Card Collection

Client

Backend

You can collect card information in a few ways with Evervault, but our prebuilt UI components are the most common. Cardholder data that's encrypted with Evervault can be safely stored in your database and then shared with third-party payment processors using Relay. This guide walks you through the entire process using our Card component for collection.

1{
2  card: {
3    number: "",
4    cvc: "",
5    expiry: {
6      month: "",
7      year: ""
8    }
9  }
10}

The Card component

The Card component is a secure iframe, hosted by Evervault, that you embed in your product to collect card data. When customers input their card information, it's encrypted within the iframe before being returned to you for storage. This approach reduces your PCI DSS scope because Evervault hosts the iframe, and you never handle plaintext card data.

Get started with the Card component

Install the Evervault SDK

Our JavaScript SDK is distributed from our CDN, and can be installed by placing this script tag in the head of your HTML file. The SDK must be loaded directly from our CDN and cannot be bundled with your application or self hosted.

1<script src="https://js.evervault.com/v2"></script>

Once the SDK is installed, initialize it using your Team ID and App ID. You can find these in the Evervault Dashboard.

1const evervault = new Evervault("<TEAM_ID>", "<APP_ID>");

You can also install Evervault via the @evervault/js package on npm. This package is a light wrapper which handles loading the SDK from our CDN and also provides TypeScript definitions.

1import { loadEvervault } from "@evervault/js";
2
3const evervault = loadEvervault("<TEAM_ID>", "<APP_ID>");

Frequently Asked Questions

Create a Card component

Initialize the Card component and mount it to a DOM element. See the SDK documentation for available parameters.

1const card = evervault.card({
2  theme: evervault.ui.themes.clean(),
3});
4card.mount("#card-details");

You can customize the appearance of the Card component by passing a custom theme or extending one of our prebuilt themes. Read more about customization.

Submit the encrypted card data to your API

The encrypted card values can be accessed from the card.values object or by subscribing to the change event with the card.on method.

Inside your submit handler, you can access the encrypted card data and pass it to your backend.

1function handleSubmit() {
2  // Pass the encrypted card data to your backend
3  fetch("my-api.com/checkout", {
4    method: "POST",
5    headers: {
6      "Content-Type": "application/json",
7    },
8    body: JSON.stringify({
9      number: card.values.card.number,
10      expiry: card.values.card.expiry,
11      cvc: card.values.card.cvc,
12    }),
13  });
14}

Forwarding encrypted card data

Now that you have the encrypted card data, you need to pass it to a third-party payment processor (Stripe, Adyen, etc.). To do this, you use Relay to decrypt the data after it leaves your infrastructure, and before it reaches the third-party API.

Relay is a network proxy that can be configured to decrypt data during a request. When you proxy a request through Relay, the encrypted card holder data is decrypted, allowing the request to be processed as normal when it reaches the third-party. This means the encrypted card data you collect reaches the PSP as plaintext data, without you ever handling the raw form.

Create a Relay

To simplify this example, we'll use PutsReq to simulate a third-party API. PutsReq provides a temporary endpoint that we can send requests to, however, in practice, this would be an endpoint from a third-party service.

To create a relay for your PutsReq endpoint, navigate to the Relays tab in the Evervault Dashboard, click Create Relay, and add the PutsReq endpoint to the destination field.

Screenshot of the Relay creation form in the Evervault Dashboard.

Configure the relay

By default, relays are just transparent proxies that don't decrypt any data. They can be configured to perform encrypt and decrypt operations on request or response. For this example, the relay needs to decrypt encrypted card data on request as it's proxied to the third-party endpoint.

In the Dashboard, click the Add Route button to configure a new route. We want to decrypt any data being sent to this endpoint, so we can enter /** in the path field to match all requests sent to the relay.

Next, we can add a request action to decrypt any encrypted data in the request body. Select Add Request Action -> Decrypt -> JSON, and enter $..* in the fields to decrypt. This configures the relay to match any encrypted JSON fields in the request body and decrypts them.

You can learn more about field selection in the Relay documentation.

Screenshot of a Relay configured to decrypt all data in the request body.

Integrate the relay

Finally, we can implement our API endpoint to pass encrypted card data to the third-party payment processor using the relay you just created. When requests are sent, card data is automaitcally detected and decrypted before it reaches the third-party API.

1// Replace with Relay URL
2const relayURL = "<PUTSREQ_RELAY_URL>";
3
4// POST /checkout
5router.post("/checkout", async (req, res) => {
6  try {
7    const response = await fetch(relayURL, {
8      method: "POST",
9      headers: {
10        "Content-Type": "application/json",
11        "X-Evervault-App-Id": "<APP_ID>",
12        "X-Evervault-Api-Key": "<API_KEY>",
13      },
14      body: JSON.stringify({
15        number: req.body.number,
16        expiry: req.body.expiry,
17        cvc: req.body.cvc,
18      }),
19    });
20
21    const data = await response.json();
22    res.json(data);
23  } catch (error) {
24    res.status(500).json({ error: error.message });
25  }
26});

Relay authentication

Notice we are sending the X-Evervault-App-Id and X-Evervault-Api-Key headers to the Relay. These headers are used to authenticate the request to the Relay. We recommend enabling Relay authentication when sending requests to third-party APIs.

Customization

The Card component can be fully customized to match the design of your application. By default, the Card component has no styling applied. You can use one of our prebuilt themes to get up and running or build your own theme from scratch.

Prebuilt themes

The SDK has three themes to get you started: clean, minimal, and material.

1evervault.card({
2  theme: evervault.ui.themes.clean(),
3});

Custom themes

A theme is just an object with a styles property. The styles property uses a CSS-as-JS format to define CSS rules for the component. These rules are compiled to CSS and injected into the iframe.

1const theme = {
2  styles: {
3    ":root": {
4      "color-scheme": "light",
5    },
6    label: {
7      fontSize: 11,
8      fontWeight: 500,
9      textTransform: "uppercase",
10    },
11    ".error": {
12      color: "red",
13      fontSize: 12,
14      marginTop: 5,
15    },
16    ".field input": {
17      marginTop: 5,
18      padding: "8px 12px",
19      border: "2px solid #dddddd",
20    },
21    ".field:focus-within input": {
22      borderColor: "#6633ee",
23    },
24  },
25};

You can pass a custom theme as an argument to any of the prebuilt themes to extend them.

1evervault.ui.themes.clean({
2  styles: {
3    label: {
4      color: "#6633ee",
5    },
6  },
7});

Element attributes

Although you can customize the CSS inside of the iframe, you can't modify the HTML. We know that layout can have a big impact on style definitions and so to help with this, we apply custom attributes to various elements within the iframe. These attributes are prefixed with ev-.

You can see our premade UI component themes for an example of how these attributes can be used when creating themes.

fieldset attributes

The following attributes are added to the `<fieldset />` tag that wraps the entire component.

ev-componentCard
The name of the component.
ev-validtrue | false
Whether or not all of the fields within the component are valid.

.field Attributes

Each field in the component is wrapped in a <div /> with a '.field' class and the following attributes.

ev-namename | number | expiry | cvc
The name for the individual field within the component.
ev-validtrue | false
Whether or not the field is valid.
ev-has-valuetrue | false
Whether or not the input has a value.

Custom fonts

You can load additional fonts from Google Fonts by providing a fonts array in the theme definition. Currently, we only support custom fonts via Google Fonts.

1const theme = {
2  fonts: ["https://fonts.googleapis.com/css2?family=Comic+Neue"],
3  styles: {
4    input: {
5      fontFamily: "'Comic Neue'",
6    },
7  },
8};

Responsive styling

You can define media queries inside of the themes styles object, however, this may lead to unexpected behaviour as the media queries are matched against the iframe document, not the parent document. To get around this, we provide a media utility which allows you to define styles based on media queries that match the parent document.

To access the media utility, you need to define your theme as a function that returns a theme object. This function is passed a utilities object as an argument, which contains the media utility. The media utility should be spread into the styles object of the returned theme.

1const theme = (utilities) => {
2  return {
3    styles: {
4      label: {
5        fontSize: 16,
6      },
7      ...utilities.media("(max-width: 400px)", {
8        label: {
9          fontSize: 20,
10        },
11      }),
12    },
13  };
14};

Custom card brands

By default, the card component recognizes a fixed set of card networks but you can extend it with your own brands using evervault.brands.create. This creates a brand which you can then pass into the card component with the customBrands option.

1const acmeBrand = evervault.brands.create("acme-card", {
2  numberValidationRules: {
3    ranges: [[88000, 88999]],
4    lengths: [16],
5  },
6  securityCodeValidationRules: {
7    lengths: [3],
8  },
9  iconSrc: "https://your-cdn.com/acme-icon.svg",
10});
11
12const card = evervault.ui.card({
13  customBrands: [acmeBrand],
14});
15
16card.on("change", (data) => {
17  // "acme-card" appears in data.card.localBrands when a matching number is entered
18  console.log(data.card.localBrands);
19});

The ranges argument accepts a BIN prefix (e.g., 9900) or an inclusive range of prefixes (e.g., [88000, 88999]). The card component always accepts custom brands, even if acceptedBrands is set to restrict standard networks.

What's next

3D Secure
Learn how to use 3D Secure to authenticate your customers and reduce fraud.
Network Tokens
Learn how to use Network Tokens to protect your customers' cards and improve authorization rates.

Other collection methods

For card collection, we generally recommend using our UI components, but if those don't work for your use case, you can also collect card information server to server and with our SDKs (each SDK has an encrypt method). These options can impact your compliance scope depending on what you implement. If the flow you build exposes you to plaintext card data, it can increase your PCI DSS scope.

For server to server, create a relay that encrypts data for inbound requests to your server. The external server making the call needs to send the request to your relay, which encrypts the sensitive data and then forwards the request to your server. For client side encryption with the SDK, use the encrypt method.

Card Collection

Frequently Asked Questions

Why does the SDK need to be loaded from the CDN?

How do I get my Team ID and App ID?

Can I load the SDK asynchronously?

Relay authentication

fieldset attributes

.field Attributes