A third-party makes a request for sensitive data from you.

Your partner can request sensitive information from you via PCI Proxy.

Your partner can request sensitive information from you via PCI Proxy.

Push (Receiver) integrations are those where Receivers can request data, including sensitive data, from you, through PCI Proxy. Your response, which initially contains tokens, will be detokenized before it reaches the Receiver. Non-sensitive headers and payloads are kept without modification.

How it works

Just like with Push (Channel) integrations, you will receive a {uniquePushKey} for each Push (Receiver) integration. Together with our PCI Proxy Push API endpoint, you will have a unique PCI Proxy endpoint that is specific for that integration. You can then redirect requests coming from a Receiver by changing your original API endpoint to the unique PCI Proxy endpoint.


This integration type requires us to whitelist the third-party's IP address so that we recognize them.

Contact us to get them added to our whitelist.

Now, when a Receiver sends a request to this unique PCI Proxy endpoint, we will match it to your account and any payloads or headers with tokens will be detokenized into their plain text form.


In sandbox mode, only test credentials are allowed.


Roomcloud is a booking manager for hotels. As a hotel with rooms listed on Roomcloud, you can allow Roomcloud to request sensitive information from you which is stored in our vaults. Instead of calling your original API endpoint, they will call the unique PCI Proxy endpoint that is associated with your account. In the sample set up below, we see that tokens are converted to the field Number or CVC once detokenized.

<channelType name="{{self.id}}" label="{{self.name}}" legacyName="roomcloud.soap-ota.xml.rs.ac.acvv">
		<SimpleXPathMatcher path="//*[local-name()='CreditCard']/*[local-name()='Number']" replacerType="AC"/>
		<SimpleXPathMatcher path="//*[local-name()='CreditCard']/*[local-name()='CVC']" replacerType="ACVV"/>