Encrypting Account Data
In accordance with security best practices, the /transfer-to/bills/initiate endpoint used to initiate RPPS bill payments requires that sensitive account numbers be encrypted.
Included below is a code snippet that performs the encryption using the node.js crypto module. The example uses RSA public-key encryption with OAEP padding and SHA-256 as the OAEP hash (RSA-OAEP); equivalent implementations exist for other languages and platforms through the Web Crypto API.
The inputs to the encryption call are the user's public key and the account number. The result is a base64-encoded ciphertext with a length of 344 characters.
Make sure to npm install --save crypto fs if you do not have these dependencies already in your project.
The PEM public keys necessary for account number encryption are available through a GET /transfer-to/bills/public-encryption-keys request.
Encryption Example using Privacy Enhanced Mail (PEM) Certificate
    const fs = require("fs");
    const crypto = require("crypto");

    const str = "52187600########"; // account number for billerId 9000005588, replace #'s with digits
    // PEM public key obtained from GET /transfer-to/bills/public-encryption-keys
    const publicKey = fs.readFileSync("public.key", "utf8");

    (async () => {
      const encoded = Buffer.from(str, "utf-8");
      // RSA-OAEP with SHA-256; the output is base64 text (344 characters for this key size)
      const sendStr = crypto.publicEncrypt({
        key: publicKey,
        padding: crypto.constants.RSA_PKCS1_OAEP_PADDING,
        oaepHash: "sha256"
      }, encoded).toString("base64");
      console.log(sendStr);
    })();
Encryption Example using JSON Web Key (JWK)
    const fs = require("fs");
    const crypto = require("crypto").webcrypto; // Web Crypto API, available in node.js 15+

    const str = "52187600########"; // some account number for billerId 9000005588, replace #'s with digits
    // JWK public key obtained from GET /transfer-to/bills/public-encryption-keys
    const jwkPublicKey = fs.readFileSync("./src/encryption/public_primary.jwk", "utf8");

    (async () => {
      const encoded = Buffer.from(str, "utf-8");
      // Import the JWK as an RSA-OAEP/SHA-256 public key usable for encryption
      const publicKey = await crypto.subtle.importKey("jwk", JSON.parse(jwkPublicKey), {
        name: "RSA-OAEP",
        hash: "SHA-256"
      }, true, ["encrypt", "wrapKey"]);
      const mess = await crypto.subtle.encrypt({ name: "RSA-OAEP" }, publicKey, encoded);
      // Same base64 form as the PEM example above
      const sendStr = Buffer.from(mess).toString("base64");
      console.log(sendStr);
    })();