Outbound Edge Detokenization

May 5, 2019

An order management firm aggregates repeat orders for multiple companies. Clients sign up for products to be delivered monthly and quarterly. The order management firm forwards the sales order to the end company on the requested schedule via JSON web API.

Goal

Comply with the Payment Card Industry Data Security Standard (PCI-DSS) requirements by removing the credit card account number from telemarketing firm’s environment.

Solution

The telemarketing firm was already using an embedded HTML iFrame hosted on the AuricVault® servers to collect and tokenize the credit card account number.

A detokenization web proxy service accepts outbound JSON-RPC web API requests from the order management firm, replaces the AuricVault® token with the original credit card data, and then securely forwards the order information to the end company.

Auric deployed this solution with minimal change to the firm’s existing environment:

  • a minor code change to post data to the outbound edge proxy instead of to the end companies.
  • updated their rules.

Auric forwarded new source IP addresses to the end companies.

Data Flow

[Figure: Outbound edge detokenization data flow. Caption: Outbound PCI proxy data flow.]

The Order Management Service (OMS) uses the AuricVault® service to tokenize credit card account numbers. The card data now needs to be sent to various clients or business partners.

  1. The Order Management Service sends a JSON API request to Auric’s Outbound PCI Proxy Service.
  2. The proxy service extracts the token from the request and sends the token to the AuricVault® service.
  3. The AuricVault® service returns the original credit card data.
  4. The proxy service replaces the token in the API call with the original credit card data and forwards the JSON API request to the appropriate company.
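The four steps above, as an added illustration that is not Auric's code: a minimal outbound proxy that takes the OMS request (step 1), swaps each `card_token` field for the card number via a vault lookup (steps 2 and 3), and returns the detokenized body with its destination (step 4). The field name `card_token`, the `VAULT` dictionary standing in for the AuricVault® lookup, and the destination allow-list are all assumptions; the proxy fails closed on an unknown token or an unconfigured destination.

```python
import json
from typing import Any, Callable, Dict

# Constructed stand-in for the vault lookup (steps 2 and 3); the real
# AuricVault API is not shown on the page, so a plain dict is used here.
VAULT: Dict[str, str] = {"tok_4c1e9a": "4111111111111111"}  # constructed values

# Only destinations the proxy is configured for may receive card data (hypothetical).
ALLOWED_DESTINATIONS = {"acme": "https://orders.acme.example/api"}


def vault_lookup(token: str) -> str:
    """Return the card number for a token; fail closed on an unknown token."""
    if token not in VAULT:
        raise ValueError("unknown token")
    return VAULT[token]


def swap_tokens(node: Any, lookup: Callable[[str], str]) -> Any:
    """Walk the JSON tree and replace every 'card_token' key with 'card_number'."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == "card_token":
                out["card_number"] = lookup(value)
            else:
                out[key] = swap_tokens(value, lookup)
        return out
    if isinstance(node, list):
        return [swap_tokens(item, lookup) for item in node]
    return node


def proxy_outbound(raw_request: str, lookup: Callable[[str], str] = vault_lookup):
    """Step 1 in, step 4 out: return (destination_url, detokenized JSON text)."""
    request = json.loads(raw_request)
    dest = request.get("params", {}).get("destination")
    if dest not in ALLOWED_DESTINATIONS:
        raise ValueError("destination not configured")
    forwarded = swap_tokens(request, lookup)
    return ALLOWED_DESTINATIONS[dest], json.dumps(forwarded)


# Constructed sample of what the OMS posts to the proxy (step 1).
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "submit_order", "id": 7,
    "params": {"destination": "acme",
               "order": {"sku": "COFFEE-12", "qty": 2,
                         "payment": {"card_token": "tok_4c1e9a", "exp": "12/26"}}},
})

if __name__ == "__main__":
    url, body = proxy_outbound(SAMPLE_REQUEST)
    print(url, body)
```

The actual HTTPS POST to the end company is left out; the returned body is what that POST would carry, and the token never leaves the proxy in the forwarded message.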

Security

The Auric inbound and outbound proxy services completely remove the credit card data from the order management firm’s data flow.

NOTE: Auric's Proxy Service can manage different API calls to different processors. It is not limited to JSON interfaces. It supports XML, SOAP, HTML web forms, and custom data formats.

