
# 8-1 PAYMENT CARD SECURITY: OAuth 2.0 Protocol Flow

<mark style="color:purple;">**ECOSYSTEM OF PAYMENT DEVICES, APPLICATIONS, INFRASTRUCTURE AND USERS**</mark>

**1.** To receive “ShopBack” at an offline partner store, the credit card or debit card used must be registered in the DonaBlock mobile APP. Many people are unaware that similar card-linking apps can see their consumption habits and personal information. DonaBlock does not collect or sell consumer personal information, and the information collected during card use is securely protected. We use only the information necessary to convert the “ShopBack” received from the seller to DonaBlock Tokens when consumers shop at partner stores. For the most reliable security, we will use an OAuth connection for credit card linking to build an encrypted “ShopBack” service.

**2.** The DonaBlock card-linking system uses the most advanced technology to comply with the PCI DSS standard and maintain strict access control to prevent accidents. We collect and process only the data necessary to calculate and authenticate partner store and transaction categories and related account types for “ShopBack” provision. We identify but do not store consumer creditworthiness. We comply with the PCI DSS standard and handle sensitive information with the highest level of security.

**3.** (A) (APP → User) The app requests permission to access user data. Conceptually, the app requests this from the user, but in practice it is often a third-party authority that mediates between the app and the user to provide the necessary permissions.

(B) (User → APP) The user issues an authorization grant that proves consent to access. RFC 6749 defines four types of authorization grants. The type of authorization grant to be used is determined by the type of app and the support of the granting authority.

(C) (APP → Authority Granting Agency) The app submits the authorization grant to request an access token. The access token is the key that unlocks the locked safe of user data.

(D) (Authority Granting Agency → APP) The authority granting agency verifies the authorization grant and provides an access token that contains information about the data items, scope, and period that the user has agreed to. In other words, it provides the key to access the user’s data when needed.

(E) (APP → Data Providing Agency) The app submits the access token to request user data.

(F) (Data Providing Agency → APP) The data providing agency provides the user data. It verifies that the access token submitted by the app is valid and confirms the information in the access token to determine the data items, scope, and validity period to be provided.
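The checks behind steps (B) through (F) can be sketched in a few lines. This is an added example, not DonaBlock's code: the HMAC-signed token format, the in-memory grant store, and the client and scope names are assumptions made for illustration (RFC 6749 does not prescribe a token format).

```python
import base64, hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)  # assumed: key shared by the authority and the data provider
GRANTS = {}                    # authorization code -> (client_id, consented scope)

def issue_grant(client_id, scope):
    """(A)/(B): the user consents and a one-time authorization code is issued."""
    code = secrets.token_urlsafe(16)
    GRANTS[code] = (client_id, frozenset(scope))
    return code

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def exchange_grant(code, client_id, ttl=300, now=None):
    """(C)/(D): verify the grant, then issue a token carrying scope and period."""
    grant = GRANTS.pop(code, None)  # pop makes the code single-use
    if grant is None or grant[0] != client_id:
        raise PermissionError("invalid authorization grant")
    now = time.time() if now is None else now
    claims = {"client": client_id, "scope": sorted(grant[1]), "exp": now + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def fetch_data(token, item, now=None):
    """(E)/(F): check integrity, then validity period, then consented data items."""
    body, _, sig = token.partition(".")
    # Constant-time comparison; claims are parsed only after the signature holds.
    if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
        raise PermissionError("token signature mismatch")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = time.time() if now is None else now
    if now >= claims["exp"]:
        raise PermissionError("token expired")
    if item not in claims["scope"]:
        raise PermissionError("item outside consented scope")
    return {"item": item, "client": claims["client"]}
```

A replayed authorization code, a modified token, an expired token, and a request for a data item the user did not consent to are each rejected with `PermissionError`.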


