Enabling Message-Level Encryption
IMPORTANT
This feature is in the pilot phase. To use Message-Level Encryption, please contact your sales representative.
Message-Level Encryption (MLE) lets you store information or exchange it with other
parties while helping to prevent uninvolved parties from reading it. MLE is optional
and supported only for payments services.
MLE provides enhanced security for the message payload with a hybrid scheme built on
public-key cryptography. The message itself is encrypted with symmetric encryption,
Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) with a 256-bit key. That
content-encryption key is in turn encrypted with RSA Optimal Asymmetric Encryption
Padding (OAEP) using a 2048-bit key. The encryption service is based on JSON Web
Encryption (JWE), works on top of SSL, and requires separate key pairs for the request
and response legs of the transaction.
MLE is required for APIs that primarily deal with sensitive transaction data, both
financial and non-financial. These are the types of sensitive transaction data:
- Personal identification information (PII)
- Personal account number (PAN)
- Personal account information (PAI)
MLE is supported for two authentication schemes:
Each of these authentication schemes uses an encrypted payload, called the JWE. A JWE
token has these five components, with each component separated by a period (.):
- JOSE header containing four elements:
    "alg": "RSA-OAEP-256", // The algorithm used to encrypt the CEK
    "enc": "A256GCM",      // The algorithm used to encrypt the message
    "iat": "1702493653",   // The current timestamp in milliseconds
    "kid": "keyId"         // The serial number of the shared public cert used to encrypt the CEK
- JWE encrypted key
- JWE initialization vector
- JWE additional authentication data (AAD)
- JWE ciphertext and authentication tag
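The following Go program is an added example, not code from the API's own SDKs: it builds and opens a JWE with exactly the header, key-wrapping algorithm and content cipher described above (RSA-OAEP with SHA-256 wrapping a 256-bit AES-GCM key). It assumes the RFC 7516 compact serialization, in which the base64url-encoded protected header serves as the GCM additional authenticated data, so any change to the header, wrapped key, IV, ciphertext or tag fails authentication; the key pair, kid and payload are constructed for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWE components are unpadded base64url
// buildJWE wraps a fresh 256-bit CEK with RSA-OAEP (SHA-256) under the recipient's public
// key and seals payload with AES-256-GCM; the base64url protected header is the GCM AAD.
func buildJWE(pub *rsa.PublicKey, kid string, iat int64, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "enc": "A256GCM",
		"iat": fmt.Sprint(iat), "kid": kid}) // kid names the cert whose key wraps the CEK
	aad := []byte(b64.EncodeToString(hdr))
	keyMat := make([]byte, 32+12) // 256-bit CEK followed by a 96-bit GCM nonce
	if _, err := rand.Read(keyMat); err != nil { return "", err }
	cek, iv := keyMat[:32], keyMat[32:]
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return "", err }
	block, _ := aes.NewCipher(cek) // cannot fail: cek is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block)
	sealed := gcm.Seal(nil, iv, payload, aad) // ciphertext followed by the 16-byte tag
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:]
	return strings.Join([]string{string(aad), b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}
// openJWE reverses buildJWE: it rejects unexpected alg/enc and malformed parts, and the
// GCM tag check fails on any change to the header, wrapped key, IV, ciphertext or tag.
func openJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 { return nil, fmt.Errorf("expected 5 JWE components, got %d", len(p)) }
	dec := func(i int) []byte { b, _ := b64.DecodeString(p[i]); return b } // lenient; GCM catches damage
	var hdr struct{ Alg, Enc string }
	if json.Unmarshal(dec(0), &hdr) != nil || hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" {
		return nil, fmt.Errorf("missing or unexpected alg/enc in JOSE header")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, dec(1), nil)
	if err != nil || len(cek) != 32 { return nil, fmt.Errorf("invalid wrapped CEK") }
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	if iv := dec(2); len(iv) == gcm.NonceSize() { return gcm.Open(nil, iv, append(dec(3), dec(4)...), []byte(p[0])) }
	return nil, fmt.Errorf("invalid IV length")
}
```

The length and key-size checks before AES and GCM setup matter on the receiving side, because the wrapped-key and IV components arrive from the network and an oversized or truncated value would otherwise panic the decryptor instead of returning an error.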