An order management service collects customer orders and payment information and then submits recurring orders to multiple manufacturers on a monthly or quarterly basis until the account is cancelled. The manufacturers use a variety of JSON web API interfaces.
Goal
Securely convey tokenized credit card data using multiple Web API interfaces.
Solution
The order management service was already using an embedded HTML iFrame hosted on the AuricVault® servers to collect and tokenize the credit card account number.
A detokenization web proxy service accepts outbound JSON-RPC web API requests from the order management service, replaces the AuricVault® token with the original credit card data, and then securely forwards the order information to the manufacturer.
Auric deployed this solution with minimal change to the firm's existing environment:
- a minor code change to post data to the outbound edge proxy instead of directly to the end companies.
- the firm updated their rules.
- Auric forwarded the proxy's new source IP addresses to the end companies.
Data Flow
Outbound PCI proxy data flow.
The Order Management Service (OMS) uses the AuricVault® service to tokenize credit card account numbers. The card data now needs to be sent to various clients or business partners.
- The Order Management Service sends a JSON API request to Auric’s Outbound PCI Proxy Service.
- The proxy service extracts the token from the request and sends the token to the AuricVault® service.
- The AuricVault® service returns the original credit card data.
- The proxy service replaces the token in the API call with the original credit card data and forwards the JSON API request to the appropriate company.
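A minimal model of the proxy's detokenization step (the last step above), added here as an illustration rather than Auric's own code: the vault, the token format, the destination host and the allow-listed JSON paths are all constructed for the example. It shows the check a practitioner would want from such a proxy: tokens are swapped only in fields the policy names, and only for destinations the policy knows.

```python
import copy
import re

# Constructed stand-in for the vault: an in-memory token -> PAN map, not the
# AuricVault API. The PAN is the standard test number, not a real card.
FAKE_VAULT = {"tok_7f3a9c2e": "4111111111111111"}
TOKEN_RE = re.compile(r"^tok_[0-9a-f]{8}$")  # token format assumed for the example

# Per-destination policy (hypothetical host): which outbound hosts the proxy may
# forward to, and which JSON paths in the request are allowed to carry a token.
FORWARD_POLICY = {"api.manufacturer-a.example": ["params.payment.card_number"]}

# Constructed example of the JSON-RPC order the OMS posts to the proxy.
SAMPLE_OMS_REQUEST = {
    "jsonrpc": "2.0", "method": "order.create", "id": 1,
    "params": {"order_id": "A-1001",
               "payment": {"card_number": "tok_7f3a9c2e", "exp": "12/29"}},
}

def _locate(obj, path):
    """Return (parent_dict, last_key) for a dotted path into nested dicts."""
    keys = path.split(".")
    for k in keys[:-1]:
        obj = obj[k]
    return obj, keys[-1]

def detokenize_request(dest_host, request, vault_lookup=FAKE_VAULT.get):
    """Return the copy to forward, with allow-listed token fields swapped for card data.

    The caller's request (and anything logged on the OMS side) keeps only the token.
    An unknown destination, a field without a token, or an unknown token raises
    ValueError so the request is dropped instead of forwarded with card data.
    """
    if dest_host not in FORWARD_POLICY:
        raise ValueError(f"destination not allow-listed: {dest_host}")
    out = copy.deepcopy(request)
    for path in FORWARD_POLICY[dest_host]:
        parent, key = _locate(out, path)
        token = parent.get(key)
        if not isinstance(token, str) or not TOKEN_RE.match(token):
            raise ValueError(f"{path} does not contain a token")
        card = vault_lookup(token)
        if card is None:
            raise ValueError(f"unknown token in {path}")
        parent[key] = card  # only the forwarded copy ever holds the PAN
    return out

if __name__ == "__main__":
    fwd = detokenize_request("api.manufacturer-a.example", SAMPLE_OMS_REQUEST)
    print(fwd["params"]["payment"]["card_number"])  # 4111111111111111
```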
Security
The Auric inbound and outbound proxy services completely remove the credit card data from the order management firm’s data flow.
NOTE: Auric's Proxy Service can manage different API calls to different processors. It is not limited to JSON interfaces. It supports XML, SOAP, HTML web forms, and custom data formats.
Technologies Used
- Detokenization
- Data Separation
- Proxy4PCI PCI proxy.