Follow this procedure to securely retrieve a PIN and present it to a cardholder as a CAPTCHA image. The actual value of the PIN is not exposed to you—only to the cardholder. For compliance reasons, you must not cache the image in any way on the device or browser, nor can you use a proxy server to retrieve the image for the device or browser.
The CAPTCHA image will resemble this example:
Using the PRSPRS - PIN Retrieval Service. A method by which cardholders can retrieve an image of their PIN while bypassing provider systems. consists of these steps:
- Galileo sets the PRSEN parameter for the product or program.
- Galileo configures a provider name for the
configparameter and gives it to you.
- You call the Get Access Token endpoint to retrieve a token for the card.
- With the token, the browser or mobile app makes an HTTP call to retrieve the CAPTCHA image of the PIN.
- The CAPTCHA image is presented to the cardholder.
These parameters are required for the Get Access Token call:
accountNo— Galileo recommends using the CAD (
card_id) or PANPAN - Primary account number. The 16-digit number that is printed on a card, beginning with the BIN. This number is not the same as the account identifier, which is the PRN, or the card identifier, which is the CAD., but the PRNPRN - Payment reference number (pmt_ref_no). The 12-digit Galileo-generated account identifier, which exists independently of the PAN or other identifiers. is valid as long as only one card has ever been associated with the account.
0to retrieve a card-related token.
The response will contain these fields:
token— A case-sensitive alphanumeric string, for example,
expires— The date/time the token expires, formatted as
The token has two properties: the expiration (default: 300 seconds) and the maximum times an access token can be used (default: 3). You can change the defaults in your product parameters, as shown in Galileo setup.
With the token, assemble an HTTP request to retrieve the CAPTCHA, as shown in the example. The URL is an AWS instance that Galileo sets up for each client. Request an AWS URL from Galileo if you do not already have one. These examples are for the CVCV - Client Validation. A test environment where you can test your implementation before moving it to Production. environment. For ProductionProduction - The live Galileo environment where real transactions are performed. change the
cv in the URL to
- token — The
tokenyou retrieved with the Get Access Token call
- config — Your provider name, as configured by Galileo
- clientname — Your Galileo system name
The asset application retrieves the CAPTCHA image in response to the HTTP call. If the image is not found, a standard HTTP 404 response is returned. For all other errors, such as an expired token, an HTTP 401 response is returned.
Embed the URL within a web or mobile app as an HTML image reference, offer the URL as a direct customer-exposed link, or use it in other appropriate contexts. The URL is an AWS instance that Galileo sets up for each client. Request an AWS URL from Galileo if you do not already have one. This example is for the CV environment. For Production change the
cv in the URL to
<image src="https://gds-[clientname].cv.gpsrv.com/asset/pin?token=[token]&config=[config]" alt="PIN Image" width="160" height="80" />
The width and height parameters are currently fixed at 160 and 80 pixels.
These internal parameters are set at Galileo, according to your use case.
|PRSEN||Program or product||Set to |
|TSECV||Program or product||Maximum seconds of access-token validity (default: 300).|
|TUSEC||Program or product||Maximum times an access token can be used (default: 3).|
Updated about 2 months ago