Push

A third party makes a request for sensitive data from you.

Your partner can request sensitive information from you via PCI Proxy.

Push Receiver integrations allow Receivers - third-party systems that need access to raw cardholder data - to request information, including sensitive details, from you via PCI Proxy. Your initial response contains tokenized values, which PCI Proxy securely detokenizes before delivering the response to the Receiver. All non-sensitive headers and payload elements remain unchanged.

How it works

When you add a Push integration to your account, you receive a uniquePushKey for that integration. Combined with the PCI Proxy Push API endpoint, it gives you a unique PCI Proxy endpoint that is specific to that integration. You can then redirect requests coming from a Receiver by changing your original API endpoint to the unique PCI Proxy endpoint.

Now, when a Receiver sends a request to this unique PCI Proxy endpoint, we will match it to your account and any response payloads with tokens will be detokenized into their plain text form.

Who initiates the request?

  • A third-party Receiver of plain text card data initiates the request to the PCI Proxy endpoint, not directly to your API.

What happens?

  • PCI Proxy sets up an integration tailored to your requirements, configured to forward incoming requests to your designated endpoint.
  • The Receiver sends a request to PCI Proxy’s unique endpoint (associated with your account via uniquePushKey).
  • PCI Proxy matches the request to your account and forwards it to your original API endpoint.
  • Your API responds with PCI Proxy aliases instead of raw card data.
  • PCI Proxy detokenizes these aliases into plain text before delivering the response to the Receiver.
  • Non-sensitive headers and payload remain unchanged.
This integration type requires us to whitelist the third party's IP address so that we recognize them.

Contact us to get them added to our whitelist.

Only parties that are certified as PCI DSS Level 1 compliant are permitted to receive raw cardholder data through PCI Proxy.

In sandbox mode, only test credentials are allowed.

Example

Roomcloud is a booking management platform for hotels. As a hotel with rooms listed on Roomcloud, you can authorize Roomcloud to request sensitive information from you, which is securely stored in our vaults.

Instead of calling your original API endpoint directly, Roomcloud will use the unique PCI Proxy endpoint associated with your account.

Your HTTP response will return PCI Proxy aliases for the credit card number and CVV, rather than the raw card data. PCI Proxy then converts these aliases back to the corresponding raw values and forwards the complete response to the request initiator, in this case Roomcloud.
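
A check you could run on your API's response before a Receiver is pointed at the PCI Proxy endpoint, given here as an added example that is not PCI Proxy's code: it flags any Luhn-valid card number or numeric `<CVC>` still present in the XML. It goes slightly beyond the page by scanning every element rather than only `<Number>`; the function names are hypothetical and the sample bodies are constructed from the values in this page's example responses.

```python
import re
import xml.etree.ElementTree as ET

# 13-19 digits, allowing single spaces or hyphens between them.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
CVC_RE = re.compile(r"\d{3,4}")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_raw_card_data(xml_text: str) -> list:
    """Return (element, kind) pairs for values that look like raw card data."""
    findings = []
    # Input is your own API's response; do not reuse this parser on untrusted XML.
    for elem in ET.fromstring(xml_text).iter():
        text = (elem.text or "").strip()
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix
        for match in PAN_RE.finditer(text):
            if luhn_ok(re.sub(r"\D", "", match.group())):
                findings.append((tag, "PAN"))
        if tag == "CVC" and CVC_RE.fullmatch(text):
            findings.append((tag, "CVC"))
    return findings

# Constructed sample bodies using the values from this page's example responses.
TEMPLATE = ("<root><CreditCard><Original><Expiry>1/2030</Expiry>"
            "<Holder>Test Tester</Holder><Number>{number}</Number>"
            "<Type>MasterCard</Type><CVC>{cvc}</CVC>"
            "<IsVirtualCC>false</IsVirtualCC></Original></CreditCard></root>")
RAW = TEMPLATE.format(number="4111111111111111", cvc="123")
ALIASED = TEMPLATE.format(number="AABcH0Bq92s3kgAESIAAbGj5NIsAHWC",
                          cvc="AEcyq81HSCWWGihU")

if __name__ == "__main__":
    for name, body in (("raw", RAW), ("aliased", ALIASED)):
        print(name, find_raw_card_data(body))
```

An empty result for every response your endpoint can produce is the condition to meet before the Receiver switches over; any finding means raw data would leave your system.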

Request
curl --location --request GET 'https://your.domain.com/reservations' \
-H 'Content-Type: application/xml' \
-H 'Authorization: ••••••' \
-d '<?xml version="1.0" encoding="utf-16"?>
<ReservationsRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" DateTime="0001-01-01T00:00:00" Property_id="12345">
    <Limit xsi:nil="true" />
    <Type>ReservationPull</Type>
</ReservationsRequest>'

Response
HTTP/1.1 200 OK
Content-Type: application/xml
X-Request-ID: abc123xyz
Date: Wed, 03 Dec 2025 12:13:20 GMT

<?xml version="1.0" encoding="UTF-8" ?>
<root>
  ...
  <CreditCard>
    <Original>
      <Expiry>1/2030</Expiry>
      <Holder>Test Tester</Holder>
      <Number>4111111111111111</Number>
      <Type>MasterCard</Type>
      <CVC>123</CVC>
      <IsVirtualCC>false</IsVirtualCC>
    </Original>   
  </CreditCard>
  ...
</root>

Request
curl --location --request GET 'https://api.pci-proxy.com/v1/push/{yourPushKey}' \
-H 'Content-Type: application/xml' \
-H 'Authorization: ••••••' \
-d '<?xml version="1.0" encoding="utf-16"?>
<ReservationsRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" DateTime="0001-01-01T00:00:00" Property_id="12345">
    <Limit xsi:nil="true" />
    <Type>ReservationPull</Type>
</ReservationsRequest>'

Response
HTTP/1.1 200 OK
Content-Type: application/xml
X-Request-ID: abc123xyz
Date: Wed, 03 Dec 2025 12:13:20 GMT

<?xml version="1.0" encoding="UTF-8" ?>
<root>
  ...
  <CreditCard>
    <Original>
      <Expiry>1/2030</Expiry>
      <Holder>Test Tester</Holder>
      <Number>AABcH0Bq92s3kgAESIAAbGj5NIsAHWC</Number>
      <Type>MasterCard</Type>
      <CVC>AEcyq81HSCWWGihU</CVC>
      <IsVirtualCC>false</IsVirtualCC>
    </Original>   
  </CreditCard>
  ...
</root>

Request
-curl --location --request GET 'https://your.domain.com/reservations' \
+curl --location --request GET 'https://api.pci-proxy.com/v1/push/{yourPushKey}' \
 -H 'Content-Type: application/xml' \
 -H 'Authorization: ••••••' \
 -d '<?xml version="1.0" encoding="utf-16"?>
 <ReservationsRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema"  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" DateTime="0001-01-01T00:00:00"  Property_id="12345">
    <Limit xsi:nil="true" />
    <Type>ReservationPull</Type>
 </ReservationsRequest>'
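
Review bot: on the `+curl` line the push key is carried in the URL path, so it will be recorded wherever URLs are logged; treat it as a routing identifier rather than a secret, and rely on the `Authorization` header (unchanged context here) and the IP whitelist described above for access control. It would also help to state next to the snippet that `{yourPushKey}` is a placeholder to substitute.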

Response
HTTP/1.1 200 OK
Content-Type: application/xml
X-Request-ID: abc123xyz
Date: Wed, 03 Dec 2025 12:13:20 GMT

<?xml version="1.0" encoding="UTF-8" ?>
<root>
  ...
  <CreditCard>
    <Original>
      <Expiry>1/2030</Expiry>
      <Holder>Test Tester</Holder>
-     <Number>4111111111111111</Number>
+     <Number>AABcH0Bq92s3kgAESIAAbGj5NIsAHWC</Number>
      <Type>MasterCard</Type>
-     <CVC>123</CVC>
+     <CVC>AEcyq81HSCWWGihU</CVC>
      <IsVirtualCC>false</IsVirtualCC>
    </Original>   
  </CreditCard>
  ...
</root>
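
Review bot: the `+` lines for `<Number>` and `<CVC>` show aliases, which per the text above is what your API returns to PCI Proxy and not what the Receiver finally receives after detokenization; a caption saying whose view this response is would prevent misreading. Also, the removed `<Number>4111111111111111</Number>` starts with 4, which is the Visa range, while the unchanged `<Type>` line says `MasterCard`; aligning the two would keep the sample consistent.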