# JPMC-PDP Documentation from https://developer.payments.jpmorgan.com # Encryption Page encryption is an effective method of reducing Payment Card Industry (PCI) scope by protecting sensitive information, which can then safely pass through your application and in payment authorization requests. For security reasons, do not store encrypted data. Only use encrypted data to process transactions in real time. Authorization responses containing transaction reference IDs or tokens may be stored on your application for future transactions or servicing. ## How page encryption works To secure cardholder payment data entered by a registered or guest shopper, page encryption secures the sensitive data within the browser session. The HTML code of your payment page must include the following JavaScript (JS) files: - getkey.js — Retrieves a one-time dynamic key that is used for encryption. - Test environment URL: https://safetechpageencryptionvar.chasepaymentech.com/pie/v1/YYYYYYYYYYYY/getkey.js - Production environment URL: https://safetechpageencryption.chasepaymentech.com/pie/v1/YYYYYYYYYYYY/getkey.js - encryption.js — Uses the key to encrypt card information as it is entered. - Test environment URL: https://safetechpageencryptionvar.chasepaymentech.com/pie/v1/encryption.js - Production environment URL: https://safetechpageencryption.chasepaymentech.com/pie/v1/encryption.js You must replace `YYYYYYYYYYYY` with the ID you recieve from your J.P. Morgan implementation manager. > The test and production URLs are similar. Confirm the correct URL is in place, especially when testing or switching environments. > ## Implement page encryption Complete the following steps to implement the page encryption service: **Step 1**: Add **getkey.js** to the HTML code of the payment page. Your ID is provided by an implementation manager after page encryption is enabled for your account. This value must be used in the encryption/decryption request. **Step 2**: Add **encryption.js** to the HTML code of the payment page. This action encrypts the account number and card verification value (CVV). The embedded JS provides the following two features: - ValidatePANChecksum — Performs a MOD 10 checksum on the account number entered. Major card types include a checksum as the last digit to ensure correct entry of the account number. The function returns true if the checksum is valid. It is good practice to validate the checksum to avoid unnecessary API calls. - ProtectPANandCVV — Performs the encryption on the specified account number value and card security value. Submit three parameters: credit card, CVV (optional), and embed flag. Note: Set the boolean parameter embed to false. This routine returns an array of three values. NULL is returned if an error occurs during encryption. ```javascript var result = ProtectPANandCVV(ccno, cvv, false); if(result != null) { document.getElementById("cryptCard").value = result[0]; document.getElementById("cryptCvv").value = result[1]; if (result.length > 2) { document.getElementById("integrityCheckVal").value = result[2]; } else { alert("Error: ProtectPANandCVV call returned null. You may have entered an invalid card number."); } } ``` The following sample HTML contains **getkey.js** and **encryption.js**: ``` PIE Encryption | Payments

Page Encryption Example

PCI Information

Encrypted card details... (Hidden from END User)

``` **Step 3**: Send a transaction with encrypted card data by mapping the following encrypted variables to your transaction request: **Encrypted variables for a Payments API request** | Result | Description | Payments API | | --- | --- | --- | | 0 | Encrypted card number | paymentMethodType.card.accountNumber | | 1 | Encrypted CVV | paymentMethodType.card.cvv | | 2 | Integrity check value | paymentMethodType.card.encryptionIntegrityCheck | For encrypted card data within the payment request payload, refer to the following example: **HTTP Method:** `POST` **Endpoint:** `/payments` ```json { "paymentMethodType": { "card": { "accountNumberType": "SAFETECH_PAGE_ENCRYPTION", "accountNumber": "401200jpLWkYXHd1112", "expiry": { "month": 5, "year": 2025 }, "cvv": "5D4C3B", "encryptionIntegrityCheck": "ABCDFKEJGJTHFHG" } } } ``` Here is an example of card data in the payment response: ```json { "paymentMethodType": { "card": { "maskedAccountNumber": "401200XXXXXX1112", "paymentTokens": [ { "tokenProvider": "SAFETECH", "tokenNumber": "4012000803101112", "responseStatus": "SUCCESS" } ] } } } ``` ## Format preserving encryption (FPE) FPE allows you to encrypt your account number while maintaining the same length as the non-encrypted account number. A few things to keep in mind: - The account number must be entirely numeric. - This is only supported for Orbital clients who are transitioning to Commerce platform encryption. The following table shows the required fields for FPE: **Required fields for FPE** | Field name in Payments API | Description | | --- | --- | | pieSubscriberId | A unique identifier used by services that provide Safetech Page Encryption to identify the merchant performing the transaction. | | pieKeyId | Identifier for the key that corresponds to the encryption key used for Safetech page encryption. | | piePhaseId | Identifier to denote the stage or point of the encryption process used for Safetech page encryption. | The following is a sample payment request payload using FPE: **HTTP Method:** `POST` **Endpoint:** `/payments` ```json {... "paymentMethodType": { "card": { "accountNumberType": "SAFETECH_PAGE_ENCRYPTION", "accountNumber": "4319026596739876", "expiry": { "month": 5, "year": 2025 }, "cvv": "5D4C38", "encryptionIntegrityCheck": "ABCDFKEJGJTHFGH", "pieSubscriberId": "750000000040", "pieKeyId": "6752b34a", "piePhaseId": "1" } } } } ``` ### Embedded format preserving encryption (eFPE) eFPE allows you to encrypt your account number as a 19 byte alphanumeric, due to the `pieKeyId` and `piePhaseId` being embedded within it. ## Related [Safetech tokenization](/docs/commerce/online-payments/capabilities/online-payments/payment-enhancements/tokenization#safetech-tokenization)