Transaction Processing

PazeSM Transaction Data is delivered as an encrypted, signed payload. When decrypted, this JWE object contains a 16-digit network token and the appropriate cryptogram. Other data returned to the Merchant is intended for order management and customer service.

Typically, the decryption of the JWE payload and key management is performed by a Payment Service Provider (PSP) acting on behalf of a Merchant. A Merchant may handle decryption directly, but using a PSP allows them to fully delegate PCI compliance.

Payload Signature and Encryption

Paze supports signed and encrypted payloads between the Merchant and the Paze platform. Encryption is provided by JWE (RFC 7516) and signing by JWS, both in compact serialization. The supported algorithms are:

  • Key Encryption Algorithm: RSA-OAEP-256
  • Encryption Algorithm: A256GCM
  • Signature Algorithm: RS256

Paze will evaluate and add support for newer algorithms as they become available.

Web Signature Summary

A JWS represents signed content using JSON data structures and Base64Url encoding. It consists of:

  • JOSE Header – Protected Header
  • JWS Payload
  • JWS Signature

Each component is Base64Url encoded and concatenated with periods (.). For example:

BASE64URL(UTF8(JOSE Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)

Figure 9. Web Signature Example


Signature Validation and Decryption Steps

Once a Merchant receives the securedPayload (with a content-type of “application/jwt” or “application/jose” in the format: JWS(JWE<JWS<Payload>>)), the Merchant (or PSP) will:

  1. Validate the signature (using the PazeSM signed public key) and decode the JOSE Header. If valid, decode the claim and extract the securedPayload.
  2. Decrypt the securedPayload using their private key.
  3. Extract the payload from the claim.
  4. Validate the signature (using the PazeSM signed public key) on the payload and decode it.
  5. Send the payment instrument and mapping data for payment processing.
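The unwrap sequence above, together with the compact serialization described under Web Signature Summary, as an added example written for this page in Go using only the standard library; it is not Paze's, a PSP's or any SDK's code. It implements the three algorithms the page lists (RS256 for JWS, RSA-OAEP-256 and A256GCM for JWE) directly from RFC 7515/7516, and the Merchant side follows steps 1 to 4 in order: outer JWS under the Paze public key, JWE under the Merchant private key, inner JWS under the Paze key again. The function names, the two in-memory key pairs and the `{"token": ...}` sample payload are assumptions; the sending side is included only so the example round-trips offline.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Protected headers for the algorithms the page lists. Verifiers compare the encoded header
// byte-for-byte, which pins the algorithm: a token claiming alg "none" or HS256 is rejected.
var (
	b64    = base64.RawURLEncoding // unpadded Base64Url, as JWS/JWE compact serialization requires
	jwsHdr = b64.EncodeToString([]byte(`{"alg":"RS256"}`))
	jweHdr = b64.EncodeToString([]byte(`{"alg":"RSA-OAEP-256","enc":"A256GCM"}`))
)

// jwsSign builds BASE64URL(header) '.' BASE64URL(payload) '.' BASE64URL(signature) with RS256.
func jwsSign(priv *rsa.PrivateKey, payload []byte) (string, error) {
	signingInput := jwsHdr + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// jwsVerify checks the RS256 signature under the signer's public key and returns the payload.
func jwsVerify(pub *rsa.PublicKey, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != jwsHdr { return nil, fmt.Errorf("jws: malformed token or alg is not RS256") }
	sig, err := b64.DecodeString(p[2])
	if err != nil { return nil, err }
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil { return nil, fmt.Errorf("jws: %w", err) }
	return b64.DecodeString(p[1])
}

func newGCM(cek []byte) (cipher.AEAD, error) { // A256GCM AEAD over a 32-byte content key
	block, err := aes.NewCipher(cek)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// jweEncrypt: RSA-OAEP-256 wraps a fresh CEK, A256GCM encrypts; output is header.encKey.iv.ciphertext.tag.
func jweEncrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	cek, iv := make([]byte, 32), make([]byte, 12) // fresh key and nonce for every message
	if _, err := rand.Read(cek); err != nil { return "", err }
	if _, err := rand.Read(iv); err != nil { return "", err }
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return "", err }
	gcm, err := newGCM(cek)
	if err != nil { return "", err }
	sealed := gcm.Seal(nil, iv, plaintext, []byte(jweHdr)) // AAD is the encoded header; tag appended
	n := len(sealed) - gcm.Overhead()
	return strings.Join([]string{jweHdr, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// jweDecrypt is the Merchant/PSP side: unwrap the CEK with the private key, then open the content.
func jweDecrypt(priv *rsa.PrivateKey, token string) ([]byte, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 || p[0] != jweHdr { return nil, fmt.Errorf("jwe: malformed token or alg/enc not RSA-OAEP-256/A256GCM") }
	raw := make([][]byte, 5) // header, encrypted key, iv, ciphertext, tag
	for i := range p {
		var err error
		if raw[i], err = b64.DecodeString(p[i]); err != nil { return nil, err }
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil { return nil, fmt.Errorf("jwe: %w", err) }
	gcm, err := newGCM(cek)
	if err != nil { return nil, err }
	if len(raw[2]) != gcm.NonceSize() { return nil, fmt.Errorf("jwe: iv must be %d bytes", gcm.NonceSize()) }
	// Open authenticates tag, ciphertext and header together before returning any plaintext.
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(p[0]))
}

// unwrapSecuredPayload follows steps 1-4: outer JWS (Paze key), JWE (Merchant key), inner JWS (Paze key).
func unwrapSecuredPayload(merchantPriv *rsa.PrivateKey, pazePub *rsa.PublicKey, secured string) ([]byte, error) {
	jwe, err := jwsVerify(pazePub, secured)
	if err != nil { return nil, err }
	inner, err := jweDecrypt(merchantPriv, string(jwe))
	if err != nil { return nil, err }
	return jwsVerify(pazePub, string(inner))
}

// wrapSecuredPayload is the sending side, included only so the example round-trips offline.
func wrapSecuredPayload(pazePriv *rsa.PrivateKey, merchantPub *rsa.PublicKey, payload []byte) (string, error) {
	inner, err := jwsSign(pazePriv, payload)
	if err != nil { return "", err }
	jwe, err := jweEncrypt(merchantPub, []byte(inner))
	if err != nil { return "", err }
	return jwsSign(pazePriv, []byte(jwe))
}

func main() {
	pazeKey, _ := rsa.GenerateKey(rand.Reader, 2048)     // stands in for the Paze signing key (assumption)
	merchantKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the Merchant's onboarding key pair
	secured, err := wrapSecuredPayload(pazeKey, &merchantKey.PublicKey, []byte(`{"token":"4111111111111111"}`)) // constructed sample
	if err != nil { panic(err) }
	got, err := unwrapSecuredPayload(merchantKey, &pazeKey.PublicKey, secured)
	fmt.Printf("payload=%s err=%v\n", got, err)
}
```

Two details matter in practice: the verifier pins the algorithm before any key is used, so a forged header cannot downgrade to alg `none`, and the JWE path checks the IV length before calling GCM, since Go's `Open` panics on a wrong-sized nonce rather than returning an error.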

Key and Certificate Exchange

As part of onboarding, the Merchant will provide a self-signed RSA Certificate (2048 bits, SHA256) and share its public key in PEM format. This certificate is used to validate signatures and decrypt the encrypted payload from the Merchant JavaScript SDK and Merchant B2B API.

Hint: You can use OpenSSL to create a self-signed certificate. Share the public key via one of the following:

  • Option 1: Share the public key (.pem) file via secure email to [email protected]
  • Option 2: Share the well-known URL containing the key.
  • Option 3: Include the public key within the Merchant Setup Form.
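The hint above points at OpenSSL. As an added example (not Paze's code or its onboarding tooling), the same artefacts produced with Go's standard library: a self-signed certificate over a 2048-bit RSA key signed with SHA-256, the PEM public key to share, and an acceptance check a practitioner can run over both files before sending them. The key size is a parameter only so the check can be exercised against a non-compliant certificate; the function names and the `merchant.example` common name are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newMerchantCert generates an RSA key of the requested size and a self-signed, SHA-256 signed
// certificate, returning the certificate PEM and the PEM public key to share with Paze.
func newMerchantCert(commonName string, bits int) (certPEM, pubPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: commonName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(2, 0, 0),
		SignatureAlgorithm:    x509.SHA256WithRSA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // parent == template: self-signed
	if err != nil {
		return nil, nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: pubDER})
	return certPEM, pubPEM, nil
}

// checkMerchantCert applies the onboarding requirements as acceptance checks: a PEM CERTIFICATE,
// an RSA key of exactly 2048 bits, a SHA-256 signature, self-signed (the signature verifies under the
// certificate's own key), and a shared PUBLIC KEY file that matches the key in the certificate.
func checkMerchantCert(certPEM, pubPEM []byte) error {
	cb, _ := pem.Decode(certPEM)
	if cb == nil || cb.Type != "CERTIFICATE" {
		return errors.New("certificate is not a PEM CERTIFICATE block")
	}
	cert, err := x509.ParseCertificate(cb.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("certificate key is not RSA")
	}
	if n := pub.N.BitLen(); n != 2048 {
		return fmt.Errorf("RSA modulus is %d bits, want 2048", n)
	}
	if cert.SignatureAlgorithm != x509.SHA256WithRSA {
		return fmt.Errorf("signature algorithm is %v, want SHA256-RSA", cert.SignatureAlgorithm)
	}
	if err := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature); err != nil {
		return fmt.Errorf("not self-signed: %w", err)
	}
	pb, _ := pem.Decode(pubPEM)
	if pb == nil || pb.Type != "PUBLIC KEY" {
		return errors.New("shared key is not a PEM PUBLIC KEY block")
	}
	shared, err := x509.ParsePKIXPublicKey(pb.Bytes)
	if err != nil {
		return err
	}
	if !pub.Equal(shared) {
		return errors.New("shared public key does not match the certificate")
	}
	return nil
}

func main() {
	certPEM, pubPEM, err := newMerchantCert("merchant.example", 2048) // constructed name
	if err != nil {
		panic(err)
	}
	fmt.Print(string(pubPEM)) // this is the file to share via one of the three options
	fmt.Println("onboarding check:", checkMerchantCert(certPEM, pubPEM))
}
```

The check deliberately verifies the shared public-key file against the certificate rather than trusting the file name, since a mismatched key is the usual cause of a Merchant being unable to decrypt its first payload.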