PCI Vault lets you capture data without having the data touch your own server at all.
To do this without compromising your passphrase or your authorization details, you can create a shareable unique endpoint. This endpoint can only be used for storing data in the vault, nothing else.
Create a temporary endpoint that you can share with others without compromising your passphrase. This endpoint will capture data that can later be decrypted with the same key that was used to create the endpoint.
We have a PCD web form that is ready-made to use this endpoint; you can get instructions here on how to use the Capture PCD form.
This endpoint can also auto-generate the form HTML for you. To do this, set the Accept header in your request to text/html. The generated form HTML will work out of the box and can be injected directly into your HTML.
Important: We store an encrypted version of the provided key in our database. This endpoint generates a secret necessary to decrypt the key and securely store the captured data. Anybody with the secret can use the generated endpoint to post data on your behalf. We do not store this secret. We recommend that you delete the endpoint after use.
The identifier for the key that will be used to encrypt submitted data.
The passphrase for the key that will be used to encrypt submitted data.
A unique name for the endpoint. Uniqueness is enforced across the entire vault, so you can't use a unique id that is currently being used by someone else.
The duration for which the endpoint will be active. This can be specified using an ISO8601 duration string. To make the endpoint never expire, give it a duration of 0, i.e. P0T.
The tokenization algorithm to use. See the tokenization guide for more information.
PCI Vault can try to parse credit card numbers, CVV numbers, and expiry dates in a smart way. To enable smart parsing for data sent to this endpoint, set this flag to true. If the parsing is successful, the parsed item will contain a JSON object with the parsed data; otherwise the request will be rejected with error 400.
A comma separated list of rule ids to apply to the data in order. The rules are applied just before the data is encrypted and stored in the vault.
Set the Accept header to text/html to receive the endpoint data in ready-made HTML code.
A webhook to send the capture result to.
The URL for the webhook. This must be an https URL.
A secret that will be returned in the webhook call's X-PCIVault-Webhook-Secret header.
A value between 1 and 8 for the maximum number of times the webhook should be called per token update. Calls to the webhook will stop on a 200 HTTP response, or when max_attempts are reached.
Some metadata which will be merged into the webhook response. This is useful for uniquely identifying webhook responses to requests.
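On the receiving side, the webhook secret and the retry behaviour described above can be handled as follows. This is an added example, not PCI Vault code: it assumes a Node.js receiver and a JSON webhook body, and the names secretMatches, handleWebhook and makeServer are hypothetical.

```javascript
// Added example (not PCI Vault code): authenticate webhook calls by the
// X-PCIVault-Webhook-Secret header before acting on them.
// Assumption: the webhook body is JSON.
const { createHash, timingSafeEqual } = require('node:crypto');
const http = require('node:http');
const sha256 = (s) => createHash('sha256').update(s).digest();

// Hashing both values gives equal-length buffers, so timingSafeEqual never
// throws and timing does not reveal the position of a mismatch.
function secretMatches(received, expected) {
  if (typeof received !== 'string' || received === '') return false;
  return timingSafeEqual(sha256(received), sha256(expected));
}

// Decide how to answer one delivery. `seen` holds digests of bodies already
// handled (assumption: in memory here; use shared storage in production).
function handleWebhook(headers, rawBody, expectedSecret, seen) {
  // Node lower-cases incoming header names.
  if (!secretMatches(headers['x-pcivault-webhook-secret'], expectedSecret)) {
    return { status: 401, process: false };
  }
  let payload;
  try { payload = JSON.parse(rawBody); } catch { return { status: 400, process: false }; }
  // A redelivery (up to max_attempts) must not be processed twice, but it
  // still gets a 200 so that PCI Vault stops calling.
  const digest = sha256(rawBody).toString('hex');
  if (seen.has(digest)) return { status: 200, process: false };
  seen.add(digest);
  return { status: 200, process: true, payload };
}

// HTTP wiring; run it behind TLS because the webhook URL must be https.
function makeServer(expectedSecret, onResult, maxBytes = 1 << 20) {
  const seen = new Set();
  return http.createServer((req, res) => {
    let body = '';
    req.setEncoding('utf8');
    req.on('data', (chunk) => {
      body += chunk;
      if (body.length > maxBytes) req.destroy(); // refuse oversized bodies
    });
    req.on('end', () => {
      const out = handleWebhook(req.headers, body, expectedSecret, seen);
      if (out.process) onResult(out.payload);
      res.writeHead(out.status).end();
    });
  });
}
```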
Accept |
application/json |
List available capture endpoints. This list may include expired endpoints. Expired endpoints can't be used and will be deleted.
Optional key identifier for filtering endpoints.
# No Body
Encrypt, tokenize, and store data securely in the vault without having access to a key.
The data object is limited to 256KB per request. It does not need to comply with the example value, but it must be a valid JSON object.
Please specify a number in the data with one of these keys: card_number, account_number, n, or number.
Alternatively, specify a number in the query string.
The unique id of the endpoint to use.
This number is used for generating a token. It is only required if not specified in the body, and will not be stored.
A reference to assist with lookups and grouping of data.
The secret associated with the endpoint.
Any valid JSON object
Delete a capturing endpoint. Please note that this endpoint can also be used to delete retrieval endpoints by specifying a unique id belonging to a retrieval endpoint.
The unique id of the endpoint to delete.
# No Body
Use this endpoint to create a hosted form which can be embedded in an iFrame.
The created form will be publicly visible, and can be used with any capture endpoint.
This endpoint is zero-rated.
The type of form. This can be either pcd for credit card, ach for bank details, or custom for a custom form.
A unique id for the form. This id must be a system-wide unique id. If you don't specify an id, PCI Vault will generate one for you.
A list of CSS links to include. This is useful for externally hosting CSS to modify the form.
A list of JavaScript links to include. This is useful for externally hosting JavaScript to modify the form.
Base64 encoded CSS. This CSS will be included in a <style> tag in the form HTML.
Base64 encoded JavaScript. This JavaScript will be included in a <script> tag in the form HTML.
Base64 encoded JavaScript function which will be invoked when the form is submitted successfully.
Base64 encoded JavaScript function which will be invoked if an error occurs when the form is submitted.
Set to true to force the use of a randomized keypad input.
Set to false to hide the sample credit card on the PCD form.
Set to true to disable all validation on the PCD form.
Set to true to strip spaces from the credit card on the PCD form.
A JavaScript object, specifying which fields to validate or display. Each key is optional, but must have an object value with validate and/or visible as keys containing true or false as values. Unspecified, undefined, or null keys will be overridden by true values. Invisible fields will not be validated.
Request the HTML for rendering the hosted HTML form.
This link can be included in an iFrame like this:
<iframe
src="https://api-stage.pcivault.io/v1/capture/iframe/MmRMVP4UjYD8g5kVUcmx4Z?unique_id=MThcun2CoC9Eeou3khz4cN&secret=QyXgJqG3d2Tj7ttsbRHI5TffocOg3dZGYmuOuDCLE-wPi_CxoJh7uKSROpm8hIHJ"
></iframe>
This endpoint is publicly available; no Basic Auth or secret headers are necessary. However, the unique id and secret for a valid Capture Endpoint are necessary for the form to be usable.
The id for the form you want to access
The unique id for the capture endpoint to which the form should send data.
The secret for the capture endpoint to which the form should send data.
Set this to true to send data to the staging environment rather than production.
The HTML title for the hosted form.
# No Body
Delete a hosted endpoint. You can only delete a form that was created by the same Basic Auth user.
The id of the hosted form to delete.
# No Body