Deferred Ticket Orders

July 7, 2019

Employees at a major event venue can request event tickets months in advance. 

  • A nationally-recognized ticket service manages the final ticket sales.
  • The venue has access to ticket sales before the public.
  • The venue manually retrieves the locally-requested ticket requests and enters them into the national ticket management service.
  • The employee credit card information must be secured until it is transferred to ticket service.

Goal

Do not store the employee’s credit card account number locally.

Solution

Auric developed two custom HTML iFrames for tokenizing and de-tokenizing the credit card account number.
The custom tokenizing iFrame checked that the expiration date on the credit card was later than the event date.

  • The venue captures the employee orders (plus credit card information) using an in-house custom built system.
  • The venue uses Browser-Side Tokenization to securely tokenize the credit card information in the user’s browser.
  • When the nationally recognized ticket service makes the event available, a venue employee transfers the pre-order information from the internal service to the ticket service.
  • The venue uses Browser-Side Detokenization to securely retrieve the original credit card account information. 
  • The AuricVault® Browser-Side Tokenization and Browser-Side Detokenization features allows the venue to stop storing credit card information locally and to remove their servers from PCI scope.

Data Flow

Deferred tickets tokenization dataflow.
Deferred tickets data flow.
  1. The venue's reservation service requests an AuricVault® browser-side encryption session.
  2. The AuricVault® service generates a one-time use session ID.
  3. The venue’s service includes the session ID in the ticket reservation page, and passes it to the secure iFrame hosted on Auric’s PCI-compliant servers.
  4. After the employee enters their billing information, the secure iFrame sends the session ID and the credit card account number to the AuricVault® service.
  5. The AuricVault® service tokenizes the credit card account number and returns a token to the secure iFrame. The secure iFrame provides this token to the parent checkout page.
  6. The Checkout page submits the employee’s general billing information and AuricVault® token back to the venue reservation service.
  7. When the actual tickets are available in the third-party ticketing service, a venue employee logs into the venue reservation service to retrieve cardholder information, the Venue Reservation service requests another session ID.
  8. The AuricVault® service returns the new session ID.
  9. The venue Reservation service provides the session ID and the AuricVault® token to the employee’s browser and passes the information to a secure iFrame hosted on Auric’s PCI compliant servers.
  10. The Secure iFrame sends the session ID and AuricVault® token to the AuricVault® service, and
  11. receives back the decrypted original credit card account number.
  12. A venue employee then completes the order with the third-party ticketing service.

Security

The AuricVault® solution improved security by removing stored employee credit card account numbers from the venue’s servers. The iFrame is embedded in the Customer's existing website. iFrames should never be overlaid as that is a security issue. 

Technologies Used

  • Tokenization
  • Data Separation
  • Browser-side iFrame and JavaScript

Have Questions?

Contact Us

1,000 character limit.

By submitting your name, email address, phone number, and message, you are permitting us to contact you by these means in response to your inquiry or feedback. You also acknowledge that you have read our Privacy Statement and that you consent to our processing data in accordance with it.