Download OpenAPI specification:Download
Card Link is the concept of resolving a payment method to a non-sensitive 3rd party id.
Card Link may be used in multiple use-cases, for example
The basic idea in Card Link is that when the card is used, the payment terminal returns a card token or PAR value, which can then be used
to look up a previously defined id for that card.
The id (userId
) is set at enrolment of the payment card, and could be e.g. a loyalty member id or any other desired reference.
UserId for a card cannot be updated at a later date.
Provides Card Link lookups using the card token and card manipulation such as enrolment via cardframe, list, delete, etc. via Storebox Card API.
Extending Basic Card Link functionality via terminals running Viking and OnePA. This allows in-store card enrolment and card lookups through Baxi commands.
Via a dedicated PCI compliant API cards can be enrolled programmatically. Please note that adding cards programmatically carries extensive security requirements and may even require PCI-DSS certification on integrator side.
All data exchange is in JSON and is UTF-8 encoded. To ensure forward compatibility, client implementations must be resilient to new elements being added to the API responses in the future.
The API has the following rate limiting to ensure performant operation:
Operation | Limit |
---|---|
Add card | 1 per second |
List/delete card | 10 per second |
Lookup card | 1000 per second |
If higher rates are required, Storebox must be contacted in advance to avoid automatic blacklisting.
The table below describes the two environments that are available.
Environment | Description |
---|---|
Test | All development should be done using this environment. The implementation is end-to-end testable using test equipment, for example test terminals. Note that this environment also acts as internal test environment, so there may be short outages. |
Production | Live environment that works with production terminal |
To start using Card Link you must first get an API key from Storebox.
Handling of card life-cycle management like, add, delete and list is done through Card API. After a card has been added it is available for card link lookups thus it is strongly recommended to implement card manipulation, or at least adding, before card lookup.
Interaction with Card API is server to server. For card enrolment, the generated CardFrame URL is supplied to the client.
Cards enrolled via Card API CardFrame are based on user interaction and are immediately active.
Cards enrolled as part of Terminal Card Link (in-store via terminal) must be activated in order to become available for lookups.
Card lookup is typically done by the ECR before a transaction, so that e.g. the amount can be adjusted according to a discount level or likewise. The lookup may, of course, be done at any favorable point in the payment process.
Using Basic Card Link the ECR fetches the card token from the terminal and calls Card Link lookup.
The result will either be a 404 Not Found
if the card is unknown, otherwise the user id and a card id is returned.
Term | Description |
---|---|
Token | A token is a non-sensitive representation of the payment card, and cannot be used for payment nor any other actions with fiscal impact. The value may change at random for the same payment card. Tokens are not standard and thus implementation highly depends on the terminal Payment Application (PA). |
cardRef | A token as described above. Available via Viking and OnePA. |
Funding PAN (FPAN) | The card number on the physical payment card |
Token PAN (TPAN) | A virtual card number that is issued when a payment card is added to a wallet like Apple Pay or Google Pay. A TPAN is issued per device. |
PAR | Payment Account Reference (PAR) is a standard specified by EMVCo which is static value for cross referencing the FPAN and any derived TPANs. One can think of a PAR value as a shared token across the physical and any virtual cards derived hereof. |
Card lookup is handled via a high availability, high performance card lookup endpoint.
Card manipulation is handled via Storebox Card API
Check if a card is known and which id is registered on card.
token required | string Token or PAR referencing the user's card. Please make sure to URL encode the token/PAR. |
[- {
- "userId": "d17458f2-4764-4096-867b-06f6f47a6941",
- "externalCardId": "cf840424bf2f403582384a810247aaf4"
}
]
The addition of the 'Terminal Card Link' package enables the use of Viking and OnePA terminals as clients for card lookup and card enrolment.
The methods described herein are not available via Storebox Card Link API, but solely via Baxi. The inclusion in this documentation serves to provide basic examples of the responses that may be expected in the "payload" object of the response when using Baxi functions to facilitate Storebox Card Link operations.
Baxi uses its own error codes, error messages and has its own possible failures in Baxi context.
Check if a card is known and which userId is registered on a known card using the terminal operation getAsset
.
Lookup happens towards Storebox Card Link API from the terminal instead of via integration to Storebox CardLink API.
Baxi structure is defined by Nets. Currently the response from Storebox is contained as payload
under da.dam2ra.getasset.asset.attributes
.
Card Link API responses are contained within the cardlinkapi
object under the root object payload
from Storebox' systems.
Besides structural differences, the response via getAsset is the same as Card Lookup in Basic Card Link.
Example of succesful card lookup response via Baxi
{
"payload": {
"cardlinkapi": {
"users": [
{
"userId": "511618771",
"externalCardId": "ha0u3xb395c4lps1hbfajrdbotq3f4h7"
},
{
"userId": "797745330",
"externalCardId": "x83is6m0uf3c55icykcihhraizfsnaj3"
}
]
}
}
}
Available via the Baxi insertAsset
operation and delivers the card to Storebox in a 'pending verification' state. Card awaits activation call.
Example of succesful card enrolment response via Baxi
{
"payload": {
"id": "800unxobgxyrguqqv11ankz0vsuy2p5w",
"posapi": {
"userId": [
{
"type": "pan",
"value": "f37388e0-0a1f-11eb-b596-5c4242535400"
}
]
},
"cardlinkapi": {
"activationCode": "969fc04a-d102-4c2e-b04f-808d0b9ea5d6"
}
}
}
Status codes and messages are Baxi specific. Documentation must be provided by Nets.
For complete documentation of getAsset
and insertAsset
in a Baxi context, please refer to NETS documentation.
For a quick'n'dirty flow introduction you may consult our getting started guide to Viking, but please note that it is NOT usable as direct copy/paste reference as Baxi action codes etc. may have changed and thus Nets Baxi documentation must be consulted.
!! Card API !!
Return all pending cards registered to the caller. The result is pageable and sortable.
page | integer <int32> Pagenumber to return. The page index is zero-based. Defaults to 0 (zero) |
size | integer <int32> Elements returned per page. Defaults to 100. |
sort | string^(activationCode|created),(asc|desc)$ Sort the returned content. Defaults to 'sort=created,desc'. Sort can have any of the values: activationCode, created. In addition to defining the field to sort in, the sort direction is also defined in this field by either asc or desc Example: '...&sort=activationCode,asc&...' |
{- "content": [
- {
- "provider": "storebox",
- "activationCode": "b84aba71-b364-4297-ac4c-a52817ec613a",
- "parameters": "storeid=store_141",
- "entryExpires": "2014-05-14T15:22:11Z",
- "created": "2014-05-14T15:22:11Z"
}
], - "totalElements": 1000,
- "totalPages": 10,
- "first": true,
- "last": false,
- "numberOfElements": 100,
- "page": 0
}
!! Card API !!
Verify existence of a specific activationCode before calling activate card, or before creating user profile in external system. This is not strictly necessary, but may help communicate what is going to happen to the end user.
The endpoint will return 404
if the activation code is not found, which may be the case if it is expired or already used.
activationCode required | string Example: b84aba71-b364-4297-ac4c-a52817ec613a Check existence of an activationCode |
!! Card API !!
Finalizes enrolment of a card where the enrolment was started from a terminal.
There are several cases, where the request may fail.
activationCode
might not exist. This may happen if it was already used or it has expired (default TTL is 30 days).activationCode required | string Example: b84aba71-b364-4297-ac4c-a52817ec613a Activate the pending card |
userId required | string The userId provided when the card was registered |
{- "userId": "d17458f2-4764-4096-867b-06f6f47a6941"
}