Card Management

The Card resource represents a card under an account.

INFO

Mansar provides a cross-platform suite of flexible and customizable white-label UI components, including a card component. You may embed the card component into your app to shorten your time to market and deliver a highly optimized experience to your end customer with minimal engineering investment.

NOTE

Mansar enables you to programmatically review card Authorization Requests when they are made, and decide whether to approve the purchase. This capability gives complete control and visibility into card use.

Card Resource Types

There are multiple types of card resources on Mansar, each solves for specific use cases. The table below outlines the different types and use cases.

Type
Details

IndividualVirtualPrepaidCard

A virtual prepaid card belonging to an Individual customer, including sole proprietors. The details of the card holder (name, email, phone number etc.) will be the individual customer's details.

BusinessVirtualPrepaidCard

A virtual prepaid card belonging to a Business customer. The cardholder may be any person associated with the business. The details of the card holder (name, email, phone number etc.) will be provided as part of the card creation request. In order to create the customer token that is needed to reveal the card information, the card holder must be the business contact or an (authorized user)[/api/customers/#authorized-users].

INFO

Cards issued to sole proprietors are business cards for all intents and purposes (BIN, interchange etc.)

Card Statuses

Cards have a Status Property, which represent their current status and determines what actions can or can't be completed using the card.

Status
Description
Comments

Inactive

The Card has not been activated by the Customer

Cards can be activated using the Activate card or by calling a the toll-free number printed on the card. Virtual cards do not require activation.

Active

The Card has been activated and can be used regularly

Stolen

The Card has been reported stolen by the Customer

A stolen card cannot be reopened.

Lost

The Card has been reported lost by the customer

A lost card cannot be reopened.

Frozen

The Card has been frozen

ClosedByCustomer

The Card has been closed by the Customer

A closed card cannot be reopened.

SuspectedFraud

The Card has been flagged due to fraud suspicion

Cards are defined as "SuspectedFraud" by the card network (e.g. Visa). The network will reach out to the client to confirm recent transactions that were marked as potentially fraudulent and reactivate the card if the transactions are confirmed as not fraudulent. If the transactions are marked as fraudulent or if the client does not respond to the card network, the card will remain in SuspectedFraud status and cannot be used.

INFO

One month before a card (physical or virtual) is due to expire the network and card printer (for physical cards) will automatically re-issue a new card with the same card number, the new expiration date, and the new CVV.

Cards are excluded from automatic re-reissue if one of these conditions applies:

  • The status is not active (i.e., stolen, lost, frozen, closed by customer, suspected fraud)

  • The card has not been activated by the customer (i.e., inactive)

  • There is no card activity in the last 6 months - this includes all card-related transactions

The new cards are issued with 4-year validity. Virtual cards are issued ready to use instantly. New physical cards require to be activated by the customer before the first use. Activation of the new card blocks the old cards from being used further.

Create Individual Virtual Prepaid Card

Creates a prepaid card for an individual. You must link the card to an account using the account field under relationships object. The linked account must belong to an individual customer (and not a business). The card creation request supports Idempotency, ensuring that performing multiple identical requests will have the same effect as performing a single request.

NOTE

For security reasons, an individual customer's account may have up to one virtual card in Active status.

To change this policy in your org, please contact Mansar. Cards that were reported lost, reported stolen, or closed do not count as active.

NOTE

Unlike physical cards, virtual cards are created in Active status and do not require activation.

Verb

POST

Url

https://api.s.usemansar.xyz/cards

Required Scope

cards-write

Data Type

individualVirtualPrepaidCard

Timeout (Seconds)

120

Attributes

Name
Type
Description

idempotencyKey

string

Optional.

tags

object

Optional.

limits

object

Optional.

expiryDate

string

Optional. Expiration date of the card in one of the formats MM/yy or yyyy-MM or yy-MM (e.g. "03/27"). Must be between 3 to 5 years. Default is 4 years.

Relationships

Name
Type
Description

account

JSON:API Relationship

Link to the account the card belongs to. Holder of the account must be an individual.

customer

JSON:API Relationship

Optional, Link to the customer the card belongs to. Mandatory if the account has more than one customer. Holder of the account must be an individual.

Example Request:

Response

Response is a JSON:API document.

201 Created

Field
Type
Description

data

IndividualVirtualPrepaidCard

The target resource after the operation was completed.

Example Response:

Create Business Virtual Prepaid Card

Creates a prepaid card for a business. You must link the card to an account using the account field under relationships object. The linked account must belong to a business customer. The card creation request supports Idempotency, ensuring that performing multiple identical requests will have the same effect as performing a single request.

NOTE

When creating a business prepaid card, the card holder's personal information must be provided as part of the request.

NOTE

For security reasons, a card holder of a business prepaid card may have up to one virtual card in Active or newly created (Inactive) status.

To change this policy in your org, please contact Mansar. Cards that were reported lost, reported stolen, or closed do not count as active.

NOTE

Unlike physical cards, virtual cards are created in Active status and do not require activation.

Verb

POST

Url

https://api.s.usemansar.xyz/cards

Required Scope

cards-write

Data Type

businessVirtualPrepaidCard

Timeout (Seconds)

120

Attributes

Name
Type
Description

fullName

FullName

Full name of the card holder.

dateOfBirth

RFC3339 Date string

Date of birth of the card holder (e.g. "2001-08-15").

address

Address

Address of the card holder.

phone

Phone

Phone of the card holder.

email

string

Email address of the card holder.

idempotencyKey

string

Optional.

tags

object

Optional.

limits

object

Optional.

expiryDate

string

Optional. Expiration date of the card in one of the formats MM/yy or yyyy-MM or yy-MM (e.g. "03/27"). Must be between 3 to 5 years. Default is 4 years.

idn

string

IDN (or ITIN) of the individual (numbers only). Either an idn or passport is required.

passport

string

Optional. Passport number of the individual.

nationality

ISO31661-Alpha2 string

Required if a passport is used as the main ID. Two letters representing the individual nationality. (e.g. "CM").

Relationships

Name
Type
Description

account

JSON:API Relationship

The account the card belongs to. Holder of the account must be a business.

Example Request:

Response

Response is a JSON:API document.

201 Created

Field
Type
Description

data

BusinessVirtualPrepaidCard

The target resource after the operation was completed.

Example Response:

Displaying Sensitive Card Data

In order to display sensitive card data (card number and CVV2) to a customer, without any of it passing through your systems (which would subject you to PCI compliance requirements), Mansar utilizes a 3rd party service called Very Good Security or VGS for short.

INFO

Displaying card number and CVV2 for physical virtual cards is disabled by default for security reasons.

This functionality can be enabled on Virtual dashboard at: Settings -> Org Settings -> General -> Show sensitive data for virtual cards.

NOTE

Displaying and setting of sensitive card data is only available for active cards.

VGS provides a JavaScript library (as well as iOS and Android SDKs) called VGS Show which allows easy integration with your UI components. VGS Show offloads the PCI compliance burden by enabling the encrypted transmission of sensitive card data from VGS directly to your cardholder.

The VGS Show JavaScript library enables you to securely display sensitive data in a webpage while safely isolating that sensitive data from your systems. VGS Show JavaScript library injects a secure iframe into your HTML. VGS hosts both the iframe, and the data on secure, compliant servers.

Integration steps

Import the VGS Show library:

<script type="text/javascript" src="https://js.verygoodvault.com/vgs-show/1.5/ACh8JJTM42LYxwe2wfGQxwj5.js"></script>

Initialize the component:

const show = VGSShow.create('tntazhyknp1');

Vault ID:

Environment
Vault Id

Sandbox

tntazhyknp1

Live

tnt8w6nrmbu

Provide a valid customer token:

const customerToken = "<CUSTOMER TOKEN>"

CAUTION

The customer token is required to include the cards-sensitive scope.

Mansar recommends avoiding adding additional scopes to the token.

Provide a valid card identifier

path: '/cards/<CARD ID>/secure-data/cvv2'

  • Note: Timeout for this API is 120 seconds

Example of creating a Customer Token for sensitive data:

Additional resources

Example of displaying card number and CVV2:

Activate Card

In order to activate a new card, without any sensitive data passing through your systems (which requires PCI compliance), Mansar utilizes a 3rd party service called Very Good Security or VGS for short.

VGS provides a JavaScript library (as well as iOS and Android SDKs) called VGS Collect which allows easy integration with your UI components. VGS Collect offloads the PCI compliance burden by enabling the encrypted transmission of sensitive card data from VGS directly to the card processor.

VGS Collect JavaScript library injects a secure iframe into your HTML. VGS hosts both the iframe, and the data on secure, compliant servers.

NOTE

Unlike physical cards, virtual cards are created in Active status and do not require activation

Integration steps

Import the VGS Collect library:

<script type="text/javascript" src="https://js.verygoodvault.com/vgs-collect/2.12.0/vgs-collect.js"></script>

Initialize the component:

const form = VGSCollect.create("tntazhyknp1", "sandbox", function(state) {});

Parameters:

Environment
Vault Id
Environment Name

Sandbox

tntazhyknp1

sandbox

Live

tnt8w6nrmbu

live

Provide a valid customer token:

const customerToken = "<CUSTOMER TOKEN>"

CAUTION

The customer token is required to include the cards-sensitive-write scope.

Mansar recommends avoiding adding additional scopes to the token

.

Provide a valid card identifier:

path: '/cards/<CARD ID>/activate'

Required field names and formats:

  • CVV2 field name should be data.attributes.cvv2.

  • Expiration Date field name should be data.attributes.expirationDate.

  • Expiration Date field format should be YYYY-MM.

  • Note: Timeout for this API is 120 seconds

Testing on Sandbox:

  • To simulate the scenario where the customer provides invalid data - send 1970-01 as the expiration date.

  • Sending anything other than that will result in a successful card activation.

Example of creating a Customer Token for Activate Card:

Example of Activate Card:

Report Stolen

Report card as stolen.

Verb

POST

Url

https://api.s.usemansar.xyz/cards/:cardId/report-stolen

Required Scope

cards-write

Timeout (Seconds)

5

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

Report Lost

Report card as lost.

Verb

POST

Url

https://api.s.usemansar.xyz/cards/:cardId/report-lost

Required Scope

cards-write

Timeout (Seconds)

5

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

Close Card

Close a card.

Verb

POST

Url

https://api.s.usemansar.xyz/cards/:cardId/close

Required Scope

cards-write

Timeout (Seconds)

5

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

Freeze Card

Freeze a card (temporarily block a card).

Verb

POST

Url

https://api.s.usemansar.xyz/cards/:cardId/freeze

Required Scope

cards-write

Timeout (Seconds)

5

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

Unfreeze Card

Unfreeze a frozen card.

Verb

POST

Url

https://api.s.usemansar.xyz/cards/:cardId/unfreeze

Required Scope

cards-write

Timeout (Seconds)

5

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

Get by Id

Get a card resource by id.

Verb

GET

Url

https://api.s.usemansar.xyz/cards/{id}

Required Scope

cards

Timeout (Seconds)

5

Query Parameters

Name
Type
Default
Description

include

string

(empty)

Optional. A comma-separated list of related resources to include in the response. Related resources include: customer, account.

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Card resource, distinguished by the type field.

included

Array of CheckingAccount or DepositAccount or Customer

Array of resources requested by the include query parameter.

List

List cards. Filtering and paging can be applied.

Verb

GET

Url

https://api.s.usemansar.xyz/cards

Required Scope

cards

Timeout (Seconds)

5

Query Parameters

Name
Type
Default
Description

page[limit]

integer

100

Optional. Maximum number of resources that will be returned. Maximum is 1000 resources.

page[offset]

integer

0

Optional. Number of resources to skip.

filter[accountId]

string

(empty)

Optional. Filters the results by the specified account id.

filter[customerId]

string

(empty)

Optional. Filters the results by the specified customer id.

filter[tags]

Tags (JSON)

(empty)

Optional. Filter Cards by Tags.

filter[status][]

string

(empty)

Optional. Filter cards by Card Status. Usage example: filter[status][0]=Stolen&filter[status][1]=Lost

include

string

(empty)

Optional. A comma-separated list of related resources to include in the response. Related resources include: customer, account.

sort

string

sort=createdAt

Optional. sort=createdAt for ascending order or sort=-createdAt (leading minus sign) for descending order.

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

Array of IndividualVirtualPrepaidCard or BusinessVirtualPrepaidCard

Array of card resources, distinguished by the type field.

included

Array of Checking Account, DepositAccount or Customer

Array of resources requested by the include query parameter.

Example Response:

Update

Update a virtual card.

NOTE

Card creation requests are sent to the printer at 3AM EST daily. Therefore updates that are made past this time will only change the records but not the physical card.

Verb

PATCH

Url

https://api.s.usemansar.xyz/cards/:cardId

Required Scope

cards-write

Timeout (Seconds)

5

Update Individual Virtual Prepaid Card

Name
Type
Description

design

string

Optional. Card design name. To modify or add specify the key and value.

tags

object

Optional.

limits

object

Optional.

Update Business Virtual Prepaid Card

Name
Type
Description

address

Address

Optional. Address of the card holder. To modify or add specify the new address.

phone

Phone

Optional. Phone of the card holder. To modify or add specify the new phone number.

email

string

Optional. Email address of the card holder. To modify or add specify the new email address.

design

string

Optional. Card design name. To modify or add specify the key and value.

tags

object

Optional.

limits

object

Optional.

Update Individual Virtual Debit Card

Name
Type
Description

tags

object

Optional.

limits

object

Optional.

Update Business Virtual Debit Card

Name
Type
Description

address

Address

Optional. Address of the card holder. To modify or add specify the new address.

phone

Phone

Optional. Phone of the card holder. To modify or add specify the new phone number.

email

string

Optional. Email address of the card holder. To modify or add specify the new email address.

tags

object

Optional.

limits

object

Optional.

Response

Response is a JSON:API document.

200 OK

Field
Type
Description

data

BusinessVirtualPrepaidCard Or IndividualVirtualPrepaidCard resource

The target resource after the operation was completed.

Example of update business virtual prepaid card:

Limits

Verb

GET

Url

https://api.s.usemansar.xyz/cards/:cardId/limits

Timeout (Seconds)

5

Card purchases and withdrawals can be subjected to daily and monthly amount limits. Limits are optional (by default there are no card-specific limits), and can be set when the card is created or updated. The limits are enforced by Mansar, and once the limit is reached, the transaction will be rejected.

The daily limits reset at 12:00 a.m. on the timezone of relevant bank. The monthly limits are reset at the same time on the first of each month.

INFO

Card level limits card-specific are used to allow more granular control and flexibility. The account limits on card activity are enforced in addition to them, across all cards that belong to a certain account combined (i.e. a customer who owns two cards with card ATM Withdrawal Limits of 300,000XAF cannot withdraw 300,000XAF on both cards if their deposit product ATM Withdrawal Limit is set to 500,000XAF).

PreviousStatementsNextAuthorizations

Last updated