Overview

Card fingerprinting generates a unique, deterministic identifier for each physical card used in your system. This fingerprint remains consistent across transactions, allowing you to identify when the same card is used multiple times — without storing or exposing the actual card number. Card fingerprints are essential for fraud detection, loyalty programs, and analytics.

How It Works

When a card is used in a transaction or stored in Yuno’s vault, a card fingerprint is generated using a one-way hash of the card’s PAN and other identifying attributes. The same card always produces the same fingerprint, regardless of which merchant or transaction it is used with.

Card PAN: 4242 4242 4242 4242
    └── Hash function ──> Fingerprint: "fp_a1b2c3d4e5f6g7h8"

Card fingerprints are irreversible. You cannot derive the card number from a fingerprint. This makes fingerprints safe to store and use in your application without PCI compliance concerns.
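
A minimal sketch of a deterministic, one-way card fingerprint, added here as an illustration and not Yuno's actual algorithm. It assumes a keyed hash (HMAC-SHA-256) over the normalized PAN only; the function names and the demo key are hypothetical.

```javascript
// Added illustration; the key, function names and PAN-only input are assumptions.
const nodeCrypto = require("crypto");

// Strip spaces and dashes so every formatting of one PAN hashes identically.
function normalizePan(pan) {
  const digits = String(pan).replace(/[\s-]/g, "");
  if (!/^\d{12,19}$/.test(digits)) {
    throw new Error("PAN must be 12-19 digits");
  }
  return digits;
}

// Luhn checksum: reject mistyped numbers before they get a fingerprint.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Keyed one-way hash (HMAC-SHA-256). Deterministic for a given key, and the
// key keeps the output from being recomputed by anyone who lacks it.
function cardFingerprint(pan, secretKey) {
  const digits = normalizePan(pan);
  if (!passesLuhn(digits)) {
    throw new Error("PAN fails Luhn check");
  }
  const mac = nodeCrypto.createHmac("sha256", secretKey).update(digits).digest("hex");
  return "fp_" + mac.slice(0, 32); // truncated to 128 bits for a compact ID
}

// Constructed demo key; a real key would live in a KMS or HSM.
const demoKey = Buffer.from("constructed-demo-key-not-for-production");
console.log(cardFingerprint("4242 4242 4242 4242", demoKey));
console.log(cardFingerprint("4242-4242-4242-4242", demoKey)); // same value
```

With a different key the same card produces a different fingerprint, so values from two independently keyed systems cannot be matched against each other.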

Fingerprint in API Responses

Card fingerprints are automatically included in payment and tokenization responses:

{
  "id": "pay_abc123",
  "status": "APPROVED",
  "payment_method": {
    "type": "CARD",
    "card": {
      "last_four": "4242",
      "brand": "VISA",
      "fingerprint": "fp_a1b2c3d4e5f6g7h8"
    }
  }
}

Use Cases

| Use Case | How Fingerprint Helps |
|---|---|
| Fraud detection | Detect the same card used across multiple accounts |
| Duplicate prevention | Prevent the same card from being enrolled twice |
| Loyalty programs | Track rewards across transactions for the same card |
| Velocity checks | Count transactions per unique card within a time window |
| Analytics | Understand unique card usage patterns |
| Account linking | Identify when multiple accounts share a payment method |

Fraud Detection Example

Detect if a single card is being used across multiple customer accounts:

// When a payment is processed, check the fingerprint
const fingerprint = paymentResponse.payment_method.card.fingerprint;

// Query your database for other accounts using this fingerprint
const existingAccounts = await db.query(
  "SELECT customer_id FROM payment_methods WHERE fingerprint = ? AND customer_id != ?",
  [fingerprint, currentCustomerId]
);

if (existingAccounts.length > 0) {
  // Flag for review: same card used across multiple accounts
  await flagForReview({
    reason: "SHARED_CARD",
    fingerprint: fingerprint,
    accounts: existingAccounts
  });
}

Velocity Check Example

Limit the number of transactions from a single card within a time window:

const fingerprint = paymentRequest.card.fingerprint;
const oneHourAgo = new Date(Date.now() - 3600000); // 3,600,000 ms = 1 hour

// db.query resolves to an array of rows; COUNT(*) yields exactly one row
const recentTransactions = await db.query(
  "SELECT COUNT(*) as count FROM transactions WHERE fingerprint = ? AND created_at > ?",
  [fingerprint, oneHourAgo]
);

// Read the count from the first row; some drivers return it as a string
if (Number(recentTransactions[0].count) >= 5) {
  // Block: too many transactions from this card in 1 hour
  throw new Error("VELOCITY_LIMIT_EXCEEDED");
}

Card fingerprints are consistent within the Yuno ecosystem but may differ from fingerprints generated by other payment processors. Do not compare Yuno fingerprints with those from external systems.

Fingerprint Properties

| Property | Value |
|---|---|
| Format | String (alphanumeric, prefixed with fp_) |
| Uniqueness | One fingerprint per unique physical card |
| Deterministic | Same card always produces the same fingerprint |
| Reversible | No; cannot derive card number from fingerprint |
| Cross-merchant | Same fingerprint across all merchants on Yuno |
| PCI sensitive | No; safe to store in your database |

A card fingerprint is tied to the physical card PAN, not the cardholder. If a card is reissued with a new number, it will generate a different fingerprint. Use Network Tokens to maintain continuity across card reissuances.

Best Practices

  • Store fingerprints: Save fingerprints in your database alongside transaction records for analysis.
  • Index for queries: Create database indexes on the fingerprint column for fast lookups.
  • Combine with device data: Use fingerprints alongside device fingerprinting for stronger fraud detection.
  • Respect privacy: While fingerprints are not PCI-sensitive, they are still personal data. Handle them according to your privacy policy.