Card Activation and Deactivation

Cards

Card Activation and Deactivation

After receiving the credit or debit card, the next step for the cardholder is to activate it. Citibank provides a convenient and hassle-free process to not only activate your card instantly before usage but also to deactivate it in case of theft or loss to prevent any kind of fraudulent activity.

Australia

Hong Kong

India

Indonesia

Malaysia

Philippines

Singapore

Thailand

On-demand card activation

Customers have to activate their card before they can make physical usage like POS, etc.
Zoom In

Secure identification

Customers can log in to Citi securely with their Citi user ID and password. 

 

Refer to the API callout for information on retrieving the authorization code.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Authorization code grant: Retrieve authorization code

This API gets invoked by a web browser redirection and requires user interaction. It is used to retrieve an authorization code by redirecting the user to a login page followed by the consent approval page. At the end of this flow, this endpoint returns to the redirect_uri configured for the associated application.

Endpoint

Australia:  GET /authCode/oauth2/authorize

Hong Kong:  GET /authCode/oauth2/authorize

India:  GET /authCode/oauth2/authorize

Indonesia:  GET /authCode/oauth2/authorize

Malaysia:  GET /authCode/oauth2/authorize

Philippines:  GET /authCode/oauth2/authorize

Singapore:  GET /authCode/oauth2/authorize

Thailand:  GET /authCode/oauth2/authorize

Parameters

PATH

NA

Query

response_type

client_id

scope

countryCode

businessCode

locale

state

redirect_uri

 

Customers validate the one-time password

Customers validate the one-time password sent to their registered mobile number. In three-legged auth flow, one-time password validation is based on a fraud and risk recommendation, but it is not mandatory.
Zoom In

Customer consent

The customers provide their consent to Citi to share data with third parties that they trust by clicking on ‘Authorize’ button. After successful authorization, an access token is issued to the partner.

 

The control goes back to the partner along with Auth Code. The partner will make API callout1 to get the access token. After that, the partner will make API callout2 for retrieving the list of cards.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Authorization code grant: Retrieve access token

Get an access token issued by calling our token endpoint and passing the authorization code from the previous call. The issued access token will expire, and will be valid only for the scope for which the consent has been provided by the customer. You can call the APIs by passing this token in the authorization header.

You also get a refresh token that can be used to get a new access token in case the original one expires.

Endpoint 

Australia: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Hong Kong: POST /authCode/oauth2/token/<countryCode>/<businessCode>

India: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Indonesia: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Malaysia: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Philippines: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Singapore: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Thailand: POST /authCode/oauth2/token/<countryCode>/<businessCode>

Parameters

PATH

countryCode

businessCode

FormData

grant_type

code

redirect_uri

Select the card for activation or deactivation

From the list of available cards, the customers select the card requiring activation or deactivation.

 

There is a variation in API callouts for aggregrators and cobrand partners. Please refer as applicable.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Retrieve all cards - For Aggregator

This API is used to retrieve all the credit card numbers and correponding details of the customers who authorized the application.

Endpoint

Australia: GET /v1/cards

Hong Kong: GET /v1/cards

India : GET /v1/cards

Indonesia: GET /v1/cards

Malaysia: GET /v1/cards

Philippines : GET /v1/cards

Singapore: GET /v1/cards

Thailand : GET /v1/cards

Parameters

PATH

NA

Query

cardFunction

View Api Callout 2 >
×

Use Case Callout

Retrieve all cards - For CoBrand Partners

This API is used to list all the cards held by a customer with Citi partner.

Endpoint

Australia: GET /partner/v1/cards

Hong Kong: GET /partner/v1/cards

India : GET /partner/v1/cards

Indonesia: GET /partner/v1/cards

Malaysia: GET /partner/v1/cards

Philippines: GET /partner/v1/cards

Singapore: GET /partner/v1/cards

Thailand: GET /partner/v1/cards

Parameters

PATH

NA

Query

cardFunction

Customer's card details

Card details for the selected card including card number, current available balance, last transaction and statement balance are displayed. Customers then click on 'Activate Now' button to begin the activation process.
Zoom In

First-time activation of the card

For the first-time activation of their card, customers provide the CVV of their card and click on 'Activate' button. CVV is only required for first-time activation. It is optional.

 

First-time activation is one time activation only.
For GC markets, first-time activation is only for local activation. It doesn't automatically activate the card for overseas usage too.

 

Refer to the API callout for information about card activation.

 

Once the Activate API callout is complete, partner to trigger MFA URL to open the OTP page.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Update local usage activation

Activates or deactivates the specified card's ability to be used locally.

Endpoint

Australia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Hong Kong: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

India: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Indonesia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Malaysia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Philippines: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Singapore: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Thailand: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Parameters

PATH

cardId

cardActivationCode

Body

CardUsageRequest : cvv

Customers validate the one-time password

Customers validate the one-time password sent to their registered mobile number. This password is based on the additional authentication setup by the partner to authorize the transaction. It is a closed loop authorization between partner and Citibank.

 

Refer to the below API callouts:

  • API callout1 for retrieving the public key used for encryption.
  • API callout2 to validate the one time password.
  • API callout3 to re-generate and send the one-time password.
  • API callout4 for card activation confirmation.
Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Retrieve E2E Public Key

This API is used by browser based applications for retrieving the public key used for encryption. It returns the modulus and exponent for setting up a business public key. This is a post login API.

 

Endpoint

Australia: GET /v1/security/e2eKey

Hong Kong: GET /v1/security/e2eKey

India: GET /v1/security/e2eKey

Indonesia: GET /v1/security/e2eKey

Malaysia: GET /v1/security/e2eKey

Philippines: GET /v1/security/e2eKey

Singapore: GET /v1/security/e2eKey

Thailand: GET /v1/security/e2eKey

Parameters

PATH

N/A

Body

N/A

View Api Callout 2 >
×

Use Case Callout

Validate OTP

This API validates the OTP token submitted by customer.

 

Endpoint

Australia: PUT /v1/mfa/otp

Hong Kong: PUT /v1/mfa/otp

India: PUT /v1/mfa/otp

Indonesia: PUT /v1/mfa/otp

Malaysia: PUT /v1/mfa/otp

Philippines: PUT /v1/mfa/otp

Singapore: PUT /v1/mfa/otp

Thailand: PUT /v1/mfa/otp

Parameters

PATH

N/A

Body

ValidateOTPRequest

View Api Callout 3 >
×

Use Case Callout

Generate and Send OTP

This API allows you to generate the one time password and delivers to customer.

 

Endpoint

Australia: POST /v1/mfa/otp

Hong Kong: POST /v1/mfa/otp

India: POST /v1/mfa/otp

Indonesia: POST /v1/mfa/otp

Malaysia: POST /v1/mfa/otp

Philippines: POST /v1/mfa/otp

Singapore: POST /v1/mfa/otp

Thailand: POST /v1/mfa/otp

Parameters

PATH

N/A

Body

GenerateOTPRequest

View Api Callout 4 >
×

Use Case Callout

Confirm Card Activation Deactivation

This API is triggered after initiating the Card activation/de-activation request and completes card activation/de-activation post successful multifactor authentication.

Endpoint

Australia: POST /v1/cards/activations/confirmation

Hong Kong: POST /v1/cards/activations/confirmation

India: POST /v1/cards/activations/confirmation

Indonesia: POST /v1/cards/activations/confirmation

Malaysia: POST /v1/cards/activations/confirmation

Philippines: POST /v1/cards/activations/confirmation

Singapore: POST /v1/cards/activations/confirmation

Thailand: POST /v1/cards/activations/confirmation

Parameters

PATH

NA

Body

CardUsageConfirmationRequest

Enable card for overseas usage

After the first-time card activation, the customers can enable their card for overseas usage by toggling 'Overseas use' button on this screen.

 

Alternatively, once the card is activated locally, the customers can also go to the cards listing screen, select the card which is already activated locally, and then click on 'Activate card for overseas usage' button on the next screen to activate the card for overseas usage.

 

Automatic overseas activation along with local activation during first-time activation is market specific. It is not applicable for GC markets.

For GC markets, overseas activation can happen separately only after local activation is successful as part of first-time activation.

Zoom In

Activate card perpetually for overseas usage

Customers have the option to activate their card either perpetually or for a specific period of time. If they select 'Activate perpetually', then the card becomes activated for an unlimited period of time. Click on 'Activate card for overseas use' button to trigger the overseas usage activation API.

Zoom In

Activate card for overseas usage for a specific date range

Customers can opt to activate their card for overseas usage for a specific duration by selecting the start date and end date. Click on 'Activate card for overseas usage' button to trigger the overseas usage activation API.

Zoom In

Customers activate their card for overseas usage

Customers can either provide their consent for activating their cards for overseas usage by clicking on 'Yes, activate my card' button, or cancel by clicking on 'No, maybe later' button.

 

Refer to the API callout for information about card overseas activation.

 

Once the Overseas Activate API callout is complete, partner to trigger MFA URL to open the OTP page.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Update overseas usage activation

Activates or deactivates a specified card's ability to be used overseas. Cards can be activated for overseas usage permanently or for a set period of time.

Endpoint

Australia: PUT /v1/cards/{cardId}/overseasUsage

Hong Kong: PUT /v1/cards/{cardId}/overseasUsage

India: PUT /v1/cards/{cardId}/overseasUsage

Indonesia: PUT /v1/cards/{cardId}/overseasUsage

Malaysia: PUT /v1/cards/{cardId}/overseasUsage

Philippines: PUT /v1/cards/{cardId}/overseasUsage

Singapore: PUT /v1/cards/{cardId}/overseasUsage

Thailand: PUT /v1/cards/{cardId}/overseasUsage

Parameters

PATH

cardId

Body

overseasCardUsageOption

ActivationRequest : overseasCardActivationStartDate, overseasCardActivationEndDate, perpetualActivationIndicator

Customers validate the one-time password

Customers have to validate the one-time password sent to their registered mobile number.

 

Refer to the below API callout for card overseas activation confirmation.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Confirm Card Overseas Activation Deactivation

This API is triggered after initiating the Card activation/de-activation request and completes card activation/de-activation post successful multifactor authentication.

Endpoint

Australia: POST /v1/cards/overseasUsage/confirmation

Hong Kong: POST /v1/cards/overseasUsage/confirmation

India: POST /v1/cards/overseasUsage/confirmation

Indonesia: POST /v1/cards/overseasUsage/confirmation

Malaysia: POST /v1/cards/overseasUsage/confirmation

Philippines: POST /v1/cards/overseasUsage/confirmation

Singapore: POST /v1/cards/overseasUsage/confirmation

Thailand: POST /v1/cards/overseasUsage/confirmation

Parameters

PATH

NA

Body

CardOverseasUsageConfirmationRequest

Card activation confirmation for overseas usage

Customers receive a notification message after their card is enabled for overseas usage.
Zoom In

Select the card to be locked

Customers have the option to immediately lock their card in case of any theft or mishandling. They can choose the card from a list of available cards and proceed with the locking procedure. Locking a card restricts the physical usage of a card locally as well as overseas. It is a master lock which temporarily locks the card completely.

 

Refer to the below API callout before rendering this screen with the list of available cards.

 

There is a variation in API callouts for aggregrators and cobrand partners. Please refer as applicable.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Retrieve all cards - For Aggregator

This API is used to retrieve all the credit card numbers and correponding details of the customers who authorized the application.

Endpoint

Australia: GET /v1/cards

Hong Kong: GET /v1/cards

India : GET /v1/cards

Indonesia: GET /v1/cards

Malaysia: GET /v1/cards

Philippines : GET /v1/cards

Singapore: GET /v1/cards

Thailand : GET /v1/cards

 

Parameters

PATH

NA

Query

cardFunction

View Api Callout 2 >
×

Use Case Callout

Retrieve all cards - For CoBrand Partners

This API is used to list all the cards held by a customer with Citi partner.

Endpoint

Australia: GET /partner/v1/cards

Hong Kong: GET /partner/v1/cards

India : GET /partner/v1/cards

Indonesia: GET /partner/v1/cards

Malaysia: GET /partner/v1/cards

Philippines: GET /partner/v1/cards

Singapore: GET /partner/v1/cards

Thailand: GET /partner/v1/cards

Parameters

PATH

NA

Query

cardFunction

Customers lock the selected card

Customers can lock the selected card by clicking on 'Lock card' button.

 

'Deactivate card for overseas usage' button will be shown on this screen only when the customer has already activated the card for overseas usage. Otherwise 'Activate card for overseas usage' button will be shown if the card is activated locally only.

Zoom In

Customers confirm card locking

After selecting the option to lock their card, customers need to confirm their action by clicking on 'Yes, lock my card' button.

 

Refer to the API callout for information about card locking.

 

Once the Lock API callout is complete, partner to trigger MFA URL to open the OTP page.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Update local usage activation

Activates or deactivates the specified card's ability to be used locally.

Endpoint

Australia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Hong Kong: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

India: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Indonesia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Malaysia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Philippines: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Singapore: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Thailand: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

 

Parameters

PATH

cardId

cardActivationCode

Body

CardUsageRequest

Customers validate the one-time password

Customers have to validate the one-time password sent to their registered mobile number.

 

 

Refer to the API callout for card locking confirmation.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Confirm Card Activation Deactivation

This API is triggered after initiating the Card activation/de-activation request and completes card activation/de-activation post successful multifactor authentication.

Endpoint

Australia: POST /v1/cards/activations/confirmation

Hong Kong: POST /v1/cards/activations/confirmation

India: POST /v1/cards/activations/confirmation

Indonesia: POST /v1/cards/activations/confirmation

Malaysia: POST /v1/cards/activations/confirmation

Philippines: POST /v1/cards/activations/confirmation

Singapore: POST /v1/cards/activations/confirmation

Thailand: POST /v1/cards/activations/confirmation

 

Parameters

PATH

NA

Body

CardUsageConfirmationRequest

Confirmation of card locking

Customers receive a notification message after their card is temporarily locked for local and overseas usage.
Zoom In

Select the card to be unlocked

Customers can unlock their card by selecting it from a list of available cards and proceed with the unlocking procedure.

 

Refer to the below API callout before rendering this screen with the list of available cards.

 

There is a variation in API callouts for aggregrators and cobrand partners. Please refer as applicable.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Retrieve all cards - For Aggregator

This API is used to retrieve all the credit card numbers and correponding details of the customers who authorized the application.

Endpoint

Australia: GET /v1/cards

Hong Kong: GET /v1/cards

India : GET /v1/cards

Indonesia: GET /v1/cards

Malaysia: GET /v1/cards

Philippines : GET /v1/cards

Singapore: GET /v1/cards

Thailand : GET /v1/cards

Parameters

PATH

NA

Query

cardFunction

View Api Callout 2 >
×

Use Case Callout

Retrieve all cards - For CoBrand Partners

This API is used to list all the cards held by a customer with Citi partner.

Endpoint

Australia: GET /partner/v1/cards

Hong Kong: GET /partner/v1/cards

India : GET /partner/v1/cards

Indonesia: GET /partner/v1/cards

Malaysia: GET /partner/v1/cards

Philippines: GET /partner/v1/cards

Singapore: GET /partner/v1/cards

Thailand: GET /partner/v1/cards

Parameters

PATH

NA

Query

cardFunction

Customers unlock the selected card

Customers unlock the selected card by clicking on 'Unlock card' button. The card can be unlocked for local and overseas usage (as applicable as per earlier activation).

 

'Deactivate card for overseas use' or 'Activate card for overseas use' button will be disabled when the card is locked. A card can neither be activated nor be deactivated when it is locked.

Zoom In

Customers confirm card unlocking

After selecting the option to unlock their card, customers need to confirm their action by clicking on 'Yes, unlock my card' button.

 

Refer to the API callout for information about card unlocking.

 

Once the Unlock API callout is complete, partner to trigger MFA URL to open the OTP page.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Update local usage activation

Activates or deactivates the specified card's ability to be used locally.

Endpoint

Australia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Hong Kong: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

India: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Indonesia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Malaysia: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Philippines: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Singapore: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

Thailand: PUT /v1/cards/{cardId}/activations/{cardActivationCode}

 

Parameters

PATH

cardId

cardActivationCode

Body

CardUsageRequest

Customers validate the one-time password

Customers have to validate the one-time password sent to their registered mobile number.

 

Refer to the API callout for card unlocking confirmation.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Confirm Card Activation Deactivation

This API is triggered after initiating the Card activation/de-activation request and completes card activation/de-activation post successful multifactor authentication.

Endpoint

Australia: POST /v1/cards/activations/confirmation

Hong Kong: POST /v1/cards/activations/confirmation

India: POST /v1/cards/activations/confirmation

Indonesia: POST /v1/cards/activations/confirmation

Malaysia: POST /v1/cards/activations/confirmation

Philippines: POST /v1/cards/activations/confirmation

Singapore: POST /v1/cards/activations/confirmation

Thailand: POST /v1/cards/activations/confirmation

 

Parameters

PATH

NA

Body

CardUsageConfirmationRequest

Confirmation of card unlocking

Customers receive a notification message after their card is unlocked for local and overseas usage (as applicable as per earlier activation).

Zoom In

Select the card for overseas deactivation

The customers select the card requiring overseas deactivation from the list of available cards.

 

Refer to the below API callout before rendering this screen with the list of available cards.

 

There is a variation in API callouts for aggregrators and cobrand partners. Please refer as applicable.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Retrieve all cards - For Aggregator

This API is used to retrieve all the credit card numbers and correponding details of the customers who authorized the application.

Endpoint

Australia: GET /v1/cards

Hong Kong: GET /v1/cards

India : GET /v1/cards

Indonesia: GET /v1/cards

Malaysia: GET /v1/cards

Philippines : GET /v1/cards

Singapore: GET /v1/cards

Thailand : GET /v1/cards

Parameters

PATH

NA

Query

cardFunction

View Api Callout 2 >
×

Use Case Callout

Retrieve all cards - For CoBrand Partners

This API is used to list all the cards held by a customer with Citi partner.

Endpoint

Australia: GET /partner/v1/cards

Hong Kong: GET /partner/v1/cards

India : GET /partner/v1/cards

Indonesia: GET /partner/v1/cards

Malaysia: GET /partner/v1/cards

Philippines: GET /partner/v1/cards

Singapore: GET /partner/v1/cards

Thailand: GET /partner/v1/cards

Parameters

PATH

NA

Query

cardFunction

Display selected card details

Details including card number, current available balance, last transaction and statement balance for the card selected by customers are displayed. Customers can click on 'Deactivate card for overseas usage' button to begin the deactivation process for the card's overseas usage.

 

'Deactivate card for overseas usage' button will be shown only when the customer has already activated the card for overseas usage. Otherwise 'Activate card for overseas usage' button will be shown if the card is activated locally only.

Zoom In

Deactivate card for overseas usage

Customers can deactivate the overseas usage of their card either in case of theft or loss to avoid any kind of fraudulent activity. By clicking on 'Yes, deactivate my card for overseas usage' button, the customers provide their consent for the deactivation of their card's overseas usage.

 

Refer to the API callout for information about card overseas deactivation.

 

Once the Overseas Deactivate API callout is complete, partner to trigger MFA URL to open the OTP page.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Update overseas usage activation

Activates or deactivates a specified card's ability to be used overseas. Cards can be activated for overseas usage permanently or for a set period of time.

Endpoint

Australia: PUT /v1/cards/{cardId}/overseasUsage

Hong Kong: PUT /v1/cards/{cardId}/overseasUsage

India: PUT /v1/cards/{cardId}/overseasUsage

Indonesia: PUT /v1/cards/{cardId}/overseasUsage

Malaysia: PUT /v1/cards/{cardId}/overseasUsage

Philippines: PUT /v1/cards/{cardId}/overseasUsage

Singapore: PUT /v1/cards/{cardId}/overseasUsage

Thailand: PUT /v1/cards/{cardId}/overseasUsage

Parameters

PATH

cardId

Body

overseasCardUsageOption

ActivationRequest : overseasCardActivationStartDate, overseasCardActivationEndDate, perpetualActivationIndicator

Customers validate the one-time password

Customers have to validate the one-time password sent to their registered mobile number.

 

Refer to the below API callout for card overseas deactivation confirmation.

Zoom In

API(s) Callout

View Api Callout 1 >
×

Use Case Callout

Confirm Card Overseas Activation Deactivation

This API is triggered after initiating the Card activation/de-activation request and completes card activation/de-activation post successful multifactor authentication.

Endpoint

Australia: POST /v1/cards/overseasUsage/confirmation

Hong Kong: POST /v1/cards/overseasUsage/confirmation

India: POST /v1/cards/overseasUsage/confirmation

Indonesia: POST /v1/cards/overseasUsage/confirmation

Malaysia: POST /v1/cards/overseasUsage/confirmation

Philippines: POST /v1/cards/overseasUsage/confirmation

Singapore: POST /v1/cards/overseasUsage/confirmation

Thailand: POST /v1/cards/overseasUsage/confirmation

Parameters

PATH

NA

Body

CardOverseasUsageConfirmationRequest

Card overseas usage deactivation confirmation

Customers receive a notification message after their card is deactivated for overseas usage.

 

Once the card is deactivated for overseas usage, its status still remains Active since the card remains active for local usage.

Zoom In