Full Card Numbers vs Card Tokens

Sending full card numbers vs card tokens through the Helcim API.

By default, Helcim merchants cannot send full card numbers, expiry dates, or CVV numbers via the Helcim API. This is to reduce the security scope and PCI-DSS compliance requirements of our merchants. Instead, we encourage merchants to tokenize card numbers using HelcimPay.js or Helcim.js before submitting them to one of the Payment API endpoints.


Special Permission:

Merchants can request permission to send full cardholder information if their unique integration needs require this. If you want to send full card numbers through the Helcim API you will need to do the following:

  1. Contact Helcim to review your business needs BEFORE signing up for Helcim
  2. Once you have spoken to Helcim, you can proceed with completing your sign up
  3. After signing up, read, complete, and sign the PCI SAQ-D within 90 days. Your dashboard will start to remind you 45 days after your account activation.
  4. Once complete, the SAQ-D needs to be uploaded to the dashboard in your Helcim account

The SAQ-D must be completed with an independent third party auditor, signed and then uploaded annually. You will be responsible for complying with all of the obligations of the SAQ-D, for example arranging to have your network scanned. Please also note that AVS information will be mandatory for all transactions.

If your Helcim account configurations allows for full card information, below are the required cardData body parameters that should be sent in lieu of the cardToken details. Full card numbers can be used for "purchase", "pre-authorization", and "verify" transaction API endpoints.

Please review our documentation for more information on processing through our Payment API endpoints.

Field NameFormatDescription
cardNumberstring (13-16 length)The full card number, which can vary between 13 and 16 digits based on the card type.
cardExpirystring (4 length)The card expiry date, in MMYY format (total of 4 digits without spaces or slashes, including a leading zero for single digit months).
cardCVVstring (3-4 length)The card CVV (3-4 digits on back of credit card). American Express shows this number on the front of the card.

Using Card Tokens

Your website or application should store relevant cardToken information and use these when processing in lieu of full card numbers if you are not approved to send with them. The card token is not considered sensitive cardholder information and can only be used within the Helcim system, unless migrated to another PCI compliant payment processor through a secure data migration process.

When ready to process a new payment, the cardToken should be sent to the Helcim Payment API endpoint in the cardData object instead of the credit card number, expiry and CVV fields.

Field NameFormatDescription
cardTokenString (23)The 23-digit, alpha-numeric card token representing the stored card information.