Set or change the card PIN
Set or change the PIN for a customer card. The PIN never travels in cleartext: it must be formatted as an ISO 9564 Format 0 PIN block, encrypted with AES, and then Base64 encoded before it is sent.
All fields (entityId, pin, kitNo, expiryDate, dob) are explicitly validated by the backend. Missing any field returns a specific error code.
PIN Block Creation Process
Step 1: Take the 4-digit clear PIN.
Step 2: Create an ISO 9564 Format 0 PIN block by XOR-ing the plain text PIN field with the account number field (both are 16 four-bit nibbles / 64 bits).
Step 3: Encrypt the PIN block using AES with the pre-shared key provided by M2P.
Step 4: Base64 encode the encrypted result.
Step 5: Send the encoded value in the pin field.
Plain Text PIN Field Format
Nibble 1 is 0 (format identifier).
Nibble 2 is N (PIN length, typically 4).
Nibbles 3 to N+2 are the PIN digits.
Nibbles N+3 to 16 are filled with F (hex).
Example for PIN 1234: 0 4 1 2 3 4 F F F F F F F F F F
Account Number Field Format
Nibbles 1-4 are 0000.
Nibbles 5-16 are the rightmost 12 digits of the PAN (excluding check digit).
Kit Number Padding
The kit number must be exactly 16 digits for PIN block generation. If shorter, prepend zeros. For example, a 9-digit kit 130005054 becomes 0000000130005054.
The PIN can be changed by calling this API again with the new encrypted PIN. The DOB must match the specialDate from the original registration. The expiryDate must be in MMYY format.
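The five steps above, worked through in Go as an added example; this is not M2P's code or SDK. Assumptions: the PAN feeding the account number field is the public Visa test number 4111111111111111, the key is a 16-byte placeholder standing in for the pre-shared key, and, because the page names no AES mode or padding, the 64-bit PIN block is zero-padded to one AES block and encrypted as a single raw block. All function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// isDigits reports whether s is non-empty and consists only of ASCII digits.
func isDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// PadKitNo left-pads a kit number with zeros to exactly 16 digits (kitNo field).
func PadKitNo(kit string) (string, error) {
	if !isDigits(kit) || len(kit) > 16 {
		return "", errors.New("kit number must be 1-16 digits")
	}
	return strings.Repeat("0", 16-len(kit)) + kit, nil
}

// pinField builds the 16-nibble plain-text PIN field of ISO 9564 Format 0:
// nibble 1 = 0 (format), nibble 2 = PIN length, the PIN digits, then F fill.
func pinField(pin string) ([]byte, error) {
	if !isDigits(pin) || len(pin) < 4 || len(pin) > 12 {
		return nil, errors.New("PIN must be 4-12 digits")
	}
	h := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(h + strings.Repeat("F", 16-len(h)))
}

// panField builds the account number field: 0000 followed by the rightmost
// 12 digits of the PAN with the check digit (last digit) excluded.
func panField(pan string) ([]byte, error) {
	if !isDigits(pan) || len(pan) < 13 {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// BuildFormat0PinBlock XORs the two fields into the 8-byte clear PIN block (Step 2).
func BuildFormat0PinBlock(pin, pan string) ([]byte, error) {
	p, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	a, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = p[i] ^ a[i]
	}
	return block, nil
}

// EncryptPinBlock performs Steps 3 and 4. ASSUMPTION (the page states no mode
// or padding): the 8-byte block is zero-padded to one 16-byte AES block and
// encrypted as a single raw block; confirm the exact scheme with M2P.
func EncryptPinBlock(block, key []byte) (string, error) {
	if len(block) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	c, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return "", err
	}
	in := make([]byte, aes.BlockSize)
	copy(in, block)
	out := make([]byte, aes.BlockSize)
	c.Encrypt(out, in)
	return base64.StdEncoding.EncodeToString(out), nil
}

// DecryptPinBlock reverses EncryptPinBlock under the same assumption (the
// receiving side's first step) so the round trip can be checked.
func DecryptPinBlock(b64 string, key []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) != aes.BlockSize {
		return nil, errors.New("expected Base64 of exactly one AES block")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	c.Decrypt(out, ct)
	return out[:8], nil
}

func main() {
	// Constructed sample values: the page's PIN and kit number, a public test PAN, placeholder key.
	key := []byte("0123456789abcdef") // 16 bytes -> AES-128; NOT M2P's pre-shared key
	block, _ := BuildFormat0PinBlock("1234", "4111111111111111")
	fmt.Printf("clear PIN block: %X\n", block) // 041225EEEEEEEEEE
	enc, _ := EncryptPinBlock(block, key)
	fmt.Println("pin field value:", enc)
	kit, _ := PadKitNo("130005054")
	fmt.Println("kitNo:", kit) // 0000000130005054
}
```

Format 0 is deterministic for a given PIN and PAN, so the value in the pin field is only as protected as the pre-shared key: keep that key in an HSM or secrets store rather than in client code or logs, and discard the clear PIN and clear block from memory as soon as the request body has been built.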
Authorization
BearerAuth (in: header): JWT Bearer token obtained from the /auth/login endpoint.
TenantHeader (in: header): Tenant identifier provided by M2P (e.g. ENBDTABBY).
Request Body
application/json
entityId: Customer ID. Mandatory - validated with a specific error code if missing. Length <= 50.
pin: 4-digit PIN encrypted as an ISO 9564 Format 0 PIN block, AES encrypted, and Base64 encoded. Never send the cleartext PIN. Length <= 100.
kitNo: Kit number. Must be exactly 16 digits (pad with leading zeros if shorter). Mandatory. Length <= 16.
expiryDate: Card expiry date in MMYY format (e.g. 1021 for October 2021). Mandatory. Length <= 4.
dob: Date of birth in DDMMYYYY format (e.g. 09031993 for March 9, 1993). Must match the specialDate from registration. Mandatory. Length <= 8.
Proxy number. Optional. Length <= 20.
Dynamic PIN flag. Optional.
Response Body
application/json

Example request:
curl -X POST "https://api.m2p.com/Yappay/business-entity-manager/setPin" \
  -H "Content-Type: application/json" \
  -d '{
    "entityId": "MyCust001",
    "pin": "JtJqooZO0O4AL1syevMHR+CeRxOcQr59+7A/1AgWTFIQ=",
    "kitNo": "000000000001",
    "expiryDate": "1021",
    "dob": "09031993"
  }'

Success response (application/json):
{
  "result": {
    "status": true
  },
  "exception": null,
  "pagination": null
}

Error response (application/json), here for a missing entityId:
{
  "result": null,
  "exception": {
    "detailMessage": "Customer Id should not be empty",
    "shortMessage": "Empty EntityId",
    "errorCode": "Y1001",
    "languageCode": "en"
  },
  "pagination": null
}

Validate a one-time password POST
Validate an OTP received by the customer. The purpose field must match the purpose used when generating the OTP. OTPs have a limited validity period (typically 5 minutes). Expired OTPs return error code Y101. Incorrect OTPs return error code Y103. After 3 failed attempts, the OTP is invalidated and a new one must be generated.
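The validation rules in the paragraph above (5-minute validity, Y101 for expired, Y103 for incorrect, invalidation after 3 failures) as a small server-side state machine in Go. This is an added example, not M2P's implementation: the in-memory store, the SET_PIN purpose string and the sample codes are constructed, and two behaviours the page does not specify are assumptions marked in the code (a purpose mismatch counts as an incorrect OTP; an entity with no outstanding OTP receives Y101).

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"time"
)

// Error codes and policy quoted from the page: Y101 for an expired OTP, Y103 for
// an incorrect one, 5-minute validity, invalidation after 3 failed attempts.
const (
	ErrExpired   = "Y101"
	ErrIncorrect = "Y103"
	maxAttempts  = 3
	otpValidity  = 5 * time.Minute
)

type otpEntry struct {
	code, purpose string
	issuedAt      time.Time
	failures      int
}

// OtpStore keeps at most one outstanding OTP per entityId (illustrative, in-memory).
type OtpStore struct{ entries map[string]*otpEntry }

func NewOtpStore() *OtpStore { return &OtpStore{entries: map[string]*otpEntry{}} }

// Issue records a freshly generated OTP, replacing any outstanding one.
func (s *OtpStore) Issue(entityId, purpose, code string, now time.Time) {
	s.entries[entityId] = &otpEntry{code: code, purpose: purpose, issuedAt: now}
}

// Validate checks one attempt and returns "" on success or the page's error
// code. ASSUMPTIONS: a purpose mismatch counts as an incorrect OTP, and an
// entity with no outstanding OTP (never issued, consumed, or invalidated)
// gets Y101 so the caller knows a new one must be generated.
func (s *OtpStore) Validate(entityId, purpose, code string, now time.Time) string {
	e, ok := s.entries[entityId]
	if !ok {
		return ErrExpired
	}
	if now.Sub(e.issuedAt) > otpValidity {
		delete(s.entries, entityId)
		return ErrExpired
	}
	// Constant-time comparison so response timing does not leak matching digits.
	match := e.purpose == purpose && subtle.ConstantTimeCompare([]byte(e.code), []byte(code)) == 1
	if !match {
		e.failures++
		if e.failures >= maxAttempts {
			delete(s.entries, entityId) // invalidated: a new OTP must be generated
		}
		return ErrIncorrect
	}
	delete(s.entries, entityId) // one-time use: a successful OTP cannot be replayed
	return ""
}

func main() {
	// Constructed walk-through: purpose string and codes are sample values.
	s := NewOtpStore()
	t0 := time.Now()
	s.Issue("MyCust001", "SET_PIN", "482913", t0)
	fmt.Printf("wrong code: %q\n", s.Validate("MyCust001", "SET_PIN", "000000", t0)) // "Y103"
	fmt.Printf("right code: %q\n", s.Validate("MyCust001", "SET_PIN", "482913", t0)) // ""
}
```

A production store would persist entries with a TTL and serialize concurrent attempts per entity, so that parallel requests cannot exceed the three-attempt limit.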
Get encrypted card data for digital wallet provisioning POST
Retrieve encrypted card details (account number, expiration, billing address) for secure card provisioning into digital wallets such as Apple Pay and Google Pay. Important - This endpoint does NOT use the /Yappay/ prefix. The full path is /provision/v1/encryptedCardData. The signedNonce is a one-time use security token. The response contains encrypted card data suitable for passing to wallet SDKs for in-app provisioning. The billing address in the response is populated from the customer registration address on file. If an address is provided in the request, it overrides the address on file. Ensure PCI DSS compliant handling of all encrypted card data in the response.
