[FEATURE] Blocklist

[prajjwalkumar17]

PARENT ISSUE FOR BLOCKLIST

Feature Description

This feature will allow the merchants to block the following according to their needs:

  1. card_numbers
  2. card_isins
  3. extended_bins

What is Blocklist?
A blocklist in the context of payment processing refers to a security feature that allows merchants to restrict specific fingerprints associated with payment methods or block certain card bins. A fingerprint is a unique identifier linked to a particular payment method, and a card bin encompasses the first six digits of a credit card number, with an extended card bin covering the first eight digits.
Merchants can utilize the blocklist functionality to enhance security and control over their payment processing systems. This capability enables them to thwart transactions from identified problematic sources or potentially fraudulent payment methods. Here's how the blocklist feature works:

Blocking Specific Fingerprints:
Merchants can identify and block specific fingerprints associated with payment methods. This is particularly useful in preventing transactions from certain payment instruments (card in our case) that may have a history of suspicious activity.

Blocking Card Bins:
The blocklist also allows merchants to block entire card bins, focusing on the first six digits of credit card numbers. Additionally, they can extend this restriction to cover the first eight digits(extended_card_bin), providing a more comprehensive control mechanism.

Listing Blocklists:
To manage and monitor these security measures, merchants have the option to list their specified blocklists. They can categorize these blocklists based on the type of restriction, such as payment method, card bin, or extended card bin.

Specifying Blocklist Types:
Merchants can define the type of blocklist they want to view, allowing for a granular understanding of the restrictions in place. This categorization may include payment method blocklists, card bin blocklists, or extended card bin blocklists.

Unblocking:
Should the need arise, merchants can selectively unblock specific fingerprints, payment methods, or card bins from the blocklist. This flexibility ensures that legitimate transactions are not inadvertently hindered by the security measures in place.

In summary, a blocklist feature empowers merchants to proactively manage the security of their payment processing systems by blocking specific fingerprints, card bins, or extended card bins. This not only safeguards against potential fraud but also provides a customizable and flexible approach to control and monitor payment transactions effectively.

Testing

Refer to the attached postman collection for the API contracts for the blocklist APIs. Currently we support blocking three types of resources i.e. card numbers (payment intrument), card bin, and extended card bin.
blocklist_api_postman.zip

For Card Bin and Extended Card Bin :-
1. Setup a Merchant Account and any Connector account
2. Make a payment with a certain card (ensure it succeeds)
3. Block the card's card bin or extended card bin
4. Try the payment again (should fail this time with an API response saying that the payment was blocked)

For Payment Instrument :-
1. Repeat steps 1 and 2 of previous section
2. In the payment confirm response, there will be an additional field called "fingerprint". This is the fingerprint id that can be used to block a particular payment method. Use this to block the card.
3. Try the payment again (should fail)

Sub-Issues

• [FEATURE] Blocklist initial implementation #3439
• [FEATURE] Add KMS encrypt utility #3440
• [DOCS] Add Api-Refrence for Blocklist #3441
• [REFACTOR] Separate utility function to guard_against_blocklist #3442
• [FEATURE]: Api for enable/disable Blocklist guard #3467
• [REFACTOR] Inclusion of kill switch in configs table #3443
• [REFACTOR] Replacement of KMS with AES encryption #3444
• [REFACTOR] Card Fingerprinting + Block List #3546
• [Refactor] Centralisation of locker request encryption/decryption logic #3697