Skip to main content

Overview

The collectPAN() method securely collects credit card details from users through an isolated iframe. The card data is tokenized via Prava’s PCI DSS vault and returns only safe metadata — your servers never see the raw PAN.

Method Signature

Parameters

options
CollectPANOptions
required
Configuration options for card collection

Return Value

result
CollectPANResult
The enrollmentId identifies the collected card on the server side. Use your backend and the API Reference to read payment results and report status for that card.

Example

Flow Diagram

Under the Hood

When you call collectPAN(), here’s what happens:
1

Iframe Injection

The SDK injects a secure, sandboxed iframe into your specified container. The iframe is served from Prava’s domain — card data never touches your DOM or servers.
2

Session Validation

The iframe validates the session token with Prava’s backend to ensure the request is legitimate and not expired.
3

User Input

The user enters their card details (number, expiry, CVV) in the iframe form with real-time validation.
4

PCI DSS Vaulting

When the user submits, the iframe tokenizes the PAN via Prava’s PCI DSS vault. Your servers never see the raw card number.
5

Result

The enrollment result (with enrollmentId, last4, brand, expMonth, expYear) is returned to your app.

Validation States

The onChange callback receives a CardValidationState object on every keystroke:
Use isComplete to enable/disable your submit button:

Error Handling

Common Errors

Security Notes

Never attempt to bypass the iframe or collect card data directly. The iframe is sandboxed with allow-scripts allow-same-origin allow-forms allow-popups allow-popups-to-escape-sandbox and a permissions policy of payment; publickey-credentials-get; publickey-credentials-create. Card data never touches your DOM, JS, or servers.
PostMessage communication is origin-locked. The iframe resolves its backend from its own hostname — merchants cannot inject a fake backend URL.

Next Steps

List Cards (API)

Retrieve a customer’s enrolled cards server-side

Get Payment Result

Read the outcome after the card is collected