# Stored Card Verification Flow

**Two-Step Card Storage:**

1. User submits phone number (GET/POST `/stored-cards/phone-number/`)
2. System sends OTP code via SMS
3. Phone number cached in session
4. User submits OTP code (POST `/stored-cards/otp/`)
5. System validates OTP
6. Card data retrieved from cache
7. Token created via payment gateway
8. SavedCard record created with token and masked number

**Security Measures:**

* Card numbers never stored in database
* Only tokens and masked numbers persisted
* OTP verification required for card storage
* Cache timeout prevents replay attacks
* POS-specific token isolation