A booking service’s website collects reservations for over a thousand regional bed and breakfast (B&B) proprietors. Guests make reservations at one or more of the B&Bs and enter their credit card information to reserve the room. The B&B proprietors log into the service’s website to review their bookings and retrieve the credit card billing information.
Remove the credit card number from the booking service’s data flow.
The booking service integrated two custom iFrames into their web service:
- an iFrame on the front-end ordering page to tokenize the credit card account number.
- an iFrame on the back-end order retrieval page to allow B&B proprietors to retrieve the credit card account number.
The booking service hosts both iFrames within the AuricVault® secure PCI hosting environment.
B&B booking data flow.
- B&B service requests an AuricVault® browser-side encryption session.
- The AuricVault® service generates a one-time use session ID.
- The B&B service includes the session ID in the checkout page, and passes it to the secure iFrame hosted on Auric’s PCI-compliant servers.
- After user enters their billing information, the secure iFrame sends the session ID and the credit card account number to the AuricVault® service.
- The AuricVault® service tokenizes the credit card account number and returns a token to the secure iFrame. The secure iFrame provides this token to the parent checkout page.
- The Checkout page submits the user’s general billing information and AuricVault® token back to the B&B Booking service.
- When a specific B&B logs into the B&B booking service to retrieve the new booking order, the B&B Booking Service requests another session ID.
- The AuricVault® service returns the new session ID.
- The booking service provides the session ID and the AuricVault® token to the user’s browser and passes the information to a secure iFrame hosted on Auric’s PCI compliant servers.
- The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
- receives back the decrypted original credit card account number.
The AuricVault® service completely removes the credit card number from the booking service’s environment. The tokenization and de-tokenization occur within the user’s web browser.