Client encryption flow

Card details (PAN, CVV, PIN) are sensitive data that are strongly secured by RSA and AES encryption algorithms. To minimize the risk of exposure, we set up end-to-end encrypted communication between the Client and Wise. This means that sensitive details are encrypted in transit and sent directly to the client without any partner's backend involved.

We use the JWE standard to pass encrypted data. A JWE is composed of 5 parts that ensure payload integrity and authentication checks. Each part is required and needs to be base64 encoded.

Details to generate a valid JWE:

  • Our RSA key uses the RSAES-PKCS1-V1_5 encryption algorithm.
  • The AES key should be of length 256 and use the AES-GCM encryption algorithm.
  • The Initialisation Vector should be of length 12.

Please reach out to our team to get an implementation code example.

Sensitive card data decryption

  1. Fetch the RSA key from Wise's endpoint.
  2. Generate an AES key directly in your client.
  3. Use the RSA Key to encrypt your AES key.
  4. Build an encrypted JSON (JWE) from step 3.
  5. Send the payload to one of our sensitive card details endpoints.
  6. The response is a JWE. Use the same AES key generated previously (step 2) to decipher the response.

Figure: Sensitive card details decryption

Sensitive card data encryption

  1. Fetch the RSA key from Wise's endpoint.
  2. Generate an AES key directly from your client.
  3. Use the AES key to encrypt your sensitive data (PIN).
  4. Use the RSA Key to encrypt your AES key.
  5. Build an encrypted JSON (JWE). The payload part encapsulates the AES encrypted PIN (step 3) and the RSA encrypted AES key (step 4).
  6. Send the payload to /POST set pin

Figure: Sensitive card details encryption
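
The two flows above can be sketched in Node.js as follows. This is an added example, not Wise's implementation code. It assumes the RFC 7516 compact serialization (base64url parts joined by dots), the header values `RSA1_5` and `A256GCM`, a 256-bit key and a 12-byte IV; the function names, the throwaway RSA key and the sample payload are constructed for illustration.

```javascript
// Added example, not Wise's code. Assumed: RFC 7516 compact form,
// header {"alg":"RSA1_5","enc":"A256GCM"}, 256-bit AES key, 12-byte IV.
const crypto = require("node:crypto");
const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Encryption flow steps 3-5: AES-GCM encrypts the payload, RSA wraps the AES key.
function buildJwe(rsaPublicKeyPem, aesKey, plaintext) {
  if (aesKey.length !== 32) throw new Error("AES key must be 256 bits");
  const header = b64u(JSON.stringify({ alg: "RSA1_5", enc: "A256GCM" }));
  const encryptedKey = crypto.publicEncrypt(
    { key: rsaPublicKeyPem, padding: crypto.constants.RSA_PKCS1_PADDING },
    aesKey
  );
  const iv = crypto.randomBytes(12); // fresh IV for every message under one key
  const cipher = crypto.createCipheriv("aes-256-gcm", aesKey, iv);
  cipher.setAAD(Buffer.from(header, "ascii")); // binds the header to the auth tag
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [header, b64u(encryptedKey), b64u(iv), b64u(ciphertext), b64u(cipher.getAuthTag())].join(".");
}

// Decryption flow step 6: open a JWE with the AES key kept in the client.
function decryptJwe(jwe, aesKey) {
  const parts = jwe.split(".");
  if (parts.length !== 5) throw new Error("a JWE has exactly 5 parts");
  const [header, , iv, ciphertext, tag] = parts;
  const { enc } = JSON.parse(Buffer.from(header, "base64url").toString("utf8"));
  if (enc !== "A256GCM") throw new Error("unexpected enc: " + enc);
  const ivBuf = Buffer.from(iv, "base64url");
  const tagBuf = Buffer.from(tag, "base64url");
  if (ivBuf.length !== 12 || tagBuf.length !== 16) throw new Error("bad IV or tag length");
  const decipher = crypto.createDecipheriv("aes-256-gcm", aesKey, ivBuf);
  decipher.setAAD(Buffer.from(header, "ascii"));
  decipher.setAuthTag(tagBuf);
  // final() throws if the header, ciphertext or tag was modified in transit
  const body = Buffer.concat([decipher.update(Buffer.from(ciphertext, "base64url")), decipher.final()]);
  return body.toString("utf8");
}

// Constructed demo: a throwaway RSA key stands in for the key fetched in step 1.
function demo() {
  const { publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const aesKey = crypto.randomBytes(32);
  const pem = publicKey.export({ type: "spki", format: "pem" });
  const jwe = buildJwe(pem, aesKey, "constructed-payload");
  return { jwe, aesKey, roundTrip: decryptJwe(jwe, aesKey) };
}
```

Keep the AES key only in client memory for the duration of the exchange and discard it once the response has been deciphered.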