Stored Card Verification Flow

Two-Step Card Storage:

  1. User submits phone number (GET/POST /stored-cards/phone-number/)

  2. System sends OTP code via SMS

  3. Phone number cached in session

  4. User submits OTP code (POST /stored-cards/otp/)

  5. System validates OTP

  6. Card data retrieved from cache

  7. Token created via payment gateway

  8. SavedCard record created with token and masked number

Security Measures:

  • Card numbers never stored in database

  • Only tokens and masked numbers persisted

  • OTP verification required for card storage

  • Cache timeout prevents replay attacks

  • POS-specific token isolation
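The flow and the measures above, sketched as an added example that is not the project's own code. It assumes the card number is cached together with the OTP when the phone number is submitted, a 120-second timeout, and one attempt per code. `TTLCache`, `gateway_tokenize`, `start_storage`, `confirm_storage` and the `SavedCard` fields are hypothetical names.

```python
import hmac, secrets, time
from dataclasses import dataclass

OTP_TTL = 120  # seconds; assumed value, the page states no timeout

class TTLCache:
    """In-memory stand-in for the server-side cache (hypothetical)."""
    def __init__(self, clock=time.monotonic):
        self._data, self._clock = {}, clock
    def set(self, key, value, ttl):
        self._data[key] = (self._clock() + ttl, value)
    def pop(self, key):
        expires, value = self._data.pop(key, (0, None))
        return value if expires > self._clock() else None

@dataclass
class SavedCard:  # fields assumed from step 8
    phone: str
    pos_id: str
    token: str
    masked_number: str

def mask(pan):
    return "*" * (len(pan) - 4) + pan[-4:]

def gateway_tokenize(pan, pos_id):
    # Stand-in for the payment gateway call; the token is bound to one POS.
    return f"tok_{pos_id}_{secrets.token_hex(8)}"

def start_storage(cache, session, phone, pan, pos_id, send_sms):
    otp = f"{secrets.randbelow(10**6):06d}"
    session["phone"] = phone                                # step 3
    cache.set(("pending", phone), (otp, pan, pos_id), OTP_TTL)
    send_sms(phone, otp)                                    # step 2

def confirm_storage(cache, session, submitted_otp):
    # pop() removes the entry on every attempt, so a code works at most once
    entry = cache.pop(("pending", session.get("phone")))    # step 6
    if entry is None:
        return None  # expired, already used, or never started
    otp, pan, pos_id = entry
    if not hmac.compare_digest(otp.encode(), submitted_otp.encode()):
        return None                                         # step 5 failed
    token = gateway_tokenize(pan, pos_id)                   # step 7
    return SavedCard(session["phone"], pos_id, token, mask(pan))  # step 8
```

The full card number exists only in the cache entry and is gone after the first confirmation attempt or the timeout, whichever comes first.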
