# Security Overview and Encryption
source: https://developer.mastercard.com/mdes-pre-digitization/documentation/api-basics/security_encryption/index.md

All communication between the MDES Pre-Digitization APIs and the Issuer's servers is secured using mutually authenticated TLS. In addition, all PCI-sensitive data (such as the PAN) and all account holder personally identifiable information (PII, such as the PAR) are encrypted for transport using a separate key. In some cases, the encrypted data also carries a timestamp that specifies the encrypted data's validity period; this prevents the same encrypted data from being replayed after the validity period expires.

All key exchanges comply with the Mastercard Public Key Infrastructure policy.
Note: Keys are subject to renewal according to Mastercard policy.

Two security layers are used for the protection of sensitive PCI/PII information as follows:

1. Communication between MDES Pre-Digitization API and Issuer web service is secured using mutually authenticated TLS.
2. The PCI/PII sensitive data is encrypted using a single-use encryption key *(SK)*, which is transported in a digital envelope, *encryptedKey*, within the TLS tunnel.

The digital envelope is created with the receiver's Encryption Public Key, as summarized in the following table:

|                  API                  |      Encryption Public Key       |          Sender           |         Receiver          |           Payload            | Encrypted payload  |
|---------------------------------------|----------------------------------|---------------------------|---------------------------|------------------------------|--------------------|
| RAM\* API request, AS\*\* API request | Issuer Encryption Public Key     | MDES Pre-Digitization API | Issuer web service        | fundingAccountData           | fundingAccountInfo |
| NSA\*\*\* API request                 | Issuer Encryption Public Key     | MDES Pre-Digitization API | Issuer web service        | fundingAccountData           | fundingAccountInfo |
| GAI\*\*\*\* API request               | Issuer Encryption Public Key     | MDES Pre-Digitization API | Issuer web service        | fundingAccountData           | fundingAccountInfo |
| AS\*\* API response                   | Mastercard Encryption Public Key | Issuer web service        | MDES Pre-Digitization API | AuthorizeServiceResponseData | encryptedPayload   |
| GAI\*\*\*\* API response              | Mastercard Encryption Public Key | Issuer web service        | MDES Pre-Digitization API | AccountInformationData       | encryptedPayload   |
| NTU\*\*\*\*\* API request             | Issuer Encryption Public Key     | MDES Pre-Digitization API | Issuer web service        | fundingAccountData           | fundingAccountInfo |

* RAM\* - requestActivationMethods
* AS\*\* - authorizeService
* NSA\*\*\* - notifyServiceActivated
* GAI\*\*\*\* - getAccountInformation
* NTU\*\*\*\*\* - notifyTokenUpdated

An overview of the PCI/PII payload bulk data encryption process is provided in the figure below.  

![PCI/PII Payload Bulk Data Encryption Process](https://static.developer.mastercard.com/content/mdes-pre-digitization/documentation/img/mdes-issuer-api-diagrams-v3-ah.png "MDES Issuer Diagram")

SK is generated by a strong pseudorandom number generator built into the HSM. SK is wrapped with the receiver's Encryption Public Key in an RSA digital envelope computed using the PKCS#11 C_WrapKey function (section 11.14), which is defined on page 178 of the [PKCS#11 v2.20 standard](https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-20.pdf).

The Issuer, acting either as a receiver of encrypted API payloads (in the RAM API request, NSA API request, and AS API request) or as a sender of encrypted API payloads (in the AS API response), must support two wrapping/unwrapping mechanisms, both for wrapping SK into encryptedKey (when the MDES Pre-Digitization API is the sender and the Issuer web service is the receiver) and for unwrapping encryptedKey to recover SK (when the Issuer web service is the sender and the MDES Pre-Digitization API is the receiver):

| During the onboarding procedure, when the "oaepHashingAlgorithm" parameter is set to ... |                                                                                      Then MDES uses ...                                                                                      |
|------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| NONE                                                                               | the PKCS#1 v1.5 RSA mechanism (section 12.1.6) denoted CKM_RSA_PKCS, defined on page 197 of the [PKCS#11 v2.20 standard](https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-20.pdf)      |
| either *SHA-256* or *SHA-512*                                                      | the PKCS#1 RSA OAEP mechanism (section 12.1.8) denoted CKM_RSA_PKCS_OAEP, defined on page 200 of the [PKCS#11 v2.20 standard](https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-20.pdf) |


Within the mechanism parameter structure CK_RSA_PKCS_OAEP_PARAMS (section 12.1.7), defined on page 200 of the [PKCS#11 v2.20 standard](https://www.cryptsoft.com/pkcs11doc/STANDARD/pkcs-11v2-20.pdf), the following two parameters are considered:

* CK_MECHANISM_TYPE indicates the message digest algorithm used to calculate the digest of the encoding parameter;
* CK_RSA_PKCS_MGF_TYPE indicates the Mask Generation Function (MGF) to use on the encoded block.


When acting as a sender, the MDES Pre-Digitization API and the Issuer web service fill in these parameters as follows:

| If during onboarding the Issuer has chosen ... |                         Then the sender sets ...                        |
|------------------------------------------------|-------------------------------------------------------------------------|
| "oaepHashingAlgorithm" = "SHA256"              | CK_MECHANISM_TYPE = CKM_SHA256; CK_RSA_PKCS_MGF_TYPE = CKG_MGF1_SHA256 |
| "oaepHashingAlgorithm" = "SHA512"              | CK_MECHANISM_TYPE = CKM_SHA512; CK_RSA_PKCS_MGF_TYPE = CKG_MGF1_SHA512 |

The sender exposes:

* The digital envelope encryptedKey containing the one-time key SK.
* The bulk-encrypted data encryptedData containing the sensitive data.
* The hashing algorithm used by the OAEP scheme, when one was chosen: oaepHashingAlgorithm.
* The fingerprint publicKeyFingerprint of the receiver's Encryption Public Key used by the encryption scheme to compute the digital envelope.
* The initialization vector iv for the bulk encryption with AES in CBC block cipher mode.

Tip: Do you want to learn more about the authentication and encryption schemes Mastercard uses? For that, read our [Securing Sensitive Data Using Payload Encryption](https://developer.mastercard.com/platform/documentation/security-and-authentication/securing-sensitive-data-using-payload-encryption/).
