Client encryption flow
Card details (PAN, CVV, PIN) are sensitive data that are strongly secured by RSA and AES encryption algorithms. To minimize risks of exposure, we take the stand to set up an end to end encrypted communication between the Client and Wise. It means that sensitive details are encrypted in transit and send directly to the client without any partner's backend involved.
We are using the JWE
standard to pass encrypted data. A JWE is composed of 5 parts that ensure the payload integrity and authentication checks. Each part is required and need to be base64 encoded.
Details to generate a valid JWE
:
- Our RSA key is using
RSAES-PKCS1-V1_5
encryption algorithm. - The AES key should be of length
256
and useAES-GCM
encryption algorithm. - The length of the Initialisation Vector should be of length
12
.
Please reach out to our team to get an implementation code example.
Sensitive card data decryption
- Fetch the
RSA key
from Wise's endpoint. - Generate an
AES key
directly in your client. - Use the
RSA Key
to encrypt yourAES key
. - Build an encrypted JSON (
JWE
) from step 3. - Send the payload to one of our sensitive card details endpoint
- The response is an
JWE
. Use your same key generated previously (step 2) to decipher the response.
Sensitive card data encryption
- Fetch the
RSA key
from Wise's endpoint. - Generate an
AES key
directly from your client. - Use the
AES key
to encrypt your sensitive data (PIN). - Use the
RSA Key
to encrypt yourAES key
. - Build an encrypted JSON (
JWE
). The payload part encapsulate the AES encrypted PIN (step 3) and the RSA encrypted AES key (step 4). - Send the payload to /POST set pin