Overview
ThecollectPAN() method securely collects credit card details from users through an isolated iframe. The card data is tokenized via Prava’s PCI DSS vault and returns only safe metadata — your servers never see the raw PAN.
Method Signature
Parameters
Configuration options for card collection
Return Value
The
enrollmentId identifies the collected card on the server side. Use your backend and the
API Reference to read payment results and report status for that card.Example
Flow Diagram
Under the Hood
When you callcollectPAN(), here’s what happens:
1
Iframe Injection
The SDK injects a secure, sandboxed iframe into your specified container. The iframe is served from Prava’s domain — card data never touches your DOM or servers.
2
Session Validation
The iframe validates the session token with Prava’s backend to ensure the request is legitimate and not expired.
3
User Input
The user enters their card details (number, expiry, CVV) in the iframe form with real-time validation.
4
PCI DSS Vaulting
When the user submits, the iframe tokenizes the PAN via Prava’s PCI DSS vault. Your servers never see the raw card number.
5
Result
The enrollment result (with
enrollmentId, last4, brand, expMonth, expYear) is returned to your app.Validation States
TheonChange callback receives a CardValidationState object on every keystroke:
isComplete to enable/disable your submit button:
Error Handling
Common Errors
Security Notes
PostMessage communication is origin-locked. The iframe resolves its backend from its own hostname — merchants cannot inject a fake backend URL.
Next Steps
List Cards (API)
Retrieve a customer’s enrolled cards server-side
Get Payment Result
Read the outcome after the card is collected