Enabling Message-Level Encryption

This feature is in the pilot phase. To use Message-Level Encryption, please contact your sales representative.
Message-Level Encryption (MLE) enables you to store information or communicate with other parties while helping to prevent uninvolved parties from understanding the stored information. MLE is optional and supported only for payments services.
MLE provides enhanced security for message payload by using an asymmetric encryption technique (public-key cryptography). The message encryption is implemented with symmetric encryption using Advanced Encryption Standard (AES), Galois Counter Mode (GCM) with 256-bit key size. The encryption of keys is supported using RSA Optimal Asymmetric Encryption Padding (OAEP) with 2048-bit key size. The encryption service is based on JSON Web Encryption (JWE), works on top of SSL and requires separate key-pairs for request and response legs of the transaction.
MLE is required for APIs that primarily deal with sensitive transaction data, both financial and non-financial. These are the types of sensitive transaction data:
  • Personal identification information (PII)
  • Personal account number (PAN)
  • Personal account information (PAI)
Each of these authentication schemes uses an encrypted payload, called the
. A JWE token has these five components, with each component separated by a period (.):
  • JOSE header containing four elements:
    "alg": "RSA-OAEP-256", //The algorithm used to encrypt the CEK "enc": "A256GCM", //The algorithm used to encrypt the message "iat": "1702493653" //The current timestamp in milliseconds "kid": "keyId" //The serial number of shared public cert for encryption of CEK
  • JWE encrypted key
  • JWE initialization vector
  • JWE additional authentication data (AAD)
  • JWE ciphertext and authentication tag