Klarna Docs - Overview of Merchant Card Service

Settle orders with virtual credit cards issued by Klarna

Merchant Card Service (MCS) lets you settle orders with virtual credit cards issued by Klarna. We offer prepaid, single-use, and multiple-use cards in all European currencies as well as in USD.

If you operate in a market where your customers don’t have credit cards but you still want to have them as customers, you can integrate with Klarna. The consumer can then pay however they want, and you get a credit card issued by Klarna that you can use in your normal card flow.

If you own a marketplace with different merchants acting on your platform, you can settle customers’ payments towards the merchants via Klarna’s virtual credit cards. Each merchant can independently settle their part of an order. You can choose to settle payments with one card for each merchant or provide a single multiple-use card to all merchants involved in an order.

When using MCS, no changes are needed to your current integration with Klarna’s checkout. If you only want to use the checkout or Klarna payment capabilities without the order handling done on Klarna’s side, you can integrate with a card and use it in your normal order handling system.

  1. Enroll as virtual credit card merchant
  2. Read the section Encryption and decryption of card data
  3. Integrate to MCS’ endpoints: API Reference

To protect the sensitive virtual credit card data, we encrypt the card data before sending it to you.

The data is encrypted with a 128-bit symmetric key using the following algorithm: AES/CTR/NoPadding. The symmetric key is then encrypted with the public key you enrolled, using the following algorithm: RSA/ECB/PKCS1Padding. The RSA key pair you generate must be at least 2048 bits in size. Please provide your public key in JWK format.

Each public key is given a key_id that you use in the settlement request. It is possible to have more than one active public key.

You can use the following commands to generate a new private/public key pair:

    openssl genrsa -out private_key.pem 4096
    openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem

Now you can use the tool of your choice to convert the public key from .pem format to .jwk format, for example with the JavaScript tool pem-jwk:

    pem-jwk public_key.pem > public_key.jwk

Please make sure to store your private key securely, as the integrity of the virtual credit card data depends on it.

When you request a card, you have to provide the key_id of the public key you want to use. This key will be used to encrypt the symmetric key used to encrypt the card details.

When you request a virtual credit card, the response contains the following fields. These are used to decrypt the sensitive card data.

    "pci_data": "string",
    "iv": "string",
    "aes_key": "string"

The sensitive card data pci_data is encrypted with a generated symmetric key, aes_key, which is itself encrypted with your public key.

To decrypt the card data, perform these steps:

  1. Base64 decode aes_key
  2. Decrypt decoded aes_key using your private key
  3. Base64 decode pci_data
  4. Decrypt decoded pci_data using decrypted aes_key and iv (initialization vector)

Make sure you are using the private key which corresponds to the key_id you provided when you requested the card.

The decrypted data contains the card information in plaintext, formatted as a JSON object. Here’s an example of decrypted card information.

    "pan": "4111111111111",
    "expiry_date": "01/19",
    "cvv": "789"
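
The four decryption steps above, written out in Go as an added example (not Klarna's code); it also shows how a private key that does not match the key_id surfaces as an error. Assumptions: iv is Base64-encoded like the other two fields and holds the 16-byte initial counter block, the names DecryptCard and SampleResponse are hypothetical, and the response is constructed locally with a fixed sample key and IV.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// DecryptCard runs the four documented steps. Assumption: iv is Base64 like the rest.
func DecryptCard(priv *rsa.PrivateKey, pciData, iv, aesKey string) ([]byte, error) {
	wrapped, e1 := base64.StdEncoding.DecodeString(aesKey) // step 1
	ct, e2 := base64.StdEncoding.DecodeString(pciData)     // step 3
	ctr, e3 := base64.StdEncoding.DecodeString(iv)
	if e1 != nil || e2 != nil || e3 != nil || len(ctr) != aes.BlockSize {
		return nil, fmt.Errorf("malformed pci_data, iv or aes_key")
	}
	key := make([]byte, 16) // step 2: stays random on bad padding (no padding oracle)
	rand.Read(key)
	if err := rsa.DecryptPKCS1v15SessionKey(rand.Reader, priv, wrapped, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)                 // cannot fail: key is 16 bytes
	cipher.NewCTR(block, ctr).XORKeyStream(ct, ct) // step 4, in place
	if !json.Valid(ct) { // CTR is unauthenticated: a wrong key only shows up as garbage
		return nil, fmt.Errorf("not JSON after decryption: private key does not match key_id?")
	}
	return ct, nil
}

// SampleResponse builds a constructed key pair and response (not real Klarna output).
func SampleResponse() (priv *rsa.PrivateKey, pciData, iv, aesKey string) {
	priv, _ = rsa.GenerateKey(rand.Reader, 2048)
	key, ctr := []byte("constructed-key!"), []byte("constructed-iv!!") // 16 bytes each
	pt := []byte(`{"pan":"4111111111111","expiry_date":"01/19","cvv":"789"}`)
	block, _ := aes.NewCipher(key)
	cipher.NewCTR(block, ctr).XORKeyStream(pt, pt)
	w, _ := rsa.EncryptPKCS1v15(rand.Reader, &priv.PublicKey, key)
	enc := base64.StdEncoding.EncodeToString
	return priv, enc(pt), enc(ctr), enc(w)
}

func main() {
	card, err := DecryptCard(SampleResponse())
	fmt.Printf("decrypted %d bytes, err=%v\n", len(card), err) // keep card data out of logs
}
```

The caller unmarshals the returned bytes into its own card type and can overwrite the slice once the card has been used.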