Security Model at a Glance

This section provides a high-level view of the trust model and security artifacts used in Samsung Wallet Cards integrations.

Samsung Wallet Cards security is based on:

  • Certificate-based trust established during onboarding (CSR-based).
  • Signed JWT (JWS) for REST API authorization and request binding.
  • JWS-wrapped JWE for confidential transport of card/authentication payloads (cdata).
  • Reference identifiers (refId / pdata) for indirection-based flows (Data Fetch Link).

Actors and Trust Anchors

This subsection defines the participating systems and the trust anchors used to establish and validate secure communication.

Actors

  • Partner Portal: Used by partners to configure service settings and register certificate-related onboarding information.
  • Partner Server (Backend): Generates security tokens (Authorization Token, cdata), exposes Partner APIs (e.g., Get Card Data), and receives callbacks/events.
  • Samsung Wallet Server (Backend): Validates partner-issued tokens, processes encrypted payloads, calls Partner APIs, and exposes Samsung Server APIs.
  • Client (Samsung Wallet App / Web JS): Initiates ATW/VWW flows carrying either cdata or pdata.

Trust Anchors

  • Partner Private Key: Used by the partner to sign JWS and (where applicable) to support encryption workflows.
  • Onboarding certificate artifacts: A certificate identifier (certificateId) and partner identifier (partnerId) are used to reference onboarding artifacts in tokens and selected API flows.

Security Artifacts and Where They Apply

This subsection summarizes the primary security artifacts and the interfaces where they are used.

| Artifact | Purpose | Where used |
| --- | --- | --- |
| Authorization Token (JWT / JWS) | REST API authorization + request binding | REST API calls (both Samsung↔Partner directions) include Authorization header. |
| Card Data Token (cdata) (JWS-wrapped JWE) | Confidential + integrity-protected card payload transport | ATW/VWW Data Transmit Link and web/app button flows. |
| Reference ID (refId / pdata) | Indirection identifier for Data Fetch Link | Data Fetch Link uses pdata(refId) and requires high-entropy/unpredictable generation. |
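
The requirement that refId be high-entropy and unpredictable can be met on the Partner Server as sketched below. This is an added example, not Samsung's or the page's own code. The `RefIdStore` class, the 256-bit length, the expiry window and the digest-only storage are assumptions made for illustration.

```python
import hashlib
import re
import secrets
import time

REF_ID_BYTES = 32  # assumption: 256 bits of CSPRNG output per refId
# token_urlsafe(32) yields 43 unpadded base64url characters.
_REF_ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")


class RefIdStore:
    """Hypothetical partner-side registry: refId -> card payload."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds      # assumption: refIds expire
        self._clock = clock
        self._records = {}           # sha256(refId) -> (expires_at, payload)

    @staticmethod
    def _key(ref_id):
        # Keep only a digest so a leaked table does not expose usable refIds.
        return hashlib.sha256(ref_id.encode("ascii")).hexdigest()

    def issue(self, payload):
        # secrets draws from the OS CSPRNG; never derive refId from counters,
        # timestamps, user IDs or random.random().
        ref_id = secrets.token_urlsafe(REF_ID_BYTES)
        self._records[self._key(ref_id)] = (self._clock() + self._ttl, payload)
        return ref_id

    def resolve(self, ref_id):
        """Return the payload for a well-formed, known, unexpired refId, else None."""
        if not isinstance(ref_id, str) or not _REF_ID_RE.fullmatch(ref_id):
            return None
        key = self._key(ref_id)
        record = self._records.get(key)
        if record is None:
            return None
        expires_at, payload = record
        if self._clock() >= expires_at:
            del self._records[key]
            return None
        return payload


if __name__ == "__main__":
    store = RefIdStore()
    rid = store.issue({"card": "constructed-sample"})
    print(rid, store.resolve(rid))
```

In this sketch `resolve` is the lookup a Get Card Data handler would perform after the caller's Authorization Token has been validated; the refId alone is not treated as proof of authorization.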