m2pfintech

Get masked card list for a customer (deprecated)

DEPRECATED - Use the getDetailsByKitNo API instead for new integrations.

Retrieve a customer card list with masked or full card numbers depending on your PCI DSS certification status. Only PCI DSS certified partners can view full card numbers. Others receive masked card numbers in the format 5123XXXXXX1234.

All arrays in the response are index-aligned. Index 0 in cardList corresponds to index 0 in kitList, expiryDateList, cardStatusList, cardTypeList, and networkTypeList.

Only the entityId field is used by this API. Other fields from the BlockCardDto schema (kitNo, flag, reason) are ignored by the backend.

POST
/Yappay/business-entity-manager/v3/getCardList

Authorization

BearerAuth, TenantHeader

Authorization: Bearer <token>

JWT Bearer token obtained from the /auth/login endpoint

In: header

TENANT: <token>

Tenant identifier provided by M2P (e.g. ENBDTABBY)

In: header

Request Body

application/json

entityId (string, required)

Customer ID used to fetch the card list. This is the only field used by this API.

Length: <= 16

Response Body

application/json

curl -X POST "https://api.m2p.com/Yappay/business-entity-manager/v3/getCardList" \
  -H "Authorization: Bearer <token>" \
  -H "TENANT: <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "entityId": "ABCDEF"
  }'

{
  "result": {
    "cardList": [
      "5123XXXXXX1234"
    ],
    "kitList": [
      "00000123456"
    ],
    "expiryDateList": [
      "1021"
    ],
    "cardStatusList": [
      "ALLOCATED"
    ],
    "cardTypeList": [
      "PHYSICAL"
    ],
    "networkTypeList": [
      "VISA"
    ]
  },
  "exception": null,
  "pagination": null
}

{
  "result": null,
  "exception": {
    "detailMessage": "Customer Id should not be empty",
    "shortMessage": "Customer Id should not be empty",
    "errorCode": "Y1001",
    "languageCode": "en"
  },
  "pagination": null
}
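The index-alignment rule described above, as an added client-side example that is not M2P's own code: it joins the parallel arrays into one record per card, rejects a response whose arrays differ in length, and flags any unmasked card number so it stays out of logs. The names `parse_card_list`, `log_safe`, `CardListError` and the record keys are assumptions, and the second card in the sample is constructed.

```python
import json
import re

# Parallel arrays in the documented "result" object, mapped to record keys.
FIELDS = {"cardList": "card_number", "kitList": "kit_no",
          "expiryDateList": "expiry", "cardStatusList": "status",
          "cardTypeList": "card_type", "networkTypeList": "network"}
# Masked format shown on the page (5123XXXXXX1234); X-run length is assumed to vary.
MASKED_PAN = re.compile(r"\d{4}X+\d{4}")

# Constructed sample: the page's success response extended with a second card.
SAMPLE = json.dumps({"result": {
    "cardList": ["5123XXXXXX1234", "5123XXXXXX5678"],
    "kitList": ["00000123456", "00000123457"],
    "expiryDateList": ["1021", "0926"],
    "cardStatusList": ["ALLOCATED", "ALLOCATED"],
    "cardTypeList": ["PHYSICAL", "PHYSICAL"],
    "networkTypeList": ["VISA", "VISA"]}, "exception": None, "pagination": None})


class CardListError(Exception):
    """Error response, or a result whose arrays cannot be trusted."""


def parse_card_list(body):
    doc = json.loads(body)
    exc = doc.get("exception")
    if exc:
        raise CardListError(f"{exc.get('errorCode')}: {exc.get('shortMessage')}")
    result = doc.get("result") or {}
    columns = [result.get(k) for k in FIELDS]
    if not all(isinstance(c, list) for c in columns):
        raise CardListError("missing or non-array list field")
    if len({len(c) for c in columns}) != 1:
        # zip() would silently truncate and pair a kit with the wrong card.
        raise CardListError("arrays are not index-aligned")
    cards = []
    for row in zip(*columns):
        card = dict(zip(FIELDS.values(), row))
        number = card["card_number"]
        card["is_masked"] = isinstance(number, str) and bool(MASKED_PAN.fullmatch(number))
        cards.append(card)
    return cards


def log_safe(card):
    """Copy of a record that never carries an unmasked card number."""
    return card if card["is_masked"] else {**card, "card_number": "[REDACTED]"}
```
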

Get full card details by kit number POST

Retrieve complete card details including full card number (PAN), name on card, expiry date, and CVV using the kit number. This API returns sensitive card data and must be used only for authorized operations. Both kitNo and token are explicitly validated by the backend. The token is a security token unique to your tenant, provided by M2P during onboarding. It is validated against the m2pBitUrlKey configuration. Ensure secure storage and transmission of the response data in compliance with PCI DSS. This is the recommended API for retrieving card details in external integrations, replacing the older deprecated generateCVV endpoint. When Click to Pay (CTP) is enabled for the tenant, the response includes additional fields: ctpStatus (card-level CTP enrollment status) and ctpPaymentInstrumentId (Visa CTP payment instrument identifier). These fields are only present when CTP is enabled via the BUSINESSCUSTOMFIELD click.to.pay.enable configuration.

Lock, unlock, or permanently block a card POST

Change the status of a customer card. Supports temporary locking, unlocking a locked card, and permanent blocking. Lock (L) is a reversible action that temporarily disables the card. The card can be re-enabled by calling this API with Unlock (UL). Block (BL) is a PERMANENT action. Once a card is blocked, it cannot be reactivated. The customer will need a card replacement through the replaceCard API. Either entityId or kitNo must be provided to identify the card. The flag field is the only truly mandatory field with controller-level validation. Always provide a meaningful reason for audit trail purposes.