Card Networks (Visa, Mastercard, Amex, Discover, Diners)
Scope
Card rails are private routing artifacts (BIN tables, acquirer routing). There is no public "discover Visa endpoint" behavior. Ingestion is from internal systems only; strong encryption and access controls apply. The directory stores routing tables and returns directives to an ISO8583/API switch. Never store PAN; BIN ranges only. Merchant ID (MID), Terminal ID (TID), and contract identifiers are Tier 2 (confidential)—encrypt at rest and restrict access. See data-classification.
Identifier Taxonomy
- pan.bin — BIN/IIN range (6–8 digits only); never full PAN.
- mid, tid, caid — Merchant/terminal/card-acceptor IDs (tenant-scoped).
- processorId / acquirerId — Tenant/contract scoped.
- network.brand — Constraint: visa, mastercard, amex, discover, diners.
Do not store PAN or token values in plaintext.
Endpoints
- iso8583.tcp — Host:port, mTLS/VPN.
- api.https — Base URL + auth.
- file.sftp — Clearing files.
- mq — Internal switch.
Profile indicates channel (e.g. visa-base1, mc-mip).
BIN-Table Model
- Artifact type: bin_table. Payload: versioned entries with binPrefix, binLength, brand, region, routingTarget, optional tenantId.
- Resolver matches request BIN to longest-matching prefix and returns directive with target_address = routingTarget. Per-tenant overrides supported.
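A sketch of the resolver described above, added here as an illustration and not taken from the project's code. Assumptions: a tenant-scoped entry takes precedence over global entries and the longest prefix wins within that scope, binLength is the full BIN/IIN length, target_protocol is inferred from the form of routingTarget, and all hostnames and tenant names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

BRANDS = {"visa", "mastercard", "amex", "discover", "diners"}  # network.brand constraint

@dataclass(frozen=True)
class BinEntry:
    binPrefix: str
    binLength: int
    brand: str
    region: str
    routingTarget: str
    tenantId: Optional[str] = None

    def __post_init__(self):
        # Assumption: binLength is the full BIN/IIN length (6-8 digits) and
        # binPrefix is a digit string no longer than that.
        if not (6 <= self.binLength <= 8
                and re.fullmatch(r"[0-9]{1,8}", self.binPrefix)
                and len(self.binPrefix) <= self.binLength):
            raise ValueError("bad BIN range")
        if self.brand not in BRANDS:
            raise ValueError("unknown brand")

def resolve(table, bin_digits, tenant_id=None):
    """Return a routing directive for a 6-8 digit BIN, or None if nothing matches."""
    # Accept 6-8 digits only, so a full PAN can never enter the resolver or its logs.
    if not re.fullmatch(r"[0-9]{6,8}", bin_digits):
        raise ValueError("expected 6-8 BIN digits, never a PAN")
    hits = [e for e in table
            if bin_digits.startswith(e.binPrefix) and e.tenantId in (None, tenant_id)]
    if not hits:
        return None
    # Assumption: tenant-scoped entries override global ones; then longest prefix wins.
    best = max(hits, key=lambda e: (e.tenantId is not None, len(e.binPrefix)))
    # Assumption: an https:// target means the API channel, otherwise host:port ISO8583.
    protocol = "api/https" if best.routingTarget.startswith("https://") else "iso8583"
    return {"target_protocol": protocol, "target_address": best.routingTarget,
            "brand": best.brand}

# Constructed sample table (hostnames and tenant are illustrative only).
TABLE = [
    BinEntry("4", 6, "visa", "global", "visa-gw.example.internal:8583"),
    BinEntry("411111", 6, "visa", "us", "visa-us.example.internal:8583"),
    BinEntry("4111", 6, "visa", "us", "https://acq.example.internal/v1", tenantId="tenant-a"),
    BinEntry("51", 6, "mastercard", "eu", "mc-eu.example.internal:8583"),
]
```

Rejecting anything longer than 8 digits at the resolver boundary keeps the "BIN ranges only" rule enforceable in code and not just in policy.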
Directive Outputs
- ISO8583: target_protocol iso8583, target_address host:port.
- API: target_protocol api/https, target_address base URL.
Capabilities: auth.request/response, clearing.presentment, chargeback, reversal, advice, tokenization, 3ds.
Security
- Store BIN ranges only; no PAN/token. Field-level encryption for merchant/terminal IDs. Strict RBAC and audit for card-related records. See security/key-reference-model.md.