
Card Data Environment (CDE) Bypass

By default, Atomic uses a Card Data Environment (CDE) to securely receive and manage sensitive card data through our API. However, if you prefer to transmit card data directly from your user's device to third-party systems, you can use the CDE Bypass flow instead.

The CDE Bypass flow enables you to securely send sensitive card data directly from the user's device to third-party systems without routing that data through Atomic's servers. This approach gives you complete control over data handling while maintaining security compliance and reducing your integration complexity.

This guide is ideal if you want to:

  • Reduce data transmission through third-party infrastructure
  • Simplify compliance requirements by avoiding data storage intermediaries
  • Minimize integration points for sensitive data inside your app

Prerequisite: This integration requires that your application already has access to complete card data (PAN, expiry date, CVV/CVC).

The CDE Bypass integration involves five key components working together:

  • Your Client Application: Your user-facing application where customers interact with your service. You'll embed Atomic within your experience, typically launching it via a call-to-action button.
  • Your Backend Service: Your server-side application that handles secure communication with Atomic's API. When a user initiates the flow, your backend requests an access token from Atomic.
  • Atomic API: Atomic's backend service that manages authentication, processes your requests, and sends secure commands to the Transact SDK running on the user's device.
  • Transact SDK: Atomic's client-side component that you embed in your application. It manages the user interface, handles user interactions, and securely processes sensitive card data directly on the user's device.
  • Third-Party Systems: External services (such as merchants or digital wallets) that receive and process the card updates on behalf of your users.

Security Note: In the CDE Bypass flow, sensitive card data (PAN and CVV/CVC) is transmitted directly from the user's device to third-party systems and bypasses Atomic's servers entirely.

Your user clicks a call-to-action in your application. Your client application then requests an access token from your backend service.

Your backend sends a request to Atomic's API with a unique user identifier. For the CDE Bypass flow, only the user identifier is required; no card data is sent at this stage.

Security Note: This request uses your API Key and Secret for secure, machine-to-machine authentication. See API Key and Secret for details.

Atomic's API returns a public token to your backend, which you forward to your client application. This token authorizes your app to launch the Transact SDK.

Your client application initializes the Transact SDK using the public token. Configure the SDK with deferredPaymentMethod set to sdk and register the onDataRequest event handler.

For complete configuration options, see Transact SDK parameters and event listeners.

The user selects their merchant within the SDK (or is deeplinked to a specific merchant) and completes authentication. Once authenticated, Atomic is authorized to perform the requested card update task.

After authentication, the SDK triggers the onDataRequest event. Your application must respond with the required card data and user identity information, depending on what has not been provided in previous steps.

Implementation Requirements:

  • Listen for the onDataRequest event in your Transact SDK implementation. See onDataRequest documentation for complete details.
  • Respond with the complete card data (PAN, expiry date, CVV/CVC) and user identity information through the SDK's response method.
  • Important: Only one card can be processed per transaction.
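
One way to guard the onDataRequest response described above, as an added example that is not Atomic's code: it validates the card before responding, enforces the one-card-per-transaction rule, and keeps the full PAN, expiry and CVV out of logs. The payload field names and the getCard, sendResponse and log callbacks are hypothetical stand-ins for your card source and the SDK's response method.

```javascript
// Added example. Field names (pan, expiry, cvv) and the callbacks are
// hypothetical; see the onDataRequest documentation for the real shapes.

// Luhn checksum over a digit-only PAN (12 to 19 digits accepted here).
function luhnValid(pan) {
  if (!/^\d{12,19}$/.test(pan)) return false;
  let sum = 0;
  for (let i = 0; i < pan.length; i++) {
    let d = Number(pan[pan.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Expiry in "MM/YY" form must not be earlier than the current month.
function expiryValid(expiry, now = new Date()) {
  const m = /^(0[1-9]|1[0-2])\/(\d{2})$/.exec(expiry);
  if (!m) return false;
  const month = Number(m[1]);
  const year = 2000 + Number(m[2]);
  return year > now.getFullYear() ||
    (year === now.getFullYear() && month >= now.getMonth() + 1);
}

// Log-safe view of a card: last four PAN digits only, never expiry or CVV.
function redactCard(card) {
  return { pan: "*".repeat(card.pan.length - 4) + card.pan.slice(-4) };
}

// Builds a handler that answers one data request with one validated card.
function makeDataRequestHandler(getCard, sendResponse, log = () => {}) {
  let answered = false;
  return function onDataRequest(_request) {
    if (answered) throw new Error("only one card per transaction");
    const card = getCard();
    if (!luhnValid(card.pan)) throw new Error("invalid PAN");
    if (!expiryValid(card.expiry)) throw new Error("expired or malformed expiry");
    if (!/^\d{3,4}$/.test(card.cvv)) throw new Error("invalid CVV");
    answered = true;
    log("answering data request", redactCard(card));
    sendResponse({ card: { pan: card.pan, expiry: card.expiry, cvv: card.cvv } });
  };
}
```

Rejecting malformed data before it reaches the SDK keeps a failed task from being the first signal of a bad card, and the redacted view is the only form of the card that should reach application logs or analytics.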

Atomic securely transmits the card data directly through the user's device to the third-party system (merchant or digital wallet). The user receives real-time status updates through the SDK interface, and your application can track progress through real-time SDK events.

Consider these optional enhancements for production implementations:

  • Webhooks: Receive real-time notifications about task completion status, enabling you to update your user interface even when the app is closed or experiencing network issues.
  • API Status Queries: Retrieve detailed task information and status updates directly from Atomic's API for comprehensive monitoring.