
Security

All communication with the API uses mutual TLS (mTLS): the server presents its certificate and the API consumer must present a client certificate. For incoming TLS connections, only the following TLS version and cipher suite are accepted:

TLS version    Cipher suite
1.3            TLS_AES_256_GCM_SHA384

Authentication

The issuer is authenticated by its client certificate and has access only to its own data.

Separate certificates are required for the test and production environments.

Client certificates used by the API consumer

The issuer must obtain the certificates themselves and forward the entire certificate chain (client certificate plus any intermediate and root certificates) to SIX Client Delivery. The issuer is responsible for renewing the certificates in time and for informing SIX Client Delivery of the date of a certificate replacement at least one month in advance.

To guarantee a high level of security, the certificates must meet at least the following requirements:

  • Validity of the client (user) certificate: not expired; for a new registration, at least nine months of validity remaining
  • Validity of the root certificate: not expired; for a new registration, at least five years of validity remaining
  • Standard: X.509 v3
  • Signature algorithm: RSA with SHA-256 or stronger, or ECDSA with SHA-256 or stronger
  • Key length: at least 2048 bits (a minimum for RSA keys; the strength of an ECDSA key is fixed by its curve)
  • Extended Key Usage: Client Authentication (clientAuth, OID 1.3.6.1.5.5.7.3.2)
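The following Go program is an added example, not code from SIX or from this page: it checks a client certificate and the root of its chain against the requirements just listed, so an issuer can run the same checks before forwarding a chain to SIX Client Delivery. It mints its own throwaway P-256 certificates with hypothetical subject names (constructed test data, not SIX-issued certificates); the function names checkClientCert, mintCert and demoChain are this example's own, and the nine-month and five-year windows are measured from the registration date passed in as now.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkClientCert checks a client (leaf) certificate and the root of its chain
// against the requirements above, as of registration time now. It returns one
// message per violated requirement; an empty result means compliant.
func checkClientCert(leaf, root *x509.Certificate, now time.Time) []string {
	var v []string
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		v = append(v, "leaf: expired or not yet valid")
	} else if leaf.NotAfter.Before(now.AddDate(0, 9, 0)) {
		v = append(v, "leaf: fewer than nine months of validity remaining")
	}
	if now.Before(root.NotBefore) || now.After(root.NotAfter) {
		v = append(v, "root: expired or not yet valid")
	} else if root.NotAfter.Before(now.AddDate(5, 0, 0)) {
		v = append(v, "root: fewer than five years of validity remaining")
	}
	if leaf.Version != 3 {
		v = append(v, "leaf: not an X.509 v3 certificate")
	}
	switch leaf.SignatureAlgorithm { // RSA-SHA-256 / ECDSA-SHA256 or stronger
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS,
		x509.ECDSAWithSHA256, x509.ECDSAWithSHA384, x509.ECDSAWithSHA512:
	default:
		v = append(v, "leaf: signature algorithm weaker than SHA-256")
	}
	if pub, ok := leaf.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		v = append(v, "leaf: RSA key shorter than 2048 bits")
	}
	clientAuth := false
	for _, eku := range leaf.ExtKeyUsage {
		clientAuth = clientAuth || eku == x509.ExtKeyUsageClientAuth
	}
	if !clientAuth {
		v = append(v, "leaf: missing clientAuth extended key usage")
	}
	return v
}

// check aborts the demonstration on an unexpected error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mintCert builds a throwaway P-256 certificate (constructed test data, not a
// SIX-issued certificate): self-signed when parent is nil, else parent-signed.
func mintCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// demoChain returns a root and a compliant leaf for registration time now, plus
// a leaf breaking two rules (three months left, no clientAuth). Names are made up.
func demoChain(now time.Time) (root, good, bad *x509.Certificate) {
	root, rootKey := mintCert(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Issuer Root CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0)}, nil, nil)
	good, _ = mintCert(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "issuer-api-client"}, NotBefore: now,
		NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, root, rootKey)
	bad, _ = mintCert(&x509.Certificate{SerialNumber: big.NewInt(3),
		Subject: pkix.Name{CommonName: "issuer-api-client-stale"}, NotBefore: now,
		NotAfter: now.AddDate(0, 3, 0), KeyUsage: x509.KeyUsageDigitalSignature}, root, rootKey)
	return root, good, bad
}

func main() {
	now := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	root, good, bad := demoChain(now)
	fmt.Println("compliant leaf:", checkClientCert(good, root, now))
	fmt.Println("stale leaf:", checkClientCert(bad, root, now))
}
```

To run the same checks on a real chain, parse the PEM files with encoding/pem and x509.ParseCertificate and pass the leaf and the root to checkClientCert with today's date; a non-empty result is the list of items to fix before registering the certificate with SIX Client Delivery. The checker deliberately inspects the leaf's own fields rather than calling x509.Certificate.Verify, because chain building is a separate question from the issuer requirements above.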

Authorization

Authorization concept

API license modules determine which endpoints a client is authorized to call. The license modules represent separate and independent use cases, with one exception: the "Merchant logo" module requires the "Transaction list" module. To add or remove license modules, contact SIX Client Delivery.

A request to an endpoint whose license module has not been enabled is rejected with HTTP status code 403 and application error code 4402 (ENDPOINT_NOT_ENTITLED). Healthcheck requests require no license module.

API license modules

API license module                Entitled endpoints
Card lifecycle                    POST /cards/details
                                  POST /cards
                                  PUT /cards/status
PIN management                    POST /cards/start-set-pin
                                  POST /cards/set-pin
Sensitive card data               POST /cards/credentials
3DS lifecycle                     POST /cards/3ds
                                  PUT /cards/3ds
                                  POST /cards/3ds/delete
OTRC order                        POST /cards/otrc
Provisioning wallet encryption    POST /cards/encrypt-card-data
                                  POST /cards/generate-authorization-code
Provisioning C2P encryption       POST /cards/encrypt-card-data/click-to-pay
                                  POST /cards/generate-authorization-code
                                  POST /cards/click-to-pay/status
Token lifecycle management        GET /digitalcards/{dpan}
                                  POST /digitalcards/search
                                  PUT /digitalcards/status
                                  PUT /digitalcards/{dpan}/status
Transaction list                  POST /transactions/search
                                  POST /digitalcards/{dpan}/transactions
                                  POST /presentments/search
Merchant logo                     GET /merchants/{merchantId}/logo
(requires Transaction list)
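As an added example (not SIX's implementation and not code from this page), here is the entitlement rule above expressed as a Go program: the endpoint table, the dependency of "Merchant logo" on "Transaction list", the exemption for healthchecks, and the 403 / 4402 ENDPOINT_NOT_ENTITLED rejection. Path segments in braces are matched as parameters, and an endpoint listed under two modules is entitled by either. Two details are assumptions, since the page does not state them: the healthcheck path "/healthcheck", and a 404 for requests that match no endpoint in the table.

```go
package main

import (
	"fmt"
	"strings"
)

// route ties an endpoint to the license module that entitles it; the entries
// below are the table above. A segment in braces is a path parameter matching
// any single non-empty segment; an endpoint under two modules appears twice.
type route struct{ method, pattern, module string }

var routes = []route{
	{"POST", "/cards/details", "Card lifecycle"},
	{"POST", "/cards", "Card lifecycle"},
	{"PUT", "/cards/status", "Card lifecycle"},
	{"POST", "/cards/start-set-pin", "PIN management"},
	{"POST", "/cards/set-pin", "PIN management"},
	{"POST", "/cards/credentials", "Sensitive card data"},
	{"POST", "/cards/3ds", "3DS lifecycle"},
	{"PUT", "/cards/3ds", "3DS lifecycle"},
	{"POST", "/cards/3ds/delete", "3DS lifecycle"},
	{"POST", "/cards/otrc", "OTRC order"},
	{"POST", "/cards/encrypt-card-data", "Provisioning wallet encryption"},
	{"POST", "/cards/generate-authorization-code", "Provisioning wallet encryption"},
	{"POST", "/cards/encrypt-card-data/click-to-pay", "Provisioning C2P encryption"},
	{"POST", "/cards/generate-authorization-code", "Provisioning C2P encryption"},
	{"POST", "/cards/click-to-pay/status", "Provisioning C2P encryption"},
	{"GET", "/digitalcards/{dpan}", "Token lifecycle management"},
	{"POST", "/digitalcards/search", "Token lifecycle management"},
	{"PUT", "/digitalcards/status", "Token lifecycle management"},
	{"PUT", "/digitalcards/{dpan}/status", "Token lifecycle management"},
	{"POST", "/transactions/search", "Transaction list"},
	{"POST", "/digitalcards/{dpan}/transactions", "Transaction list"},
	{"POST", "/presentments/search", "Transaction list"},
	{"GET", "/merchants/{merchantId}/logo", "Merchant logo"},
	// Healthchecks need no module; the path "/healthcheck" is an assumption.
	{"GET", "/healthcheck", ""},
}

// prerequisites lists modules that may only be used alongside another one.
var prerequisites = map[string][]string{"Merchant logo": {"Transaction list"}}

// decision is the check's outcome; on denial it carries the HTTP status and
// application error code the page specifies.
type decision struct{ Allowed bool; Status, ErrorCode int; Error string }

// matchPath compares a request path against a pattern segment by segment.
func matchPath(pattern, path string) bool {
	p := strings.Split(strings.Trim(pattern, "/"), "/")
	q := strings.Split(strings.Trim(path, "/"), "/")
	if len(p) != len(q) {
		return false
	}
	for i := range p {
		param := strings.HasPrefix(p[i], "{") && strings.HasSuffix(p[i], "}")
		if (param && q[i] == "") || (!param && p[i] != q[i]) {
			return false
		}
	}
	return true
}

// entitled reports whether module and all of its prerequisites are enabled.
func entitled(enabled map[string]bool, module string) bool {
	if module == "" {
		return true // no module required
	}
	ok := enabled[module]
	for _, pre := range prerequisites[module] {
		ok = ok && entitled(enabled, pre)
	}
	return ok
}

// authorize decides a request against the client's enabled license modules.
func authorize(enabled map[string]bool, method, path string) decision {
	matched := false
	for _, r := range routes {
		if r.method != method || !matchPath(r.pattern, path) {
			continue
		}
		matched = true
		if entitled(enabled, r.module) {
			return decision{Allowed: true}
		}
	}
	if !matched { // unknown endpoint: 404 is an assumption, not from the page
		return decision{Status: 404}
	}
	return decision{Status: 403, ErrorCode: 4402, Error: "ENDPOINT_NOT_ENTITLED"}
}

func main() {
	enabled := map[string]bool{"Transaction list": true} // constructed example
	fmt.Printf("%+v\n", authorize(enabled, "GET", "/merchants/42/logo"))
}
```

The dependency is enforced inside entitled rather than at module-assignment time, so a client holding only "Merchant logo" is still refused the logo endpoint; that mirrors the page's statement that the module requires "Transaction list" rather than merely recommending it.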