Card Data Environment (CDE) Bypass
By default, Atomic uses a Card Data Environment (CDE) to securely receive and manage sensitive card data through our API. However, if you prefer to transmit card data directly from your user's device to third-party systems, you can use the CDE Bypass flow instead.
The CDE Bypass flow enables you to securely send sensitive card data directly from the user's device to third-party systems without routing that data through Atomic's servers. This approach gives you complete control over data handling while maintaining security compliance and reducing your integration complexity.
This guide is ideal if you want to:
- Reduce data transmission through third-party infrastructure
- Simplify compliance requirements by avoiding data storage intermediaries
- Minimize integration points for sensitive data inside your app
Prerequisite: This integration requires that your application already has access to complete card data (PAN, expiry date, CVV/CVC).
Integration Overview
The CDE Bypass integration involves five key components working together:
- Your Client Application: Your user-facing application where customers interact with your service. You'll embed Atomic within your experience, typically launching it via a call-to-action button.
- Your Backend Service: Your server-side application that handles secure communication with Atomic's API. When a user initiates the flow, your backend requests an access token from Atomic.
- Atomic API: Atomic's backend service that manages authentication, processes your requests, and sends secure commands to the Transact SDK running on the user's device.
- Transact SDK: Atomic's client-side component that you embed in your application. It manages the user interface, handles user interactions, and securely processes sensitive card data directly on the user's device.
- Third-Party Systems: External services (such as merchants or digital wallets) that receive and process the card updates on behalf of your users.
Step-by-Step CDE Bypass
Step 1: User Initiates Flow
Your user clicks a call-to-action in your application. Your client application then requests an access token from your backend service.
Step 2: Create Access Token
Your backend sends a request to Atomic's API with a unique user identifier. For the CDE Bypass flow, only the user identifier is required; no card data is sent at this stage.
Step 3: Return Public Token
Atomic's API returns a public token to your backend, which you forward to your client application. This token authorizes your app to launch the Transact SDK.
Step 4: Initialize Transact SDK
Your client application initializes the Transact SDK using the public token. Configure the SDK with deferredPaymentMethod set to sdk and register the onDataRequest event handler.
For complete configuration options, see Transact SDK parameters and event listeners.
Step 5: User Authentication
The user selects their merchant within the SDK (or is deeplinked to a specific merchant) and completes authentication. Once authenticated, Atomic is authorized to perform the requested card update task.
Step 6: Provide Card Data
After authentication, the SDK triggers the onDataRequest event. Your application must respond with the required card data and user identity information, depending on what has not been provided in previous steps.
Implementation Requirements:
- Listen for the onDataRequest event in your Transact SDK implementation. See onDataRequest documentation for complete details.
- Respond with the complete card data (PAN, expiry date, CVV/CVC) and user identity information through the SDK's response method.
- Important: Only one card can be processed per transaction.
Step 7: Complete Card Update
Atomic securely transmits the card data directly through the user's device to the third-party system (merchant or digital wallet). The user receives real-time status updates through the SDK interface, and your application can track progress through real-time SDK events.
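An added example, not Atomic's code: a pre-flight check that the onDataRequest handler from Step 6 could run before handing card data to the SDK, enforcing the one-card rule and rejecting malformed values, with a masking helper so the full PAN stays out of logs. The function names and the field names (number, expiry, cvv) are assumptions; the onDataRequest documentation defines the actual response schema.

```javascript
// Added example: function names and field names (number, expiry, cvv) are
// hypothetical, not Atomic's documented onDataRequest response schema.

// Luhn checksum: catches mistyped or truncated PANs before they leave the app.
function luhnValid(pan) {
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = pan.charCodeAt(pan.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Masked form for logs and analytics: last four digits only.
function maskPan(pan) {
  return '*'.repeat(Math.max(pan.length - 4, 0)) + pan.slice(-4);
}

// Validates the card(s) held by the app and returns the single card to hand
// back from the onDataRequest handler. Error messages never echo card values.
function buildCardData(cards, now = new Date()) {
  if (!Array.isArray(cards) || cards.length !== 1) {
    throw new Error('exactly one card per transaction');
  }
  const { number, expiry, cvv } = cards[0];
  const pan = String(number).replace(/[\s-]/g, '');
  if (!/^\d{12,19}$/.test(pan) || !luhnValid(pan)) throw new Error('invalid PAN');
  const m = /^(0[1-9]|1[0-2])\/(\d{2})$/.exec(String(expiry));
  if (!m) throw new Error('expiry must be MM/YY');
  // A card stays valid through the last day of its expiry month, so the first
  // invalid instant is day 1 of the following month (MM used as a 0-based index).
  const firstInvalid = new Date(2000 + Number(m[2]), Number(m[1]), 1);
  if (now >= firstInvalid) throw new Error('card expired');
  if (!/^\d{3,4}$/.test(String(cvv))) throw new Error('invalid CVV/CVC');
  return { number: pan, expiry: m[0], cvv: String(cvv) };
}

// Constructed sample input (a widely used test PAN, not real card data).
const sample = buildCardData(
  [{ number: '4111 1111 1111 1111', expiry: '12/30', cvv: '123' }],
  new Date(2030, 0, 15));
console.log('card ready:', maskPan(sample.number));
```
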
Additional Integration Options
Consider these optional enhancements for production implementations:
- Webhooks: Receive real-time notifications about task completion status, enabling you to update your user interface even when the app is closed or experiencing network issues.
- API Status Queries: Retrieve detailed task information and status updates directly from Atomic's API for comprehensive monitoring.