
Overview

Contro provides two methods to access sensitive card data (PAN, CVV, expiry date). The right choice depends on your PCI DSS compliance status and how you want to handle card data.
Card data is highly sensitive and regulated. Not every organization is permitted to store or process this information directly. Choose the method that matches your compliance posture.

Decision flowchart

Methods compared

| Aspect                         | Direct API                                   | Embedded widget                         |
|--------------------------------|----------------------------------------------|-----------------------------------------|
| PCI DSS required               | Yes (SAQ-D)                                  | No - reduced scope (SAQ-A)              |
| Card data touches your servers | Yes (RSA-encrypted)                          | No                                      |
| UI customization               | Full control - you build the UI              | CSS stylesheet on Contro-hosted widget  |
| Implementation effort          | Higher - key management + decryption         | Lower - embed an iframe                 |
| Best for                       | Backend systems, batch operations, custom UIs | End-user card reveal UIs               |
| Endpoint                       | GET /partner/cards/{id}/reveal               | POST /partner/cards/{id}/reveal-html    |

Direct API

Best for: Organizations with PCI DSS compliance that need card data on their own servers - backend processing, batch operations, or fully custom card display UIs.
How it works:
  1. Upload your RSA public key to Contro
  2. Call the reveal endpoint
  3. Decrypt the RSA-encrypted response with your private key
  4. Use the card data however you need
Card data is encrypted end-to-end with your RSA key. Contro never exposes plaintext card data in API responses.

Direct API guide

Full setup: key generation, upload, API call, and decryption examples

Embedded widget

Best for: Organizations that want to show card data to end-users without handling sensitive data on their own servers. No PCI DSS certification is needed.
How it works:
  1. Configure allowed origins in your dashboard settings
  2. Generate a short-lived, single-use signed URL via API
  3. Embed the URL in an iframe - Contro renders the card data
  4. Optionally apply custom CSS for branding
Sensitive data never touches your servers. The widget is hosted by Contro with strict CSP headers, single-use tokens, and 60-second expiry.
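The widget steps above, as an added example that is not Contro's own code. The API base URL, Bearer authentication with the sk_test_ key, the JSON response field `url`, and the origin the widget is served from are all assumptions. `createSignedRevealUrl` runs on your backend (the API key must never reach the browser); `mountCardReveal` runs in the page. `frameAncestorsAllows` is not something you need to ship: it reproduces the decision a browser makes from the widget's frame-ancestors CSP, so you can see why an iframe on an origin missing from your allowed list renders blank.

```javascript
// Added example (not Contro's own code) for the embedded widget flow.
// Assumptions, not taken from the page: the API base URL, Bearer auth with
// the sk_test_ key, a JSON response with a "url" field holding the signed
// URL, and the origin the widget is served from.
const CONTRO_API_BASE = 'https://api.contro.example';       // assumed
const CONTRO_WIDGET_ORIGIN = 'https://api.contro.example';  // assumed

// Step 2 (server side): request a short-lived, single-use signed URL.
async function createSignedRevealUrl(cardId, apiKey, fetchImpl = fetch) {
  const endpoint = `${CONTRO_API_BASE}/partner/cards/${encodeURIComponent(cardId)}/reveal-html`;
  const res = await fetchImpl(endpoint, {
    method: 'POST',
    headers: { Authorization: `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    body: '{}',
  });
  if (!res.ok) throw new Error(`reveal-html failed: HTTP ${res.status}`);
  const body = await res.json();
  return body.url; // field name assumed
}

// Before embedding, confirm the URL points at the Contro widget over https,
// so a value that was swapped somewhere in transit can't be framed into your page.
function isTrustedWidgetUrl(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return false; }
  return url.protocol === 'https:' && url.origin === CONTRO_WIDGET_ORIGIN;
}

// Browser-side view of the widget's frame-ancestors CSP: returns true if a
// page at embedderOrigin is allowed to frame the widget. Handles 'none',
// 'self', exact origins and *.host wildcards; default ports are normalised.
function frameAncestorsAllows(cspHeader, embedderOrigin) {
  const directive = cspHeader.split(';').map(s => s.trim())
    .find(s => s.startsWith('frame-ancestors'));
  if (!directive) return true; // no directive: framing is not restricted by CSP
  const sources = directive.split(/\s+/).slice(1);
  if (sources.includes("'none'")) return false;
  const embedder = new URL(embedderOrigin);
  const embedderPort = embedder.port || (embedder.protocol === 'https:' ? '443' : '80');
  return sources.some(src => {
    if (src === "'self'") return embedder.origin === CONTRO_WIDGET_ORIGIN;
    const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?$/.exec(src);
    if (!m) return false;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && `${scheme}:` !== embedder.protocol) return false;
    if (port && port !== embedderPort) return false;
    return wildcard ? embedder.hostname.endsWith(`.${host}`) : embedder.hostname === host;
  });
}

// Step 3 (browser side): mount a fresh iframe for every reveal. Tokens are
// single-use and expire after 60 seconds, so a URL is never reused.
function mountCardReveal(container, signedUrl, doc = globalThis.document) {
  if (!isTrustedWidgetUrl(signedUrl)) throw new Error('refusing to embed untrusted URL');
  container.querySelectorAll('iframe').forEach(f => f.remove());
  const frame = doc.createElement('iframe');
  frame.src = signedUrl;
  frame.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
  container.appendChild(frame);
  return frame;
}
```

Request the signed URL only when the user actually asks to reveal the card, then mount it immediately: generating it early wastes the 60-second window, and a second mount of the same URL fails because the token has already been consumed.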

Embedded widget guide

Full setup: origin configuration, URL generation, iframe embedding, and styling

Security

Both methods are designed with security as a default:
  • Direct API: RSA-4096 encryption with OAEP-SHA256. Card data is encrypted before leaving Contro’s servers.
  • Embedded widget: Single-use tokens, 60-second expiry, frame-ancestors CSP restricted to your allowed origins.
  • Sandbox testing: Both methods work with sk_test_ keys using test card data - no real card data is exposed during development.

Next steps

  1. Determine your PCI status - if unsure, start with the embedded widget for faster integration
  2. Set up sandbox testing - both methods return test data with sk_test_ API keys
  3. Configure settings - upload your RSA key or set allowed origins in https://partner.contro.me/settings