unified-payments
  1. Unified Payments
unified-payments
  • Unified Payments
    • Overview
    • Encryption
    • Authentication
    • Card (Non-3DS)
    • Card (3DS)
    • Apple Pay
  • Unified Payments API
    • Payments
      • Initiate Payment
      • List Payments
      • Get Payment
    • Refunds
      • Initiate Refund
      • List Refunds
      • Get Refund
  • Schemas
    • Schemas
      • SuccessResponse
    • ErrorResponse
    • PaymentRequest
    • PaymentResponse
    • WebhookPayload
  1. Unified Payments

Encryption

Payment Data Encryption#

How to encrypt sensitive payment data before sending to Nuvion's API.

Overview#

All sensitive payment data (card numbers, CVV, etc.) must be encrypted using RSA-OAEP with SHA-256 before being sent to the API.
Why encryption?
Protects card data in transit (even over HTTPS)
Prevents data from being logged or cached
Ensures only Nuvion can decrypt the sensitive data
PCI DSS compliance

Getting Your Public Key#

Contact Nuvion support to receive your RSA Public Key in PEM format:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
-----END PUBLIC KEY-----

Encryption Algorithm#

Algorithm: RSA-OAEP
Hash Function: SHA-256
Padding: OAEP (Optimal Asymmetric Encryption Padding)
Encoding: Base64

What to Encrypt#

Card Payments#

Encrypt the following card data as a JSON object:
{
  "card_number": "4111111111111111",
  "expiry_month": "12",
  "expiry_year": "2025",
  "cvv": "123",
  "cardholder_name": "John Doe"
}

Apple Pay Payments#

For Apple Pay, you send just the payment type - no encryption needed:
{
  "type": "apple_pay"
}
The Apple Pay token is obtained on Nuvion's hosted page, so you never handle it.

Implementation Examples#

Node.js (crypto)#

Python (cryptography)#

PHP (OpenSSL)#

Card Data Validation#

Before encrypting, validate the card data:

Card Number#

Remove all spaces and dashes
Must be 13-19 digits
Should pass Luhn check (checksum validation)

Expiry Date#

Month: 01-12 (two digits)
Year: YYYY format (e.g., 2025)
Must be in the future

CVV#

3 digits for most cards
4 digits for American Express

Cardholder Name#

Minimum 1 character
Only letters, spaces, hyphens, and apostrophes

Common Errors#

Decryption Failed#

{
  "status": "error",
  "message": "Failed to decrypt payment data",
  "code": "INVLDDATA"
}
Causes:
Using wrong public key (sandbox vs production)
Incorrect encryption algorithm (must be RSA-OAEP with SHA-256)
Malformed card data JSON
Base64 encoding error

Invalid Card Data#

{
  "status": "error",
  "message": "Invalid card number",
  "code": "VALIDATIONERR"
}
Causes:
Card number fails Luhn check
Expired card
Invalid CVV length
Missing required fields

Security Best Practices#

✅ DO#

Encrypt data immediately before sending
Use the correct public key for your environment
Validate card data before encrypting
Store the public key in environment variables
Use HTTPS for all requests

❌ DON'T#

Store unencrypted card data
Log card data (even before encryption)
Reuse encrypted data (encrypt fresh each time)
Share your public key publicly (it's tied to your account)
Use production keys in development

Testing Encryption#

You can test your encryption implementation using our simulation endpoint:
If encryption is correct, you'll get back the decrypted card data (sandbox only).

Environment-Specific Keys#

Always use the correct public key for your environment:
EnvironmentPublic Key
SandboxProvided by support (test key)
ProductionProvided by support (live key)
Never use production keys in development/testing!

Support#

If you're having encryption issues:
1.
Verify you're using the correct public key
2.
Check the encryption algorithm matches (RSA-OAEP + SHA-256)
3.
Ensure card data JSON is valid
4.
Test with the simulation endpoint (sandbox)
5.
Contact support@nuvion.com with error details (never send unencrypted card data)
Modified at 2025-11-10 16:33:01
Previous
Overview
Next
Authentication
Built with