Overview: Embedded Scope
Introduction
This scope lets you manage cards and card transactions. More specifically, the following capabilities are included:
- Read basic information about the organization (full legal name and status)
- Read cardholder data (title, name, email address, mobile number, status)
- Register new cardholders (Note: email and mobile number must have been confirmed)
- Update cardholder data (Note: change of email and mobile number must have been confirmed with MFA)
- Deactivate cardholders (active cards will be automatically terminated)
- Read and receive updates about basic card data (including read spending and limit data)
- Request new cards for cardholders
- Request card limit changes
- Update card label
- Lock and unlock card
- Terminate card
- View PIN of physical card
- View PAN & CVV of card
- Read card history
- Read and receive updates about transaction data, add comments
- Read and receive updates about bill payment data
This is the most advanced and extensive scope. It includes all the functionality of the synced scope and extends it with everything required to fully manage cards and card transactions from a cardholder perspective on the partner app side. Thus you are able to:
- Issue cards
- Change card limits
- Approve card requests
- Reject card requests
- Credit card statements
- Access credit card statement details
Is this the right scope for me?
This scope is relevant for partners that:
- want to launch their own, fully-fledged credit card programme without any frontend provided by us
- aim for having a long-term partnership with us
Credit Card Statements
Credit card statements are basically the monthly credit card bills we generate with some master data (billing period, opening and closing balances, total transactions amount, total payment amount ...). We do offer PDF files (DE & EN) but provide the raw data as well (so you could use your own corporate identity).
Important Remarks
In this use case, the cardholder does not get access to the Pliant cardholder app any more, i.e. the user is registered directly on the Pliant platform via the partner app and does not get any login data for the Pliant app at all. All cardholder and card-related functionality will be fully provided by the partner app.
In addition to the partner app, the customer organization will use a Pliant admin app which is limited to functionalities regarding managing cards, viewing transactions (no receipt tracking and/or accounting features) and paying bills.
Users with admin roles will have to register separately for the Pliant admin app. If those admin users are also cardholders, instead of switching to the Pliant cardholder app, they will have the possibility to switch to the partner app with the embedded wallet functionality (later potentially with SSO capabilities).
Cardholders cannot be invited through the Pliant admin app, but only through the partner app. For organizations that use the embedded wallet functionality, it is therefore recommended that the partner app automatically registers all users with Pliant as soon as they are registered in the partner app. That way, the customer organization's admin users can freely choose which users to issue cards to, without an extra step to separately register such users in the Pliant app via the partner app.
Security & Compliance
With the embedded scope, the partner app handles all interactions with the cardholder user, such as retrieving card security details (PAN, CVV, and PIN for physical cards). Therefore, the partner's app is required to have appropriate security measures in place. The card details must only be made accessible to a user who has logged in using a PSD2-compliant MFA method. An MFA method must also be applied when security-related cardholder details are updated.
In most cases, sensitive card details like PAN and CVV are handled via a dedicated web widget, which removes the necessity for a PCI-DSS compliance audit of the partner.
However, if the partner aims to automatically process sensitive card data, then PCI-DSS compliance needs to be discussed. Please contact us for further information.