Employees at a major event venue can request event tickets months in advance of when they can be booked.
- A nationally-recognized ticket service manages the final ticket sales.
- The venue has access to ticket sales before the public.
- The venue manually retrieves the locally-requested ticket requests and enters them into the national ticket management service.
- The employee credit card information must be secured until it is transferred to ticket service.
Do not store the employee’s credit card account number locally.
Auric developed two custom HTML iFrames for tokenizing and de-tokenizing the credit card account number.
The custom tokenizing iFrame checked that the expiration date on the credit card was later than the event date.
- The venue captures the employee orders (plus credit card information) using an in-house custom built system.
- The venue uses Browser-Side Tokenization to securely tokenize the credit card information in the user’s browser.
- When the nationally recognized ticket service makes the event available, a venue employee transfers the pre-order information from the internal service to the ticket service.
- The venue uses Browser-Side Detokenization to securely retrieve the original credit card account information.
- The AuricVault® Browser-Side Tokenization and Browser-Side Detokenization features allows the venue to stop storing credit card information locally and to remove their servers from PCI scope.
- The venue's reservation service requests an AuricVault® browser-side encryption session.
- The AuricVault® service generates a one-time use session ID.
- The venue’s service includes the session ID in the ticket reservation page, and passes it to the secure iFrame hosted on Auric’s PCI-compliant servers.
- After the employee enters their billing information, the secure iFrame sends the session ID and the credit card account number to the AuricVault® service.
- The AuricVault® service tokenizes the credit card account number and returns a token to the secure iFrame. The secure iFrame provides this token to the parent checkout page.
- The Checkout page submits the employee’s general billing information and AuricVault® token back to the venue reservation service.
- When the actual tickets are available in the third-party ticketing service, a venue employee logs into the venue reservation service to retrieve cardholder information, the Venue Reservation service requests another session ID.
- The AuricVault® service returns the new session ID.
- The venue Reservation service provides the session ID and the AuricVault® token to the employee’s browser and passes the information to a secure iFrame hosted on Auric’s PCI compliant servers.
- The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
- receives back the decrypted original credit card account number.
- A venue employee then completes the order with the third-party ticketing service.
The AuricVault® solution improved security by removing stored employee credit card account numbers from the venue’s servers. The iFrame is embedded in the Customer's existing website. iFrames should never be overlaid as that is a security issue.
- Data Separation