The CardGuard service secures credit and debit card transactions for eCommerce environments by encrypting card data in compliance with industry standards like PCI-DSS. It minimizes the risk of data breaches and empowers businesses to confidently process transactions while maintaining customer trust.

Authentication

You need a valid encryption key to authenticate your API requests.

Email the CardGuard team at [email protected] to request a key. Support delivers your encryption key through LastPass. If you prefer a different delivery method, our support team can work with you to accommodate a secure alternative.

<aside>

Rotate keys every 90 days or upon suspected compromise. Implement a rolling key rotation schedule to prevent service disruption.

You can rotate your encryption key using the /rotate-key endpoint.

LastPass maintains an inventory of all keys, documenting their generation, rotation, expiration, and revocation dates.

</aside>
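
A rotation audit over a key inventory like the one described above, as an added example that is not CardGuard or LastPass code: it flags keys past the 90-day limit, the key whose successor is due, and periods when no key was usable. The record format, the 14-day lead window and the sample dates are assumptions.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=90)  # rotation interval from the note above
LEAD = timedelta(days=14)     # assumption: issue the successor this long before expiry

# Constructed inventory records (hypothetical format, no real key material).
INVENTORY = [
    {"id": "key-a", "generated": date(2024, 1, 1), "revoked": date(2024, 3, 20)},
    {"id": "key-b", "generated": date(2024, 3, 10), "revoked": None},
    {"id": "key-c", "generated": date(2024, 6, 20), "revoked": None},
]

def usable_until(key):
    """Day the key stops being usable: generation + 90 days, or revocation if earlier."""
    expiry = key["generated"] + MAX_AGE
    return min(expiry, key["revoked"]) if key["revoked"] else expiry

def audit(inventory, today):
    """Classify keys as of `today` and find periods with no usable key."""
    keys = sorted(inventory, key=lambda k: k["generated"])
    live = [k for k in keys if k["generated"] <= today
            and (k["revoked"] is None or k["revoked"] > today)]
    # Still live at or past the 90-day limit: should have been rotated out.
    overdue = [k["id"] for k in live if today >= k["generated"] + MAX_AGE]
    # Rolling schedule: only the newest live key needs a successor issued early.
    due_soon = []
    newest = live[-1] if live else None
    if newest and newest["id"] not in overdue and usable_until(newest) - today <= LEAD:
        due_soon = [newest["id"]]
    # Coverage gaps: a key generated after every earlier key had already lapsed.
    gaps, covered_until = [], None
    for k in keys:
        if covered_until is not None and k["generated"] > covered_until:
            gaps.append((covered_until, k["generated"]))
        end = usable_until(k)
        covered_until = end if covered_until is None else max(covered_until, end)
    return {"overdue": overdue, "due_soon": due_soon, "gaps": gaps}

if __name__ == "__main__":
    print(audit(INVENTORY, date(2024, 7, 1)))
```

A non-empty `gaps` list means the rotation was not rolling: the old key lapsed before its replacement existed, which is the service disruption the note warns about.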

Workflow

Developers can implement card encryption into their applications following this workflow:

  1. **Validate encryption key.** Before interacting with the CardGuard API, verify that your encryption key is valid and not expired. This API checks your key and returns a session token for valid keys.
  2. **Encrypt card data.** After validating the encryption key, you can encrypt the card data. This call takes the sensitive information and returns the encrypted version used for processing.
  3. **Log encryption activity.** For each action, log the activity for auditing and compliance purposes. This call creates a record of who performed the encryption and when it occurred.
  4. **Send data to payment processor.** Interact with the payment processor using your encrypted data.

<aside>

Payment processors need a decryption key.

</aside>

  5. **Decrypt card data (optional).** Only decrypt data when it’s compliant and necessary.
  6. **Retrieve encryption logs (optional).** Retrieve logs for auditing or monitoring purposes.

APIs

The CardGuard service uses REST. Our API has predictable resource-oriented URLs, accepts JSON-encoded request bodies, and returns JSON-encoded responses.

Always include the Content-Type header in your API requests, using Content-Type: application/json. Include session_token in the header for all authenticated calls.

Encryption Keys

Use a valid encryption key to interact with the CardGuard service and rotate keys as needed.

POST /api/v1/validate-key validates encryption key