Full card numbers vs card tokens

Sending card tokens versus full card numbers via API

By default, Helcim merchants cannot send full card numbers, expiry dates or CVVs via the API. This is to reduce the security scope and PCI-DSS compliant requirements of our merchants. Instead, we encourage merchants to tokenization card numbers using the Helcim.js tool.


Special Permission

Merchants can request permission to send full cardholder information if their unique integration needs require for this. If you want to send full card numbers through the Helcim API you will need to do the following:

  1. Contact Helcim to review your business needs BEFORE signing up for Helcim
  2. Once you have spoken to Helcim, you can proceed with completing your sign up
  3. After signing up, read, complete, and sign the PCI SAQ-D within 90 days. Your dashboard will start to remind you 45 days after your account activation.
  4. Once complete, the SAQ-D needs to be uploaded to the dashboard in your Helcim account

The SAQ-D must be completed, signed and uploaded annually. You will be responsible for complying with all of the obligations of the SAQ-D, for example arranging to have your network scanned. Please also note that AVS information will be mandatory for all transactions.

If your Helcim account configurations allows for full cardholder information, below are the API POST fields that should be sent in lieu of the cardToken and cardF4L4 fields. These can be used for "purchase", "pre-authorization", and "verify" transactions.

Field NameFormatDescription
cardHolderNamestringThe cardholder full name.
cardNumberstring (13-16 length)The full card number, which can vary between 13 and 16 digits based on the card type.
cardExpirystring (4 length)The card expiry date, in MMYY format (total of 4 digits without spaces or slashes).
cardCVVstring (3-4 length)The card CVV (3-4 digits on back of credit card). American Express shows this number on the front fo the card.
cardHolderAddressstringThe cardholder's stress address.
cardHolderPostalCodestringThe cardholder's postal code.