The /credit_card API calls
The "credit card" object represents a user's credit card and can be used to tokenize credit cards. The following calls let you create, view, and modify "credit card" objects on WePay:
Older version?
You can view the older version 2014-01-08 here.
PCI Compliance
While WePay CC Tokenization API greatly reduces the scope of PCI Compliance and increases your security, you're still required to be compliant with the Payment Card Industry Data Security Standards (PCI-DSS) and the Payment Application Data Security Standards (PA-DSS) whenever applicable.
If you want to minimize the scope of your PCI compliance, we recommend that you use our iframe checkout. See the charge a customer tutorial.
Use of the CC Tokenization feature will require special approval from WePay. Please apply for approval on your application's dashboard.
Credit Card States
The "credit card" object has the following states and possible state transitions:
- new
- The credit card was just created by the application.
- authorized
- The credit card was authorized either with an immediate charge or the /credit_card/authorize call. You can use the credit_card_id to charge this card in the future.
- expired
- The credit card was created but you did not charge the card or call /credit_card/authorize within 30 minutes.
- deleted
- The credit card was deleted or there was a failed credit card authorization attempt.
- invalid
- You tried to charge the card but the response we received indicated that the card is completely invalid and can never be charged (ex, billing address check (AVS) failure).
/credit_card
This call allows you to lookup the details of the a credit card that you have tokenized.
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your application's dashboard. |
| client_secret | Yes | String (255 chars) | The secret for your API application. You can find it on your application's dashboard. |
| credit_card_id | Yes | Integer (64 bits) | The unique ID of the credit_card you want to look up. |
Example:
{
"client_id":12345,
"client_secret":"asbasf2341",
"credit_card_id":235810395803
}
Response:
| Response | Type | Description |
| credit_card_id | Integer (64 bits) | The unique ID of the credit_card. |
| credit_card_name | String (255 chars) | The string that identifies the credit_card such as MasterCard xxxxxx4769. |
| state | String (255 chars) | The state that the credit card is in. |
| user_name | String (255 chars) | The name on the card (ie "Bob Smith"). |
| String (255 chars) | The email address of the user who owns the card. | |
| create_time | Integer (64 bits) | The unixtime when the credit_card was created. |
| input_source | String (255 chars) | The input source of the credit card. Possible values are card_keyed, card_swiped, google_wallet and card_transfer. |
| virtual_terminal_mode | String (255 chars) | The virtual terminal mode of the credit card. Possible values are mobile, web and none. |
| reference_id | String (255 chars) | The unique reference ID of the credit_card. |
| expiration_month | Integer (32 bits) | The expiration month on the credit card. |
| expiration_year | Integer (32 bits) | The expiration year on the credit card. |
| last_four | String (4 chars) | The last four digits of the credit card number. |
Example:
{
"credit_card_id":235810395803,
"credit_card_name":"MasterCard xxxxxx4769",
"state":"new",
"user_name":"Bob Smith",
"email":"bob.smith@example.com",
"create_time":1367958263,
"input_source":"card_keyed",
"virtual_terminal_mode":"none",
"reference_id":"123abc",
"expiration_month": 4,
"expiration_year": 2020,
"last_four": "4769"
}
/credit_card/create
This call allows you to pass credit card information and receive back a credit_card_id. You will then be able to use that credit_card_id on the /checkout/create call to execute a payment immediately with that credit card (similar to how the preapproval_id on /checkout/create works). Note that you will need to call the /checkout/create call or the /credit_card/authorize call within 30 minutes or the credit card object will expire.
Note: If you pass an access_token on this call, the credit card will be added to the user associated with that access_token. If you want to do a guest payment (ie the payer is not registered on WePay), then do not pass an access_token.
Note: User contact information (especially e-mail) is key for risk analysis, so please make sure you provide the actual end-user contact information.
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your app dashboard. |
| cc_number | Yes | String (255 chars) | The number on the credit card. |
| cvv | Yes | Integer (32 bits) | The CVV (AKA card security code, CVV2, CVC etc) on the card. |
| expiration_month | Yes | Integer (32 bits) | The expiration month on the credit card. |
| expiration_year | Yes | Integer (32 bits) | The expiration year on the credit card. |
| user_name | Yes | String (255 chars) | The full name of the user that the card belongs to. |
| Yes | String (255 chars) | Valid email address of the user the card belongs to. If the e-mail belongs to the merchant, the API partner, or is invalid, the transaction may be canceled for risk reasons. | |
| address | Yes | Address Structure | The billing address on the card (a valid JSON object, not a JSON serialized string). |
| original_ip | No | String (16 chars) | The IP address of the user this card belongs to. This should be sent if you are not using WePay's Javascript library. |
| original_device | No | String (255 chars) | The user-agent (for web) or the IMEI (for mobile) of the user this card belongs to. This should be sent if you are not using WePay's Javascript library. |
| reference_id | No | String (255 chars) | The unique reference ID of the credit_card. |
| auto_update | No | Boolean |
Automatically update credit cards that have been stored with WePay. If a card is expired, or has been replaced (e.g. due to theft), it will automatically be updated based in information provided by card networks. Permission required - please contact your account manager. |
| callback_uri | No | String (2083 chars) | The uri that will receive IPNs for this credit card. You will receive an IPN whenever the card information is updated. |
Example:
{
"client_id":187493,
"user_name":"Bob Smith",
"email":"test@example.com",
"cc_number":"5496198584584769",
"cvv":"123",
"expiration_month":4,
"expiration_year":2020,
"address":
{
"address1":"test",
"city":"test",
"state":"CA",
"country":"US",
"zip":"94025"
}
}
Response:
| Response | Type | Description |
| credit_card_id | Integer (64 bits) | The unique ID of the credit_card. |
| state | String (255 chars) | The state that the credit card is in. |
Example:
{
"credit_card_id":235810395803,
"state":"new"
}
/credit_card/find
Search through tokenized credit cards.
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your app dashboard. |
| client_secret | Yes | String (255 chars) | The secret for your API application. You can find it on your app dashboard. |
| reference_id | No | String (255 chars) | The reference ID of the credit_card you want to find. |
| limit | No | Integer (64 bits) | The maximum number of results you want returned. Defaults to 50. |
| start | No | Integer (64 bits) | The start position for your search (default 0).. |
| sort_order | No | String (255 chars) | Sort the results of the search by time created. Use 'DESC' for most recent to least recent. Use 'ASC' for least recent to most recent. Defaults to 'DESC'. |
Example:
{
"client_id":12345,
"client_secret":"asbasf2341",
"reference_id":"abc123"
}
Response:
An array of credit_cards matching the search parameters. Each element of the array will include the same data as returned from the /credit_card call.
/credit_card/modify
Make modifications to existing tokenized credit card.
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your app dashboard. |
| client_secret | Yes | String (255 chars) | The secret for your API application. You can find it on your app dashboard. |
| credit_card_id | Yes | Integer (64 bits) | The unique ID of the credit_card you want to authorize. |
| auto_update | No | Boolean |
Automatically update credit cards that have been stored with WePay. If a card is expired, or has been replaced (e.g. due to theft), it will automatically be updated based on information provided by card networks. Permission required - please contact your account manager. |
| callback_uri | No | String (2083 chars) | The uri that will receive IPNs for this credit card. You will receive an IPN whenever the card information is updated. |
Example:
{
"client_id":12345,
"client_secret":"asbasf2341",
"credit_card_id":"1234567",
"auto_update": true,
"callback_uri": "http://www.example.com/ipn"
}
Response:
Same data as returned from the /credit_card call.
/credit_card/transfer
This call is similar to /credit_card/create. It is intended to be used server-server for the purpose of migrating credit card information to WePay. WePay automatically tests cards transferred to us via /credit_card/transfer by making a $0.00 authorization (in rare instances, the authorization amount may be $1.00 instead). All payment error codes (200X) are possible return values for /credit_card/transfer.
Permission Required
This call requires permission from WePay. Once given, it must only be used for the original purpose covered when permission was given.
- If migrating a batch of users, an end date is normally expected, after which permission for this call will be removed.
- It is not necessary to follow this call with /credit_card/authorize. The transferred cards will automatically be authorized if valid.
- Access tokens are not sent. Cards transferred are automatically available for use by any merchant on the platform (as identified by the client ID).
- The Risk API auto_billing rbit needs to be included
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your app dashboard. |
| client_secret | Yes | String (255 chars) | The secret for your API application. You can find it on your app dashboard. |
| cc_number | Yes | String (255 chars) | The number on the credit card. |
| expiration_month | Yes | Integer (32 bits) | The expiration month of the credit card. |
| expiration_year | Yes | Integer (32 bits) | The expiration year of the credit card. |
| user_name | Yes | String (255 chars) | The full name of the user the card belongs to. |
| Yes | String (255 chars) | The email address of the user the card belongs to. | |
| address | Yes | Address Structure | The billing address on the card (a valid JSON object, not a JSON serialized string). |
| reference_id | No | String (255 chars) | The unique reference ID of the credit_card. |
Response:
| Response | Type | Description |
| credit_card_id | Integer (64 bits) | The unique ID of the credit_card. |
| state | String (255 chars) | The state that the credit card is in. |
/credit_card/delete
Delete the credit card when you don't need it anymore. Note that you won't be able to use this card to make payments any more.
Arguments:
| Parameter | Required | Type | Description |
| client_id | Yes | Integer (64 bits) | The ID for your API application. You can find it on your app dashboard. |
| client_secret | Yes | String (255 chars) | The secret for your API application. You can find it on your app dashboard. |
| credit_card_id | Yes | Integer (64 bits) | The unique ID of the credit_card you want to delete. |
Example:
{
"client_id":12345,
"client_secret":"asbasf2341",
"credit_card_id":235810395803
}
Response:
| Response | Type | Description |
| credit_card_id | Integer (64 bits) | The unique ID of the credit_card. |
| state | String (255 chars) | The state that the credit card is in. |
Example:
{
"credit_card_id":235810395803,
"state":"deleted"
}