Security
For the communication, mTLS is used. For incoming TLS connections the following TLS versions and cipher suites are accepted:
| TLS version | Cipher Suite |
|---|---|
| 1.3 | TLS_AES_256_GCM_SHA384 |
Authentication
The issuer is authenticated by their client certificate and only has access to their data.
Separate certificates are required for the test and production environments.
Client certificates used by the API consumer
The issuer must obtain the certificates themselves and then forward the entire certificate chain to SIX Client Delivery. The issuer ensures that the certificates are renewed in time and that SIX Client Delivery is informed about the date of a certificate replacement one month in advance.
To guarantee a high level of security, the certificates must meet at least the following requirements:
- Validity of the user certificates: not expired, still valid for nine months for new registrations
- Validity of the root certificates: not expired, still valid for five years with new registration
- Standard: X.509 V3
- Signature algorithm: RSA-SHA-256 or better, ECDSA-SHA256 or better
- Key length: min. 2048 Bit
- Key Usage: Client Authentication
Authorization
Authorization concept
API license modules determine to which specific endpoints a client is authorized to make requests. The license modules represent separate and independent use cases, except for the "Merchant logo" module, which requires the "Transaction list" module. To add or remove license modules, please get in touch with SIX Client Delivery.
If a request is made to an endpoint without previously enabling the corresponding license module, it will be declined with HTTP status code 403 and the application error code 4402 (ENDPOINT_NOT_ENTITLED). Also note that no license module is required to make healthcheck requests.
API license modules
| API License module | Entitled endpoints |
|---|---|
| Card lifecycle | POST /cards/details POST /cards PUT /cards/status |
| Card token | POST /cards/card-token |
| PIN management | POST /cards/start-set-pin POST /cards/set-pin POST /cards/pin |
| Sensitive card data | POST /cards/credentials |
| 3DS lifecycle | POST /cards/3ds PUT /cards/3ds POST /cards/3ds/delete |
| 3DS details | POST /cards/3ds/details |
| OTRC order | POST /cards/otrc |
| Provisioning wallet encryption | POST /cards/encrypt-card-data POST /cards/generate-authorization-code |
| Provisioning C2P encryption | POST /cards/encrypt-card-data/click-to-pay POST /cards/generate-authorization-code POST /cards/click-to-pay/status |
| Token lifecycle management | GET /digitalcards/{dpan} POST /digitalcards/search PUT /digitalcards/status PUT /digitalcards/{dpan}/status |
| Transaction list | POST /transactions/search POST /digitalcards /{dpan}/transactions POST /presentments/search |
| Merchant logo (requires Transaction list) | GET /merchants/{merchantId}/logo |