Outbound Edge Detokenization

May 5, 2019

An order management service collects customer orders and payment information and then submits recurring orders to multiple manufacturers on a monthly or quarterly basis until the account is cancelled. The manufacturers use a variety of JSON web API interfaces.

Goal

Securely convey tokenized credit card data using multiple Web API interfaces.

Solution

The order management service was already using an embedded HTML iFrame hosted on the AuricVault® servers to collect and tokenize the credit card account number.

A detokenization web proxy service accepts outbound JSON-RPC web API requests from the order management service, replaces the AuricVault® token with the original credit card data, and then securely forwards the order information to the manufacturer.

Auric deployed this solution with minimal change to the firm’s existing environment:

  • a minor code change to post data to the outbound edge proxy instead of directly to the end companies.
  • updated their rules.

Auric forwarded new source IP addresses to the end companies.

Data Flow

Figure: Outbound PCI proxy data flow.

The Order Management Service (OMS) uses the AuricVault® service to tokenize credit card account numbers. The card data now needs to be sent to various clients or business partners.

  1. The Order Management Service sends a JSON API request to Auric’s Outbound PCI Proxy Service.
  2. The proxy service extracts the token from the request and sends the token to the AuricVault® service.
  3. The AuricVault® service returns the original credit card data.
  4. The proxy service replaces the token in the API call with the original credit card data and forwards the JSON API request to the appropriate company.
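
The four steps above as an added Python example; it is not Auric's code or API. The in-memory vault, the field names `card_token` and `card_number`, the destination table and the sample request are constructed assumptions; a real proxy would query the vault service and POST the result over TLS.

```python
import json

# Constructed sample data; all names and values below are assumptions.
SAMPLE_VAULT = {"tok_constructed_0001": "4111111111111111"}  # token -> test PAN
ALLOWED_DESTINATIONS = {"acme": "https://api.acme.example/rpc"}
TOKEN_FIELD, PAN_FIELD = "card_token", "card_number"
SAMPLE_REQUEST = json.dumps({
    "jsonrpc": "2.0", "method": "order.submit", "id": 7,
    "params": {"sku": "A-100",
               "payment": {"card_token": "tok_constructed_0001", "exp": "12/30"}},
})


class DetokenizationError(Exception):
    """Raised when the proxy must refuse to forward a request."""


def detokenize(node, vault):
    """Steps 2-4: copy the request, swapping each token field for card data."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            if key == TOKEN_FIELD:
                # Fail closed: an unknown token is never forwarded as-is.
                if not isinstance(value, str) or value not in vault:
                    raise DetokenizationError("token not found in vault")
                out[PAN_FIELD] = vault[value]
            else:
                out[key] = detokenize(value, vault)
        return out
    if isinstance(node, list):
        return [detokenize(item, vault) for item in node]
    return node


def build_outbound(raw_request, destination, vault=SAMPLE_VAULT):
    """Return (url, body) for the caller to POST over TLS; sends nothing itself."""
    if destination not in ALLOWED_DESTINATIONS:
        raise DetokenizationError("destination is not allow-listed")
    try:
        request = json.loads(raw_request)
    except json.JSONDecodeError as exc:
        raise DetokenizationError("request is not valid JSON") from exc
    return ALLOWED_DESTINATIONS[destination], json.dumps(detokenize(request, vault))


if __name__ == "__main__":
    url, body = build_outbound(SAMPLE_REQUEST, "acme")
    print(url, "<- body with card data (not logged)")
```

The detokenized body exists only on the proxy side of the boundary, so anything the proxy writes to logs should reference the token rather than the outbound body.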

Security

The Auric inbound and outbound proxy services completely remove the credit card data from the order management firm’s data flow.

NOTE: Auric's Proxy Service can manage different API calls to different processors. It is not limited to JSON interfaces. It supports XML, SOAP, HTML web forms, and custom data formats.

Technologies Used

  • Detokenization
  • Data Separation
  • Proxy4PCI PCI proxy.
