More about Filter and Forward Proxies

Our Filter and Forward proxies are one of the main ways that PCI Proxy is used. We act as intermediaries between you and third-parties that you use. Check out our concepts to read about some of the terminology used in this context.

These proxies are intended for server-to-server data transfers and not browser-based or customer facing tokenizations. For that, refer to Secure Fields.

Filter Proxy

Simply redirect requests coming to you which contain sensitive card data through PCI Proxy to avoid sensitive data hitting your servers. PCI Proxy automatically scans the requests for sensitive card data. Located card data is instantly collected, tokenized and stored in our secure vaults.

PCI Proxy sits between you and third-party partners.

PCI Proxy sits between you and third-party partners. This an example of a Push request (initiated by your partner).

A reference string (token) is issued that substitutes the sensitive data in the request or response. All the other headers and the payload always remain the same.


Tokenization happens before sensitive card data touches your servers and reduces your PCI scope.

Forward Proxy

Since each token in our vaults is mapped to a specific credit card number, CVV or custom value, you simply use this token to tell us what you would like to do with the underlying data.

Typically, you will want to forward this data to third-party receivers (see Concepts for more details) which may be online travel agencies, payment gateways, fraud prevention partners, hotels, airlines, car rentals, just to list a few.

PCI Proxy will detokenize your data before it reaches third-party partners.

PCI Proxy will detokenize your data before it reaches third-party partners. This is an example of a Pull request (initiated by you).

Redirect your API requests, containing your tokens, through PCI Proxy and we will detokenize them before forwarding them through to your desired PCI-compliant third-party partner. Any responses from the receiver will be returned to you and once again, sensitive card data is tokenized if required.


Receivers must be PCI DSS compliant, since they are accepting sensitive card data. A valid AOC is required for each third-party receiver.

Refer to PCI DSS Validation for more details.

Network Tokenization (optional)

In case you want to create Network Tokens via the Filter API, make sure that your payload contains the expiry date of the credit card (month and year) and that we have configured the integration on our side accordingly. Check the payload mentioned on the integration which is installed on your project in the dashboard.

Example payload

  "source": {
    "card": {
      "cardNumber": "4242424242424242",
      "expiry_month_number": "05",
      "expiry_year_number": "23"

TCP Ports


Note the allowed TCP ports for endpoints:

Sandbox: Port 80 and 443

Production: Port 443.