Exporting credit card mandates from Mollie

Note

This document is for payment service providers who wish to export a merchant’s credit card mandates from Mollie for migration purposes.

If a merchant wishes to switch to a different payment service provider, the merchant can export a list of their credit card mandates from the Mollie Dashboard. This way, existing mandates can be transferred to the new payment service provider.

You must provide the merchant with your public PGP key, to which the export should be encrypted.

The merchant must contact Mollie to enable the functionality to export the mandates.

Then, the merchant can upload your public PGP key in the Mollie Dashboard and export the mandates from there. Additionally, the merchant must download the public key of Mollie that is used for signing the export.

The merchant will thus provide you with:

  1. A CSV file containing the export, encrypted to your PGP public key and signed by Mollie’s PGP key.
  2. A unique public key generated by Mollie that is used for signing the encrypted file.

Steps to extract the mandate export

Warning

Note that the decrypted export contains Card Holder Data as defined under PCI-DSS. Make sure the decryption is only performed in compliant environments.

We recommend using GnuPG for decryption and signature verification.

First, put the export file, your private key and Mollie’s public key in a dedicated folder, e.g. ~/mollie-export.

$ ls -ls
8 -rw-r--r--@ 1 user  staff  3431 Apr 21 16:07 competitor-private.gpg
8 -rw-r--r--@ 1 user  staff  1578 Apr 21 16:08 export.gpg
8 -rw-r--r--@ 1 user  staff  3904 Apr 21 16:08 mollie-public.gpg

Initialize a GnuPG keybox in the current folder and import the required keys. You may be prompted for your passphrase.

$ gpg --homedir . --import competitor-private.gpg  mollie-public.gpg

gpg: keybox '~/mollie-export/exports/pubring.kbx' created
gpg: ~/mollie-export/exports/trustdb.gpg: trustdb created
gpg: key 63334E285D901170: public key "Competitor Private Key <imports@competitor.com>" imported
gpg: key 63334E285D901170: secret key imported
gpg: key D6051B52CD370E56: public key "Mollie Import 2853921 <merchant-2853921-20200421-155329@mollie.com>" imported
gpg: Total number processed: 2
gpg:               imported: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Then, instruct GnuPG to decrypt the message:

$ gpg --homedir . --output decrypted.gpg --decrypt export.gpg
gpg: encrypted with 2048-bit RSA key, ID A2EB785078DB5DA8, created 2020-04-21
      "Competitor Private Key <imports@competitor.com>"

Finally, verify the signature of the decrypted export using Mollie’s public key.

The key is not signed by Mollie by default. If you would like the key to be signed, contact security@mollie.com and we will confirm the authenticity of the public key and return a signed version of the key to you.

$ gpg --homedir . --output verified.csv --verify decrypted.gpg
gpg: Signature made Tue Apr 21 15:56:37 2020 CEST
gpg:                using RSA key 09055A078D6B55BA
gpg: Good signature from "Mollie Import 2853921 <merchant-2853921-20200421-155329@mollie.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 4B7B DEE3 E2EF DF20 C21F  A316 D605 1B52 CD37 0E56
     Subkey fingerprint: E67B 54E3 8423 B30E 77FD  F82F 0905 5A07 8D6B 55BA

You can find the decrypted credit card mandate export in verified.csv.
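
Because Mollie’s key is shown as [unknown] in the output above, "Good signature" only proves the file was signed by whichever key was imported. The following added example (not part of Mollie’s documentation) wraps the verification step and accepts the export only if the signer’s primary key fingerprint matches a pinned value; the function names are hypothetical, and the pinned fingerprint is the one from the sample output above.

```shell
#!/bin/sh
# Added example: pin the export's signer to a fingerprint confirmed out of band.
# The value below is the primary key fingerprint from this page's sample output
# (spaces removed); replace it with the one confirmed for your merchant's key.
EXPECTED_PRIMARY_FPR="4B7BDEE3E2EFDF20C21FA316D6051B52CD370E56"

# Read `gpg --status-fd` lines on stdin and print the primary key fingerprint
# (field 12 of VALIDSIG). Fails unless there is exactly one valid signature
# and no expired-signature or expired/revoked-key status.
signer_primary_fpr() {
    awk '$1 != "[GNUPG:]" { next }
         $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
         $2 == "VALIDSIG" && NF >= 12 { n++; fpr = $12 }
         END { if (bad || n != 1) exit 1; print fpr }'
}

# Succeed only if the status text names the pinned key as the signer.
status_is_pinned() {
    fpr=$(printf '%s\n' "$1" | signer_primary_fpr) || return 1
    [ "$fpr" = "$EXPECTED_PRIMARY_FPR" ]
}

# verify_export SIGNED_FILE OUT_CSV: same gpg call as the page, plus pinning.
# The output holds cardholder data, so it is created owner-only and deleted
# again if the signature or the fingerprint check fails.
verify_export() {
    umask 077
    rc=0
    status=$(gpg --homedir . --batch --status-fd 1 \
                 --output "$2" --verify "$1" 2>/dev/null) || rc=$?
    if [ "$rc" -ne 0 ] || ! status_is_pinned "$status"; then
        rm -f -- "$2"
        echo "signature not made by pinned key; $2 removed" >&2
        return 1
    fi
}

if [ "$#" -eq 2 ]; then verify_export "$1" "$2"; fi
```

Run it in the export folder as `sh verify-pinned.sh decrypted.gpg verified.csv` (the script name is an assumption) in place of the plain `--verify` call.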

Export file format

The exported mandates file is a comma-separated file with the following columns:

old_customer_id,card_number,card_exp_month,card_exp_year,transaction_id,name
mdt_123456,4242424242424242,12,2023,987654321234567,"John Doe"

Note

transaction_id refers to the scheme transaction ID of the initial transaction that authorized the recurring payments.

card_exp_month refers to the month number without a leading zero. For example, 1 for January.

card_exp_year refers to the year in the yyyy format. For example, 2000 for the start of the millennium.