Transaction Processing

Paze Transaction Data is an encrypted, signed payload. Once decrypted, this JWE object contains a 16-digit network token along with the matching cryptogram. The other data returned to the Merchant is intended largely for non-payment purposes (e.g., order management, customer service).

In most cases, maintaining the keys for the JWE and decrypting the JWE payload is performed by a Payment Service Provider (PSP) acting on behalf of a Merchant. A Merchant may maintain the keys and decrypt the JWE directly, but using a PSP allows the Merchant to delegate payment card industry (PCI) compliance to the PSP entirely. If a Merchant uses a third party, such as a Distributor or Technical Integrator, this process may also vary.

Payload Signature and Encryption

Paze supports signed and encrypted payloads between the Merchant and the Paze platform. Payload signing and encryption use JWS (RFC 7515) and JWE (RFC 7516), transmitted in Compact Serialization.

Paze supports the following algorithms:

  • Key Encryption Algorithm: RSA-OAEP-256
  • Encryption Algorithm: A256GCM
  • Signature Algorithm: RS256

Paze will evaluate and add support for newer algorithms as they become available.

Web Signature Summary

A JWS represents signed content using JSON data structures and Base64Url encoding. It consists of:

  • JOSE Header – Protected Header
  • JWS Payload
  • JWS Signature

Each component is Base64Url encoded and concatenated with periods (.). For example:

BASE64URL(UTF8(JOSE Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)
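As an added example (not code from Paze or from this document), the Go program below, using only the standard library, builds and validates a compact-serialization JWS exactly in the form shown above, with the RS256 algorithm Paze lists. The point on the verifying side is that the JOSE Header is untrusted input: the verifier pins alg to RS256 and checks it before the public key is used, so a token whose header has been rewritten to claim another algorithm is rejected. The key, the sample claim and the function names are the example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // Base64Url without padding, as JOSE requires

// newKey makes a throwaway 2048-bit RSA key pair standing in for Paze's signing key.
func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// jwsSign builds BASE64URL(header) || '.' || BASE64URL(payload) || '.' || BASE64URL(signature).
// With RS256 the signature is RSASSA-PKCS1-v1_5 over the SHA-256 digest of the first two
// segments, computed on their encoded form.
func jwsSign(payload []byte, key *rsa.PrivateKey) (string, error) {
	signingInput := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// jwsVerify validates the JOSE Header and the signature against the signer's public key and
// returns the decoded payload. The header is untrusted input, so alg is pinned to RS256 and
// checked before the key is used: a token announcing "none" or any other algorithm is rejected.
func jwsVerify(token string, pub *rsa.PublicKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jws: want 3 segments, got %d", len(parts))
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: header: %w", err)
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, fmt.Errorf("jws: header: %w", err)
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("jws: alg %q is not allowed", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("jws: signature: %w", err)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("jws: signature check failed: %w", err)
	}
	return b64.DecodeString(parts[1])
}

// withHeader returns the same token with its header segment replaced and the signature left
// untouched; it is the negative test case for the verifier, which must reject the result.
func withHeader(token, headerJSON string) string {
	parts := strings.Split(token, ".")
	parts[0] = b64.EncodeToString([]byte(headerJSON))
	return strings.Join(parts, ".")
}

func main() {
	key := newKey()
	token, _ := jwsSign([]byte(`{"claim":"constructed sample"}`), key)
	payload, err := jwsVerify(token, &key.PublicKey)
	fmt.Println(string(payload), err)
	_, err = jwsVerify(withHeader(token, `{"alg":"none"}`), &key.PublicKey)
	fmt.Println("header changed to alg none:", err)
}
```

The verifier hashes the encoded segments as received (parts[0] + "." + parts[1]) rather than re-encoding decoded data, so the bytes that are checked are exactly the bytes that were signed.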

Signature Validation and Decryption Steps

A Merchant receives the securedPayload encrypted and signed, as indicated by the content-type “application/jwt” or “application/jose” (format: JWS(JWE<JWS<Payload>>)). The Merchant (or PSP) decrypts and validates the payload as follows:

  1. The Merchant, Distributor, or Technical Integrator validates the outer signature (using the Paze signing public key) and the JOSE Header; if valid, decodes the CLAIM and extracts securePayload.
  2. If valid, decrypts securePayload using their own private key.
  3. The Merchant, Distributor, or Technical Integrator extracts the payload from the CLAIM.
  4. The Merchant, Distributor, or Technical Integrator validates the signature (using the Paze signing public key) and the JOSE Header; if valid, decodes the payload.
  5. The Merchant, Distributor, or Technical Integrator sends the payment instrument and mapping data for payment processing.
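Steps 2 and 3 are the JWE part of this procedure. The Go program below, added here as an example (it is not Paze's code), produces and then opens a compact-serialization JWE with exactly the RSA-OAEP-256 / A256GCM pair listed under Payload Signature and Encryption: the encrypting side stands in for the Paze platform and the decrypting side for the Merchant or PSP holding the private key. Steps 1 and 4, the outer and inner RS256 signature checks, are the JWS validation described in the Web Signature Summary and are not repeated here. The key pair, the placeholder payload and the function names are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // Base64Url without padding, as JOSE requires

// newKey makes a throwaway 2048-bit RSA key pair standing in for the onboarded merchant key.
func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// jweEncrypt is the sending side (a stand-in for the Paze platform): a fresh 256-bit content
// encryption key (CEK) is wrapped with RSA-OAEP/SHA-256 to the merchant's public key, and
// AES-256-GCM encrypts the plaintext under a 12-byte IV with the encoded header as AAD.
func jweEncrypt(plaintext []byte, merchantPub *rsa.PublicKey) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"RSA-OAEP-256","enc":"A256GCM"}`)) // the pair Paze lists
	buf := make([]byte, 32+12) // CEK followed by IV, both from the CSPRNG
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	cek, iv := buf[:32], buf[32:]
	wrappedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, merchantPub, cek, nil)
	if err != nil {
		return "", err
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block) // neither call fails for a 32-byte key
	sealed := gcm.Seal(nil, iv, plaintext, []byte(header)) // ciphertext followed by the 16-byte tag
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{header, b64.EncodeToString(wrappedKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// jweDecrypt is the merchant/PSP side (steps 2 and 3): it pins alg and enc to the only pair
// Paze supports, unwraps the CEK with the merchant's private key and opens the ciphertext.
// Any mismatch in header, key, IV, ciphertext or tag fails closed with an error, never plaintext.
func jweDecrypt(token string, merchantPriv *rsa.PrivateKey) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("jwe: want 5 segments, got %d", len(parts))
	}
	seg := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if seg[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("jwe: segment %d: %w", i, err)
		}
	}
	var header struct{ Alg, Enc string } // encoding/json matches "alg"/"enc" case-insensitively
	if err := json.Unmarshal(seg[0], &header); err != nil {
		return nil, fmt.Errorf("jwe: header: %w", err)
	}
	if header.Alg != "RSA-OAEP-256" || header.Enc != "A256GCM" {
		return nil, fmt.Errorf("jwe: alg=%q enc=%q not allowed", header.Alg, header.Enc)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, merchantPriv, seg[1], nil)
	if err != nil {
		return nil, fmt.Errorf("jwe: key unwrap failed: %w", err)
	}
	block, err := aes.NewCipher(cek) // also rejects an unwrapped CEK of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	if len(seg[2]) != gcm.NonceSize() {
		return nil, fmt.Errorf("jwe: iv must be %d bytes", gcm.NonceSize())
	}
	// The AAD is the header exactly as received, so any edit to it breaks the tag check.
	plaintext, err := gcm.Open(nil, seg[2], append(seg[3], seg[4]...), []byte(parts[0]))
	if err != nil {
		return nil, fmt.Errorf("jwe: authentication failed: %w", err)
	}
	return plaintext, nil
}

func main() {
	merchant := newKey()
	// Constructed sample of what the inner payload carries; placeholder values, not card data.
	inner := []byte(`{"token":"NETWORK-TOKEN-PLACEHOLDER","cryptogram":"CRYPTOGRAM-PLACEHOLDER"}`)
	jwe, _ := jweEncrypt(inner, &merchant.PublicKey)
	got, err := jweDecrypt(jwe, merchant)
	fmt.Println(string(got), err)
}
```

The IV length check matters in practice: Go's GCM implementation panics rather than returning an error when handed a nonce of the wrong size, so a malformed token must be caught before Open is called.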

Key and Certificate Exchange

As part of onboarding, the Merchant provides a self-signed RSA certificate (2048-bit key, SHA-256 signature) and shares its public key in PEM format through one of the options listed below. This certificate will be used to validate the signature and decrypt the encrypted payload returned by the:

  • Merchant JavaScript Software Development Kit (SDK)
  • Paze Mobile API Technical Requirements, and the
  • Merchant B2B API

Hint: OpenSSL can be leveraged to create a self-signed certificate.
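With OpenSSL this is a single command, for instance openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes -keyout merchant.key -out merchant.crt -subj "/CN=merchant.example". As an added example that is not part of this document, the Go program below produces the same artefact with the standard library (a 2048-bit RSA key and a self-signed certificate with a SHA-256/RSA signature, both PEM-encoded) and then re-reads the certificate to confirm those parameters before the file is shared. The subject name and validity period are placeholders.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// merchantCert generates a 2048-bit RSA key pair and a self-signed certificate over it whose
// signature is SHA-256 with RSA, returning both PEM-encoded. The subject and validity period
// are placeholders supplied by the caller.
func merchantCert(commonName string, validFor time.Duration) (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       serial,
		Subject:            pkix.Name{CommonName: commonName},
		NotBefore:          time.Now().Add(-time.Minute),
		NotAfter:           time.Now().Add(validFor),
		SignatureAlgorithm: x509.SHA256WithRSA,
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	// parent == template and the signer is the certificate's own key: self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

// checkCert re-reads a PEM certificate and confirms what the onboarding text asks for: an RSA
// 2048-bit key, a SHA-256/RSA signature, and a signature that verifies under the certificate's
// own key (self-signed). Run it on the file before sharing it.
func checkCert(certPEM []byte) error {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() != 2048 {
		return fmt.Errorf("want an RSA 2048-bit public key")
	}
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("want a SHA256-RSA signature, got %v", cert.SignatureAlgorithm)
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
}

func main() {
	certPEM, _, err := merchantCert("merchant.example", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Print(string(certPEM))
	fmt.Println("check:", checkCert(certPEM))
}
```

Only the CERTIFICATE block is what gets shared through the options below; the private key stays with the Merchant (or its PSP), since it is what decrypts the payload.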

Share the signed certificate public key via one of the options:

  • Option 1: Share the public key file (.pem format) via secure email to your Paze Implementation Manager.
  • Option 2: Share a well-known URL that serves the key.
  • Option 3: Share it within the Merchant Setup Form.
  • Option 4: Select an existing key from your Distributor or Technical Integrator.