PCI widget

PCI DSS compliance details

nCore is certified for the Payment Card Industry Data Security Standard (PCI DSS) as a Level 1 Service Provider. PCI compliance is a shared responsibility between NymCard and your business. When processing, storing and forwarding payment transactions, it is essential that you do so in a PCI-compliant manner. The complexity of this depends on your integration method.

However, the easiest way to remain PCI compliant is never to access or read your customers' card data. To make this simple for you, we have some important integration recommendations below.

  • Use Transport Layer Security (TLS) for all payment pages, i.e. HTTPS

  • Always stay compliant. Review and validate your PCI compliance once a year

  • If you are not PCI compliant, use our PCI widget, which enables you to show sensitive card data without ever handling it.

PCI widget

Companies that store, process, or transmit sensitive card data* must comply with the Payment Card Industry Data Security Standard (PCI DSS). Achieving PCI DSS certification is both tedious and costly. If you want to handle sensitive card data, you will be required to comply with PCI DSS security requirements and obtain the relevant PCI DSS certification. This can be a challenging task, especially for small businesses.

To help you reduce the scope and burden of PCI compliance, nCore handles all sensitive data so that it is never stored, processed or transmitted through your systems or applications. nCore offers widgets that you can embed in your frontend applications (mobile and web) to handle the sensitive data and perform the required functionality without exposing that data to your systems.

*What is sensitive card data?

Sensitive card data includes:

  • Primary account number (PAN)

  • Card verification value (CVV2)

  • Personal Identification Number (PIN)

PCI widget usage

Using the PCI widget, you can perform the following actions:

  • Show clear card details

  • Get PIN

  • Change PIN

Follow the steps below:

1. Call the Create LUT API. A LUT is a limited usage token, which times out after 5 minutes if it has not been used. Each LUT is for one-time use. To create a LUT, fill in the following parameters:

  • 'id' - ID of the card, or proxy number, whose information you want to encrypt

  • 'source_id' - put "default_pci_source" here

  • 'operation' - put "SHOW_CLEAR_CARD_DETAILS", "GET_PIN" or "CHANGE_PIN", depending on the action you want to perform

Below is an example request for showing card details:

POST /cards/{id}:createLut

{
  "source_id": "default_pci_source",
  "operation": "SHOW_CLEAR_CARD_DETAILS"
}

Response sample

{
  "token": "fMQaLj+HpuCnm9hssEd9qlfFHiitpnxfq+yTHZppiSStXcqwkD/PxFKTJgvSPi/Y"
}

2. Encode the LUT token together with the 'card_id' value or proxy number and 'source_id'="default_pci_source" using Base64 encoding.

Note that 'source_id'="default_pci_source" applies only to the sandbox and staging environments. For the production environment, ask the customer success team for the 'source_id'.

Below you can find an example of the data that should be encoded:

{"card_id":"85c8360d-e53d-429c-8124-b1c43de1c9da","lut":"fMQaLj+HpuCnm9hssEd9qlfFHiitpnxfq+yTHZppiSStXcqwkD/PxFKTJgvSPi/Y","source_id":"default_pci_source"}

Note that for testing purposes you can also encode 'api_key' together with the above-mentioned parameters.

3. Take the following URL and append the Base64-encoded token to it. Below you can see an example:

https://showcardwidget.sand.platform.nymcard.com/reveal-card-details/eyJjYXJkX2lkIjoiODVjODM2MGQtZTUzZC00MjljLTgxMjQtYjFjNDNkZTFjOWRhIiwibHV0IjoiNW0yYjFMeFhSM2EwRUN5bmZvZ2ttYUFwTlRjV0JjclcxKzBWT1dkaDZ0ZEI4eFdJWWlabHFGSXM5Z09rVHBlcCIsInNvdXJjZV9pZCI6ImRlZmF1bHRfcGNpX3NvdXJjZSJ9

Note that the path segment of this URL depends on the operation you have chosen:

  • reveal-card-details

  • get-card-pin

  • change-card-pin

4. Open this URL in a web browser or inside the mobile application. For a mobile application, you should also embed the following code:

<iframe id="myframe" class="responsive-iframe" [src]="urlSafe" allowtransparency="true"></iframe>

Where 'urlSafe' is the same URL as in step 3:

"https://showcardwidget.sand.platform.nymcard.com/reveal-card-details/eyJjYXJkX2lkIjoiODVjODM2MGQtZTUzZC00MjljLTgxMjQtYjFjNDNkZTFjOWRhIiwibHV0IjoiNW0yYjFMeFhSM2EwRUN5bmZvZ2ttYUFwTlRjV0JjclcxKzBWT1dkaDZ0ZEI4eFdJWWlabHFGSXM5Z09rVHBlcCIsInNvdXJjZV9pZCI6ImRlZmF1bHRfcGNpX3NvdXJjZSJ9"

5. The PCI widget will load and display information depending on the operation you have chosen:

  • clear card details

  • PIN itself

  • “Change PIN” window

Note that the Get PIN/Change PIN functionality is applicable only to physical cards. Also, the PIN length must match the 'pin_length' parameter, which is set at the card product level.
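
Steps 2 and 3 above, as an added JavaScript (Node.js) example that is not NymCard's own code: it builds the widget URL from a Create LUT response and shows that the Base64 token decodes straight back to the card ID and LUT. The names buildWidgetUrl and decodeWidgetToken and the issuedAt/now parameters are hypothetical, and the mapping from operation to URL path is inferred from the order of the lists above.

```javascript
// Added example (not NymCard code). Host and path segments are copied from the
// page; the operation-to-path mapping is inferred from the order of its lists.
const WIDGET_BASE = "https://showcardwidget.sand.platform.nymcard.com"; // sandbox
const OPERATION_PATHS = new Map([
  ["SHOW_CLEAR_CARD_DETAILS", "reveal-card-details"],
  ["GET_PIN", "get-card-pin"],
  ["CHANGE_PIN", "change-card-pin"],
]);
const LUT_TTL_MS = 5 * 60 * 1000; // the page: a LUT times out after 5 minutes

// issuedAt/now are hypothetical parameters (ms since epoch) used to refuse a
// LUT that has already timed out instead of loading a widget that cannot work.
function buildWidgetUrl({ operation, cardId, lut, sourceId, issuedAt, now = Date.now() }) {
  const path = OPERATION_PATHS.get(operation);
  if (!path) throw new Error(`unsupported operation: ${operation}`);
  for (const [name, value] of Object.entries({ cardId, lut, sourceId })) {
    if (typeof value !== "string" || value === "") throw new Error(`missing ${name}`);
  }
  // A missing issuedAt yields NaN, which also fails this comparison.
  if (!(now - issuedAt < LUT_TTL_MS)) throw new Error("LUT expired; create a new one");

  // Key order and compact form match the page's sample payload.
  const payload = JSON.stringify({ card_id: cardId, lut, source_id: sourceId });
  // Standard Base64, as in the page's sample URL; the page names no URL-safe variant.
  const token = Buffer.from(payload, "utf8").toString("base64");
  return `${WIDGET_BASE}/${path}/${token}`;
}

// Base64 is an encoding, not encryption: anyone who sees the URL (logs,
// browser history, Referer header) can recover card_id and the LUT.
function decodeWidgetToken(widgetUrl) {
  const token = new URL(widgetUrl).pathname.split("/").slice(2).join("/");
  return JSON.parse(Buffer.from(token, "base64").toString("utf8"));
}
```

Because the token is only encoded, keep widget URLs out of application logs and analytics; the one-time, 5-minute LUT is what limits their value.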

For any additional information, please contact NymCard representatives at customer_success@nymcard.com.
