Deferred Ticket Orders

July 7, 2019

Employees at a major event venue can request event tickets months in advance:

  • A nationally-recognized ticket service manages the final ticket sales.
  • The venue has access to ticket sales before the public.
  • The venue manually retrieves the locally submitted ticket requests and enters them into the national ticket management service.
  • The employee credit card information must be secured until it is transferred to the ticket service.

Goal

Do not store the employee’s credit card account number locally.

Solution

Auric developed two custom HTML iFrames for tokenizing and de-tokenizing the credit card account number.

The custom tokenizing iFrame checked that the expiration date on the credit card was later than the event date.

Data Flow

Figure: Deferred tickets tokenization data flow.
  1. The Venue Reservation service requests an AuricVault® browser-side encryption session.
  2. The AuricVault® service generates a one-time use session ID.
  3. The Venue’s service includes the session ID in the ticket reservation page, and passes it to the secure iFrame hosted on Auric’s PCI-compliant servers.
  4. After the employee enters their billing information, the secure iFrame sends the session ID and the credit card account number to the AuricVault® service.
  5. The AuricVault® service tokenizes the credit card account number and returns a token to the secure iFrame. The secure iFrame provides this token to the parent checkout page.
  6. The Checkout page submits the employee’s general billing information and AuricVault® token back to the Venue Reservation service.
  7. When the actual tickets are available in the third-party ticketing service, a venue employee logs into the Venue Reservation service to retrieve cardholder information, and the Venue Reservation service requests another session ID.
  8. The AuricVault® service returns the new session ID.
  9. The Venue Reservation service provides the session ID and the AuricVault® token to the employee’s browser and passes the information to a secure iFrame hosted on Auric’s PCI-compliant servers.
  10. The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
  11. receives back the decrypted original credit card account number.
  12. A venue employee then completes the order with the third-party ticketing service.
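
The twelve steps above, reduced to an in-memory simulation. This is an added example, not Auric's code or the AuricVault® API: `MockVault`, its methods and `runFlow` are hypothetical names, the card number is a constructed test value, and the end-of-month expiry rule is an assumption.

```javascript
// Added illustration: in-memory stand-in for a token vault. All names here are
// hypothetical; this is not the AuricVault API.
const { randomUUID } = require('node:crypto');
class MockVault {
  constructor() {
    this.sessions = new Set(); // outstanding one-time session IDs
    this.tokens = new Map();   // token -> card number, held only by the vault
  }
  // Steps 1-2 and 7-8: the venue's server requests a one-time session ID.
  createSession() {
    const id = randomUUID();
    this.sessions.add(id);
    return id;
  }
  // A session ID is accepted once, then discarded, so a replay fails.
  consume(sessionId) {
    if (!this.sessions.delete(sessionId)) throw new Error('invalid or used session');
  }
  // Steps 4-5: called from the secure iFrame, never from the venue's server.
  tokenize(sessionId, pan, expMonth, expYear, eventDate) {
    this.consume(sessionId);
    // Assumption: a card is usable through the last day of its expiry month,
    // so the event must fall before the first day of the following month.
    const firstInvalidDay = new Date(Date.UTC(expYear, expMonth, 1));
    if (firstInvalidDay <= eventDate) throw new Error('card expires before event');
    const token = randomUUID(); // random, so it reveals nothing about the card
    this.tokens.set(token, pan);
    return token;
  }
  // Steps 10-11: a fresh session ID plus the token returns the card number.
  detokenize(sessionId, token) {
    this.consume(sessionId);
    if (!this.tokens.has(token)) throw new Error('unknown token');
    return this.tokens.get(token);
  }
}

// Constructed sample data: a widely used test card number, not a real account.
function runFlow() {
  const vault = new MockVault();
  const eventDate = new Date(Date.UTC(2019, 11, 14)); // 14 Dec 2019 (constructed)
  const s1 = vault.createSession();
  const token = vault.tokenize(s1, '4111111111111111', 12, 2019, eventDate);
  const venueDb = [{ employee: 'A. Example', token }]; // step 6: token only
  let replayRejected = false;
  try { vault.detokenize(s1, token); } catch { replayRejected = true; } // s1 is spent
  const pan = vault.detokenize(vault.createSession(), venueDb[0].token);
  return { venueDb, pan, replayRejected };
}
```

`runFlow()` returns the venue's stored record (token only), the card number recovered in step 11, and whether reuse of the first session ID was refused.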

Security

The AuricVault® solution improved security by removing stored employee credit card account numbers from the venue’s servers. The iFrame is embedded in the customer's existing website. iFrames should never be overlaid, as that is a security issue.
