Employees at a major event venue can request event tickets months in advance:
- A nationally-recognized ticket service manages the final ticket sales.
- The venue has access to ticket sales before the public.
- The venue manually retrieves the locally-requested ticket requests and enters them into the national ticket management service.
- The employee credit card information must be secured until it is transferred to the ticket service.
Do not store the employee’s credit card account number locally.
Auric developed two custom HTML iFrames for tokenizing and de-tokenizing the credit card account number.
The custom tokenizing iFrame checked that the expiration date on the credit card was later than the event date.
- The Venue Reservation service requests an AuricVault® browser-side encryption session.
- The AuricVault® service generates a one-time use session ID.
- The Venue’s service includes the session ID in the ticket reservation page, and passes it to the secure iFrame hosted on Auric’s PCI-compliant servers.
- After the employee enters their billing information, the secure iFrame sends the session ID and the credit card account number to the AuricVault® service.
- The AuricVault® service tokenizes the credit card account number and returns a token to the secure iFrame. The secure iFrame provides this token to the parent checkout page.
- The Checkout page submits the employee’s general billing information and AuricVault® token back to the Venue Reservation service.
- When the actual tickets are available in the third-party ticketing service, a venue employee logs into the Venue Reservation service to retrieve cardholder information, and the Venue Reservation service requests another session ID.
- The AuricVault® service returns the new session ID.
- The Venue Reservation service provides the session ID and the AuricVault® token to the employee’s browser and passes the information to a secure iFrame hosted on Auric’s PCI-compliant servers.
- The secure iFrame sends the session ID and AuricVault® token to the AuricVault® service.
- The secure iFrame receives back the decrypted original credit card account number.
- A venue employee then completes the order with the third-party ticketing service.
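The flow above can be modelled in a few lines to show the two properties it relies on: each session ID works for exactly one vault call, and the venue's own record holds only a token. This is an added example, not Auric's code or the AuricVault® API; `ToyVault`, `iframe_tokenize`, `reserve_and_fulfil`, the token format and the card number are constructed for illustration.

```python
import secrets
from datetime import date


class ToyVault:
    """In-memory stand-in for the vault (hypothetical; not the AuricVault API)."""

    def __init__(self):
        self._sessions = set()  # issued, not-yet-used session IDs
        self._cards = {}        # token -> card number, held only by the vault

    def new_session(self):
        sid = secrets.token_urlsafe(16)
        self._sessions.add(sid)
        return sid

    def _consume(self, sid):
        # One-time use: a session ID is removed the first time it is presented.
        if sid not in self._sessions:
            raise PermissionError("unknown or already-used session ID")
        self._sessions.discard(sid)

    def tokenize(self, sid, pan):
        self._consume(sid)
        token = "tok_" + secrets.token_hex(12)  # random, not derived from the PAN
        self._cards[token] = pan
        return token

    def detokenize(self, sid, token):
        self._consume(sid)
        return self._cards[token]


def iframe_tokenize(vault, sid, pan, exp_year, exp_month, event_date):
    """Tokenizing iFrame: reject cards that expire before the event, then tokenize."""
    # Assumption: a card is usable through the end of its expiry month.
    if (exp_year, exp_month) < (event_date.year, event_date.month):
        raise ValueError("card expires before the event date")
    return vault.tokenize(sid, pan)


def reserve_and_fulfil(pan="4111111111111111", event=date(2031, 6, 15)):
    """Run both halves of the flow; return the venue's record and the iFrame output."""
    vault = ToyVault()
    token = iframe_tokenize(vault, vault.new_session(), pan, 2032, 1, event)
    venue_record = {"employee": "constructed-user", "card_token": token}  # no PAN here
    shown = vault.detokenize(vault.new_session(), venue_record["card_token"])
    return venue_record, shown
```

Replaying a session ID raises `PermissionError`, which is why the de-tokenizing step requests a fresh one.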
The AuricVault® solution improved security by removing stored employee credit card account numbers from the venue’s servers. The iFrame is embedded in the customer's existing website. iFrames should never be overlaid, as that is a security issue.