Real-Time Account Updater

Last updated: July 9, 2025

The Real-Time Account Updater service automatically updates payment card details when they change, resulting in an increased payment acceptance rate.

Information

To enable Real-Time Account Updater, contact your account manager or request support.

If your level of Payment Card Industry (PCI) compliance is SAQ D, you can also request to receive encrypted full primary account numbers (FPANs).

You can enable the following services individually with the Real-Time Account Updater:

Card scheme	Service	Description
Mastercard	Store & Update	Updates details of cards stored in the Vault independently of the payment flow. All stored cards are eligible for updates, regardless of usage.
Mastercard	Update & Retry	Updates details of cards during the payment authorization stage. Only active cards experiencing specific decline codes are eligible for updates. Available for payments requested using a payment instrument or full card details.
Visa	Account Updater

Card scheme

Service

Description

Mastercard

Store & Update

Updates details of cards stored in the Vault independently of the payment flow.

All stored cards are eligible for updates, regardless of usage.

Mastercard

Update & Retry

Updates details of cards during the payment authorization stage.

Only active cards experiencing specific decline codes are eligible for updates.

Available for payments requested using a payment instrument or full card details.

Visa

Account Updater

Information

Mastercard Update & Retry immediately retries payment authorization with the updated card details.

To be eligible to receive a card update, payments that trigger the Real-Time Account Updater during the authorization stage must be:

Either a merchant-initiated transaction (MIT) or a card-on-file cardholder-initiated transaction (CIT)
Requested using a payment instrument or full card details – Payments with network tokens do not trigger an update
For an amount greater than zero – Card verifications do not trigger an update

When you call the Request a payment or Get payment details endpoints, the response returns an account_update_status field which specifies the outcome of the update:

card_closed – The issuer closed the account and has not opened a new one – Contact the cardholder and request alternative card details
card_expiry_updated – The card expiry date was updated
card_updated – The card number was updated
contact_cardholder – The card details changed but the cardholder opted out of the Account Updater service via the issuer – Contact the cardholder and request alternative card details
update_failed – The card update failed – For more details, see the account_update_failure_code field

If the update is successful, the response also returns the updated card details in the following source fields:

bin
expiry_month
expiry_year
fingerprint
last4

Information

If a Visa card update fails, you receive an account_update_failure_code which provides the failure reason as a Real-Time Account Updater response code.


1{
2  "id": "pay_mbabizu24mvu3mela5njyhpit4",
3  "action_id": "act_mbabizu24mvu3mela5njyhpit4",
4  "amount": 6540,
5  "currency": "USD",
6  "approved": true,
7  "status": "Authorized",
8  "response_code": "10000",
9  "source": {
10    "id": "src_nwd3m4in3hkuddfpjsaevunhdy",
11    "last4": "4242",
12    "fingerprint": "F31828E2BDABAE63EB694903825CDD36041CC6ED461440B81415895855502832",
13    "bin": "424242",
14    "expiry_month": 10,
15    "expiry_year": 2027
16  },
17  "processed_on": "2019-09-10T10:11:12Z",
18  "_links": {
19    "self": {
20      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4"
21    },
22    "action": {
23      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4/actions"
24    }
25  }
26}

If you've configured your webhook receiver, you'll also receive the updated card details and outcome via the payment approved or payment declined webhooks.

Information

You can generate a Real Time Account Updater Report to see a comprehensive history of all card updates made by the Real-Time Account Updater service during the selected timeframe.

Subscribe to the card updated webhook to receive the original and updated card details when an update triggers. The webhook provides the card details in the original_card and replacement_card objects.

You also receive a reason_type field, which specifies the outcome of the update:

card_closed – The issuer closed the account and has not opened a new one – Contact the cardholder and request alternative card details
card_expiry_updated – The card expiry date changed
card_updated – The card number changed
contact_cardholder – The card details changed but the cardholder opted out of the Account Updater service via the issuer – Contact the cardholder and request alternative card details
update_failed – The card update failed – For more details, see the account_update_failure_code field

Information

To enable FPANs for card updates, contact your account manager or request support.

If your PCI compliance level is SAQ D, you receive the card's FPAN when an update triggers.

You must securely provide Checkout.com with a public key that we will use to encrypt the FPAN.

Generate an RSA public/private key pair. The RSA key pair must use a key size of at least 2048 bits.
We recommend that you generate the RSA keys using an appropriate hardware security module (HSM) and store them using strong encryption with appropriate access control and auditing. Cloud service providers such as AWS KMS, Azure Key Vault, and Google Cloud KMS provide the ability to generate or store key pairs if you do not have an existing system in place.
Record the key fingerprint.
This will be the base64-encoded SHA-256 digest of the DER-encoded X.509 format of the certificate (generated based on RFC 7515: JSON Web Signature (JWS)) and supplied as a header in the JWE response to indicate which key has been used.
Send the public key to your account manager or request support.
We will only use a public key for a maximum of one year. You must provide Checkout.com with a new key at least once per year.

Information

You are responsible for the creation, protection, and rotation of any encryption keys you use for the Real-Time Account Updater. You must appoint a key custodian and formally acknowledge this responsibility in writing or electronically in accordance with PCI DSS Requirement 3.6.8.

When you call the Request a payment endpoint, you receive the encrypted updated FPAN in the source.encrypted_card_number field. If you receive the encrypted_card_number, the response does not return the bin or last4.


1{
2  "id": "pay_mbabizu24mvu3mela5njyhpit4",
3  "action_id": "act_mbabizu24mvu3mela5njyhpit4",
4  "amount": 6540,
5  "currency": "USD",
6  "approved": true,
7  "status": "Authorized",
8  "response_code": "10000",
9  "source": {
10    "type": "card",
11    "fingerprint": "F31828E2BDABAE63EB694903825CDD36041CC6ED461440B814…",
12    "expiry_month": 10,
13    "expiry_year": 2027,
14    "encrypted_card_number": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz…"
15  },
16  "processed_on": "2019-09-10T10:11:12Z",
17  "_links": {
18    "self": {
19      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4"
20    },
21    "action": {
22      "href": "https://api.sandbox.checkout.com/payments/pay_mbabizu24mvu3mela5njyhpit4/actions"
23    }
24  }
25}

The value returned in the source.encrypted_card_number field is the card number, encrypted using the RSA public key you provided. The encryption uses JWE with a 256 GCM-encrypted payload and is key-encrypted using RSA OAEP 256.

Many language frameworks include support for JOSE (JavaScript Object Signing and Encryption). The following Node.js example demonstrates how to programmatically decrypt the card number and verify the fingerprint of the RSA public key:


1import fs from "fs/promises";
2import jose from "node-jose";
3import sshpk from "sshpk";
4
5async function decrypt(privateKeyFile: string, payload: string) {
6  try {
7    // Read private key file
8    const keyBytes = await fs.readFile(privateKeyFile);
9
10    // Parse private key
11    const privateKey = sshpk.parsePrivateKey(keyBytes, "pem");
12
13    // Convert private key to JWK format
14    const key = jose.JWK.asKey(privateKey.toBuffer("pkcs8"), "pem");
15
16    // Decrypt payload
17    const decrypted = await jose.JWE.createDecrypt(key).decrypt(payload);
18    const header = decrypted.header as Record<string, string>;
19
20    // Calculate expected fingerprint
21    const fingerprintBuffer = privateKey.fingerprint("sha256", "spki");
22    const expectedFingerprint = fingerprintBuffer.toString("base64");
23
24    // Log decrypted information
25    console.log({
26      card_id: header["kid"],
27      card_fingerprint: header["x5t#S256"],
28      card_number: decrypted.plaintext.toString(),
29      expected_fingerprint: expectedFingerprint,
30    });
31  } catch (error) {
32    console.error("Error during decryption:", error);
33  }
34}

By default, the Real-Time Account Updater triggers automatically on all eligible payments.

If you do not want a payment to trigger the Real-Time Account Updater, call the Request a payment endpoint and set source.allow_update field to false.

post

https://api.checkout.com/payments


1{
2  "source": {
3    "type": "id",
4    "id": "src_wmlfc3zyhqzehihu7giusaaawu",
5    "allow_update": false
6  },
7  "amount": 6500,
8  "currency": "USD",
9  "reference": "ORD-5023-4E89"
10}


1{
2  "id": "pay_mbabizu24mvu3mela5njyhpit4",
3  "amount": 6500,
4  "currency": "USD",
5  "approved": true,
6  "status": "Authorized",
7  "auth_code": "770687",
8  "response_code": "10000",
9  "response_summary": "Approved",
10  "source": {
11    "type": "id",
12    "id": "src_wmlfc3zyhqzehihu7giusaaawu"
13  }
14}

Real-Time Account Updater

Information

Information

Retrieve updated card details

Information

Response example

Information

Compare updated card details

Retrieve FPAN in card updates

Information

Generate keys

Information

Retrieve the FPAN from the response

Response example

Decrypt the FPAN

Example

Decline updates for a payment

Request example

Response example