| 5XX | Server error response (See message for details). |
Using the Client-Side Encryption library to encrypt card details
This is an example of how you can use the Client-Side Encryption library to encrypt the card details on your own page:
<!-- Load the library over HTTPS, using the cseUrl returned by the API for this payment -->
<script src="https://api.pay.cm.com/libraries/ps/cse/80117cdb-be80-425f-954d-9696102efa60"></script>
<script>
  function updateMessage() {
    // Read the plain card details from the form fields
    const cardHolderName = document.getElementById("card-holder-name").value;
    const cardNumber = document.getElementById("credit-card-number").value;
    const expiryMonth = document.getElementById("credit-card-expiry-date-month").value;
    const expiryYear = document.getElementById("credit-card-expiry-date-year").value;
    const securityCode = document.getElementById("credit-card-security-code").value;
    // cseEncrypt is provided by the library loaded above; only its output leaves the page
    const encryptedCardDetails = cseEncrypt(cardHolderName, cardNumber, expiryMonth, expiryYear, securityCode);
    console.log(encryptedCardDetails);
  }
</script>
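The script tag above hardcodes a library URL, while the library must be fetched fresh for each payment. The following is an added example, not CM.com code, of a backend helper (Node.js 18+ assumed) that requests the URL with the Bearer token, checks it before use and renders the script tag. The function names and the ALLOWED_HOST check are hypothetical; the host value is taken from the sample response on this page.

```javascript
// Added example, not CM.com code: function names and ALLOWED_HOST are hypothetical.
const CSE_ENDPOINT = "https://api.pay.cm.com/api/v1/paymentmethods/library/cse";
const ALLOWED_HOST = "api.pay.cm.com"; // assumption: host seen in the sample response

// Sample response copied from the documentation above.
const SAMPLE_RESPONSE = {
  bancontact: { cseUrl: "https://api.pay.cm.com/libraries/ps/cse/80117cdb-be80-425f-954d-9696102efa60", upstream: "ps" },
  creditcard: { cseUrl: "https://api.pay.cm.com/libraries/ps/cse/80117cdb-be80-425f-954d-9696102efa60", upstream: "ps" },
};

// Return the validated library URL for one method ("creditcard" or "bancontact").
// A method that is not enabled for the account is simply absent from the response.
function pickCseUrl(response, method) {
  const entry = response ? response[method] : undefined;
  if (!entry || typeof entry.cseUrl !== "string") {
    throw new Error(`no CSE library for "${method}" (method not enabled?)`);
  }
  const url = new URL(entry.cseUrl); // throws on malformed input
  // A script that encrypts card data must not be loadable over plain HTTP,
  // where an intermediate system could replace it.
  if (url.protocol !== "https:") throw new Error("CSE library must be served over HTTPS");
  if (url.hostname !== ALLOWED_HOST) throw new Error(`unexpected CSE host: ${url.hostname}`);
  return url.href;
}

// Call this for every new Card or Bancontact payment; do not store the result,
// because the public key inside the library changes over time.
async function fetchCseUrl(accessToken, method, fetchImpl = fetch) {
  const res = await fetchImpl(CSE_ENDPOINT, {
    headers: { Authorization: `Bearer ${accessToken}`, Accept: "application/json" },
  });
  if (!res.ok) throw new Error(`CSE lookup failed: HTTP ${res.status}`);
  return pickCseUrl(await res.json(), method);
}

// Render the tag for the checkout page, escaping the URL for an HTML attribute.
function buildCseScriptTag(cseUrl) {
  const escaped = cseUrl
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;");
  return `<script src="${escaped}"></script>`;
}
```

Because the script changes whenever the public key changes, a fixed Subresource Integrity hash cannot be pinned on this tag; a Content-Security-Policy `script-src` entry for the library's origin can still restrict where checkout scripts load from.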
Updated 9 months ago