It is important for businesses to reduce their scope of security and PCI compliance as much as possible, while maintaining control over their operations.
Your Helcim Account enables you to achieve this by combining the tools made available to all of our merchants.
Reducing Your PCI and Security Scope
We strongly advise that you do not store any sensitive cardholder information, including full credit card numbers and expiry dates. Instead, merchants should use the card-tokenization service built into Helcim Commerce. There are a number of entry-points for credit card data, including the Virtual Terminal, API, Hosted Payment Pages, Customer Portal, Online Store and Helcim.js. When a transaction is successfully processed using any of these entry entry-points, the credit card is automatically stored, tokenized and added to the customer's card-vault. Using the stored card token, you can process a new transaction anytime without needing the original credit card number.
We strongly recommend using the Helcim Commerce API in conjunction with either Helcim.js or our Hosted Payment Pages. While our API does allow for sensitive credit card information to be sent via an API payment request, we instead suggest that the initial credit card transaction be done using those other methods that are outside your own server or application environment. Further transactions can then be processed through the API using the card token, and since no full credit card numbers are passed, your server remains outside the scope of compliance and security.
- STEP 1) Use Helcim.js or the Hosted Payment Pages to tokenize the credit card.
- STEP 2) Use Helcim's API to process further transactions using the card token.
- STEP 3) When adding or updating a credit card, use Helcim.js or the Hosted Payment Pages again.
Using the Card Token
Your server or application should store this card token, as well as the first 4 and last 4 digits of the credit card number. Neither of these fields are considered sensitive cardholder information. When ready to process a new payment, these fields should be sent to the API instead of the credit card number, expiry and CVV fields. The first and last 4 digit is used to ensure that the card you wish to bill is the correct one.
|cardToken||String||Yes||The 23-digit, alpha-numeric credit card token representing the stored credit card information.|
|cardF4L4||Integer||Yes||The first 4 and last 4 digits of the credit card number.|
Customer Card Vault
As part of Helcim's tokenization systems, cards are stored under a customer profile. Each customer has their own "card vault" that can hold as many cards as needed. A default card can be assigned to the customer, letting the system know which card to use when a specific card token is not sent. Cards manually added to the customer card vault can be used through the API, and any cards removed can no longer be used.
When processing a new transaction, the customerCode field can be sent instead of the card token fields, and the system will retrieve the default card assigned to this customer.