Tokenize Push Request

The AuvProxy service can tokenize sensitive data in requests pushed to your web service through the AuvProxy. Your web server’s response is returned through the proxy to the target web service.

Example Dataflow

[Figure: push tokenize/pass dataflow diagram (push-tokenize-pass.svg)]

An application on the target web service POSTs a transaction to the AuvProxy service. The AuvProxy service then:

  • Finds sensitive data.

  • Tokenizes the sensitive data with the AuricVault® service.

  • Looks up the destination URL in the local configuration.

  • POSTs the tokenized data to your web service.

  • Receives the response from your web service and returns it to the target web service.

Each request can have multiple sensitive fields to be tokenized.

GuestTraction Example

Before
<Guarantee>
    <GuaranteesAccepted>
        <GuaranteeAccepted>
            <PaymentCard
                CardNumber="41111111111111111"
                CardType="1"
                ExpireDate="1229"
                CardCode="VI">
                <CardHolderName>J. Smith</CardHolderName>
            </PaymentCard>
        </GuaranteeAccepted>
        <GuaranteeAccepted>
            <PaymentCard
                CardNumber="340000000000009"
                CardType="3"
                ExpireDate="0130"
                CardCode="AX">
                <CardHolderName>B. Jones</CardHolderName>
            </PaymentCard>
        </GuaranteeAccepted>
    </GuaranteesAccepted>
</Guarantee>
After
<Guarantee>
    <GuaranteesAccepted>
        <GuaranteeAccepted>
            <PaymentCard
                CardNumber="NtVH5Lfh370ZQBN1111"
                CardType="1"
                ExpireDate="mmyy"
                CardCode="VI">
                <CardHolderName>J. Smith</CardHolderName>
            </PaymentCard>
        </GuaranteeAccepted>
        <GuaranteeAccepted>
            <PaymentCard
                CardNumber="NBQZ073hfL5HVtN0009"
                CardType="3"
                ExpireDate="mmyy"
                CardCode="AX">
                <CardHolderName>B. Jones</CardHolderName>
            </PaymentCard>
        </GuaranteeAccepted>
    </GuaranteesAccepted>
</Guarantee>
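
A check your web service could run on each pushed request to confirm that no clear card data got past tokenization. This is an added example, not Auric's code: the function name is hypothetical, the samples are trimmed from the fragments above, and it assumes tokens are never all digits (as in the sample tokens shown).

```python
import re
import xml.etree.ElementTree as ET

PAN_RE = re.compile(r"\d{12,19}")                # all digits, card-number length
EXPIRY_RE = re.compile(r"(0[1-9]|1[0-2])\d{2}")  # a real MMYY expiry

# Constructed samples, trimmed from the GuestTraction fragments above.
BEFORE = """<Guarantee><GuaranteesAccepted>
  <GuaranteeAccepted><PaymentCard CardNumber="41111111111111111" ExpireDate="1229"/></GuaranteeAccepted>
  <GuaranteeAccepted><PaymentCard CardNumber="340000000000009" ExpireDate="0130"/></GuaranteeAccepted>
</GuaranteesAccepted></Guarantee>"""
AFTER = """<Guarantee><GuaranteesAccepted>
  <GuaranteeAccepted><PaymentCard CardNumber="NtVH5Lfh370ZQBN1111" ExpireDate="mmyy"/></GuaranteeAccepted>
  <GuaranteeAccepted><PaymentCard CardNumber="NBQZ073hfL5HVtN0009" ExpireDate="mmyy"/></GuaranteeAccepted>
</GuaranteesAccepted></Guarantee>"""


def find_untokenized(xml_text):
    """Return (card index, attribute) for each PaymentCard field that still
    looks like clear card data. The values themselves are never returned,
    so the findings are safe to log."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTDs are not expected in a pushed request")
    findings = []
    root = ET.fromstring(xml_text)
    # Match on the local name so namespaced (OTA) and bare fragments both work.
    cards = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "PaymentCard"]
    for index, card in enumerate(cards):
        # Drop spaces and dashes so "4111 1111 ..." is still recognised.
        number = re.sub(r"[\s-]", "", card.get("CardNumber", ""))
        if PAN_RE.fullmatch(number):
            findings.append((index, "CardNumber"))
        if EXPIRY_RE.fullmatch(card.get("ExpireDate", "").strip()):
            findings.append((index, "ExpireDate"))
    return findings


if __name__ == "__main__":
    print("before:", find_untokenized(BEFORE))
    print("after: ", find_untokenized(AFTER))
```

A non-empty result means the request should be rejected and investigated rather than stored.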

Supported Targets

The push request tokenization can work with any web service API.

Auric ensures the pertinent HTTP request headers sent from the target web service are passed through to your web service.

Auric whitelists and tests each new target service before deploying it to production.

Contact sales@AuricSystems.com to discuss adding the target web services you need for your environment.

Whitelisted Domains

Whitelisting the target domains (and limiting the service’s inbound firewall access) ensures your service is accessed from a controlled set of targets.

GuestTraction

<PaymentCard
    CardNumber="Tokenized"
    CardType="1"
    ExpireDate="mmyy"
    CardCode="VI">
    <CardHolderName>J. Smith</CardHolderName>
</PaymentCard>

More Than Booking Engines and Credit Cards

It is simple to add support for targets other than booking engines to the proxy service. The service can also support tokenizing non-PCI data such as driver licenses, birthdates, etc.

Submitting Requests

All requests to the proxy service are via HTTPS POSTs. The body of the POST contains the normal data the target service would usually send to your web service.

HTTP Request Headers

The AuvProxy service does not require the target web service to send any special HTTP headers.

CONTENT-TYPE

The AuvProxy passes through the Content-Type POSTed by the target web service.

X-VAULT-TRACE-UID

A unique tracking ID that you and Auric can use to trace transactions through our services. The AuvProxy service generates this value before forwarding the request to your web service.

Please track and store these values, as they help debug any issues that arise. The generated tracking ID will be unique.

The value is printable ASCII characters and no longer than 64 characters.

X-VAULT-ELAPSED

Time spent looking up tokens in the AuricVault® service. Value is returned in decimal seconds.

Support for Basic Authentication

The proxy service supports HTTP Basic authentication using the standard Authorization header. The service passes this header directly through to your web service.

URL Format

The URL to POST to has the following format:

/v1/tokenize/pass/<target-id>/<AccessID>/

Auric support provides your access identifier and the custom target-id for each push service your web service supports.

The proxy uses the target-id value to look up the destination URL from the local settings.

HTTP Response Headers

The following HTTP response headers are returned by the proxy service.

Third-party service providers will ignore almost all these values. They are provided for scenarios where you may be pushing within your own business environment.

Content-Type

This is always the content type returned from your web service.

Server

The HTTP Server header returned by the target service. If not present, returns: |proxy| v<Version Number>.

X-ELAPSED

Total time required to process the request.

X-VAULT-ELAPSED

Time spent looking up tokens in the AuricVault® service.

X-DESTINATION-ELAPSED

Time spent waiting for the target to respond.

X-VAULT-TRACE-UID

The same trace ID submitted with the original request.

X-PCI-PROXY-ERROR

Used to identify error codes returned by the proxy vs. error codes returned by the target.

(All times are in decimal seconds.)

Using the X-PROXY-ERROR Header

This header is only returned when the proxy service encounters an internal problem or a communication problem with the target.

At present, the header value is always set to 1, but it should be assumed there will be other values returned during future service enhancements.

Whenever you receive a non-200 HTTP status response, check if this header is present. The header allows you to distinguish between status codes returned by the proxy and those returned by the target.

For example, if you receive an HTTP status code of 500, you should then check for this header. If the header was returned, then the proxy itself encountered a problem. If the header was not returned, then it was the target service itself that generated the 500 status code.
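
The header check described above, written as an added example for a caller pushing within its own environment (it is not Auric's code). The function names and sample header values are constructed, and because this page spells the error header both as X-PCI-PROXY-ERROR and X-PROXY-ERROR, the sketch accepts either.

```python
import math

# This page spells the header both ways, so accept either.
PROXY_ERROR_HEADERS = ("x-pci-proxy-error", "x-proxy-error")
ELAPSED_HEADERS = ("x-elapsed", "x-vault-elapsed", "x-destination-elapsed")


def _trace_uid(value):
    """Return the trace ID only if it is 1-64 printable ASCII characters."""
    if value and len(value) <= 64 and all(0x20 <= ord(c) <= 0x7E for c in value):
        return value
    return None  # never write an unvalidated header value into a log line


def _seconds(value):
    """Parse a decimal-seconds header; None if missing or not a sane number."""
    try:
        seconds = float(value)
    except (TypeError, ValueError):
        return None
    return seconds if math.isfinite(seconds) and seconds >= 0 else None


def classify_response(status, headers):
    """Decide whether a response came back clean, failed in the proxy,
    or failed in the target."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    proxy_error = next((h[n] for n in PROXY_ERROR_HEADERS if n in h), None)
    if status == 200:
        origin = "ok"
    elif proxy_error is not None:  # presence decides; the value may change later
        origin = "proxy"
    else:
        origin = "target"
    return {
        "origin": origin,
        "proxy_error": proxy_error,
        "trace_uid": _trace_uid(h.get("x-vault-trace-uid")),
        "elapsed": {n: _seconds(h.get(n)) for n in ELAPSED_HEADERS},
    }


if __name__ == "__main__":
    # Constructed sample: a 500 raised by the proxy itself.
    sample = {"X-PCI-PROXY-ERROR": "1", "X-VAULT-TRACE-UID": "constructed-trace-0001",
              "X-ELAPSED": "0.412", "X-VAULT-ELAPSED": "0.105"}
    print(classify_response(500, sample))
```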

Service-Specific HTTP Response Headers

The proxy can return non-standard headers specific to your web service responses. Please contact sales@AuricSystems.com to discuss which non-standard HTTP headers you need returned to the target web service.

Example

This curl example shows how to POST a GuestTraction fragment to your web service through the AuvProxy.

#!/bin/bash

# Grab credentials from the environment.
#     ${guestTractionUsername}
#     ${guestTractionPassword}

# Sandbox
url='https://proxy01-sb.auricsystems.com/v1/tokenize/pass/guesttraction/<AccessID>/'

data=$(cat <<EOF
  <?xml version="1.0" encoding="UTF-8"?>
  <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
      <wsse:Security soap:mustUnderstand="1"
             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
        <wsse:UsernameToken>
          <wsse:Username>${guestTractionUsername}</wsse:Username>
          <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">${guestTractionPassword}</wsse:Password>
        </wsse:UsernameToken>
      </wsse:Security>
    </soap:Header>
    <soap:Body>
      <OTA_HotelResNotifRQ
          xmlns="http://www.opentravel.org/OTA/2003/05"
          ResStatus="Commit" Version="1.0"
          TimeStamp="2019-04-30T23:58:02Z"
          EchoToken="15162719_2019.05.01-11.58.02.671KATE04_12496">
        <HotelReservations>
          <HotelReservation
              CreateDateTime="2019-04-30T23:57:34Z"
              ResStatus="Book">
            <ResGlobalInfo>
              <Total
                AmountBeforeTax="194.78"
                AmountAfterTax="224.00"
                CurrencyCode="AUD">
              </Total>
              <Guarantee>
                <GuaranteesAccepted>
                  <GuaranteeAccepted>
                    <PaymentCard
                      CardNumber="41111111111111111"
                      CardType="1"
                      ExpireDate="1229"
                      CardCode="VI">
                      <CardHolderName>xxxx xxxx</CardHolderName>
                    </PaymentCard>
                  </GuaranteeAccepted>
                </GuaranteesAccepted>
              </Guarantee>
            </ResGlobalInfo>
          </HotelReservation>
        </HotelReservations>
      </OTA_HotelResNotifRQ>
    </soap:Body>
  </soap:Envelope>
EOF
)

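# Convert data into a single line: collapse runs of whitespace and trim the ends.
# The variable is quoted so a * or ? in the credentials is not glob-expanded.
one_line=$(printf '%s' "${data}" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//')

curl -vvv \
    "${url}" \
    -d "${one_line}" \
    -H "Content-type: text/xml" \
    -X POST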