The developer toolbox for PCI compliance

PCI Proxy is a solid, yet flexible set of building blocks to craft lean and PCI-compliant payment flows. It takes care of PCI compliance for you, while you build your products.

Suite of Tokenization APIs

Tokenize card data on your website or filter it out of incoming web service traffic.

Universal Token Vault

Store card data for future transactions or temporarily cache it for subsequent requests.

Flexible Card Distribution

Share card data with partners or transact against payment gateways and acquirers.

We engineered Secure Fields — customizable, DOM-injected iframes to capture credit cards across all devices for any payment gateway and qualify for SAQ A at the same time.

A suite of modern tokenization APIs

The only payment form you’ll ever need

PCI Proxy’s Secure Fields decouple card capture from payment processing — purging your need to integrate dozens of hosted payment pages from different gateways. Secure Fields capture all credit cards for any payment gateway with one unified API and fit seamlessly into your existing web forms.

» Secure Fields come with full CSS support and error handling to create nice checkouts in less time.

» With Secure Fields, upgrade legacy front-ends to PCI-compliance in no time with less code.

» Secure Fields get your full stack out of PCI scope to ensure secure payments and eliminate PCI issues.

» The lightweight API transfers our entire PCI knowledge on front-ends directly into your hands.

A Suite of modern Tokenization APIs

Filter and tokenize incoming traffic in real time

PCI Proxy gets your full stack out of PCI scope with just a few lines of extra code. Once added, it filters and tokenizes card data on the fly in any incoming payload — e.g. booking data from channels like Amadeus, Skyscanner, and many more:

     * Payload not listed? New payloads can be added within minutes.

    Reverse Proxy on steroids

    PCI Proxy supports PUSH/PULL communication and consumes everything you’ll ever send over HTTPS (XML, JSON, SOAP, QueryString, etc.). We even have a sophisticated HTTPS-to-VPN or SFTP converter to save you time — just talk to us. With our Whitelabel add-on you can keep your existing API endpoints while your full stack remains out of PCI scope.

    Tokenize on requests

    Receive filtered data via PCI Proxy on unique endpoints (1). Behind every unique endpoint lies a payload-specific filter that controls what data is tokenized and what is passed through directly to your systems untouched. Your partners can push requests containing sensitive data to this endpoint.

      -H 'Content-Type: application/json'
      -d '{
            "foo": "bar",
            "card_number": "4242424242424242",
            "cvv": "999"
          }'

    Tokenize on responses

    Receive filtered data via PCI Proxy (e.g. reservation data) by routing your original request via the PCI Proxy pull API (1). Simply add your credentials (2,3) and include the original endpoint (4). PCI Proxy sends the payload to the original endpoint on your behalf. The response runs through a payload-specific filter dictating what data is tokenized and what is left untouched.

      -H "X-CC-MERCHANT-ID: 1000011011"
      -H "X-CC-SIGN: 30916165706580013"
      -H "X-CC-URL:"
      -H "Content-Type: text/xml"
      -d '<?xml version="1.0" encoding="UTF-8"?>

    Universal Token Vault

    Store credit cards in a payment-gateway-agnostic way


    Working with more than one payment gateway can be hard as you have to deal with different token formats. Our universal token format allows you to distribute payment data freely across gateways to prevent vendor lock-ins and build automatic payment failover.

    Payment failover

    One single token format allows you to distribute payment data across gateways.

    Token by design

    Tokens retain characteristics of card data to allow customer recognition.

    Secure storage in Switzerland

    Sensitive data is protected by military-grade crypto-processors on PCI Level 1.

    Flexible Card Distribution

    Distribute stored cards with full flexibility

    Share with PCI-compliant Endpoints

    Distribute stored payment data to any PCI-compliant API endpoint, e.g. Expedia, Amadeus, Sabre, etc.

    Transact with Payment Gateways

    Transact or share stored payment data directly with any payment gateway API, e.g. Stripe, Adyen, etc.

       * API not listed? New API payloads can be added within minutes.

      Simple, powerful payment distribution

      Build your request (e.g. Stripe Create Token, etc.), send it to PCI Proxy PULL API (1), add your credentials (3,4) and include a token (6). PCI Proxy automatically populates the payload with card data and forwards it to Stripe (2).

       -H 'X-CC-URL:' 
       -H 'X-CC-MERCHANT-ID: 1000011011' 
       -H 'X-CC-SIGN: 30916165706580013' 
       -u sk_test_BQokikJOvBiI2HlWgH4olfQ2: 
       -d 'card[number]=424242SKMPRI4242' 
       -d 'card[exp_month]=12' 
       -d 'card[exp_year]=2018' 

      Charge directly against acquiring banks and cut the middleman

      Our scalable PCI infrastructure allows you to connect to 20+ merchant acquirers with one API. Let your customers switch acquirers in minutes, not months.

      Perfect for platforms and service providers

      We believe in competition and allow you to choose freely among various acquiring banks to achieve the best price possible. With PCI Proxy Charge you can keep acquirer setups or switch for better conditions without writing extra code. Charge a card in a single, unified API call. The payment is processed against your configured merchant account.

      Understanding the benefits

      A payment gateway allows you to charge a customer’s credit card for a purchase made online, similar to a physical point-of-sale terminal. The payment gateway sends payment data to the payment processor, the financial institution that sends transaction details to your merchant account. The merchant account is essentially an online bank account that temporarily holds the merchant’s money until it is moved into the merchant’s actual bank account. There are two types of merchant accounts. Acquirers such as SIX, Ingenico, etc. provide a dedicated merchant account, which allows you to negotiate custom rates (%) and payout cycles for your sales. Payment gateways such as Stripe, Braintree, etc. offer aggregated merchant accounts, where your money is pooled with that of other companies and rates and payout cycles cannot be negotiated. While an aggregated merchant account simplifies onboarding when you are small, it limits your choice later, when you are big enough to receive better % rates on your payments. That is why larger merchants try to save money by getting their own merchant account.

      See single credit card — PCI-compliant

      Our purpose-built Show API allows authorized users to see full stored cards. A manual de-tokenizer iframe gives authorized users the opportunity to retrieve single credit cards in a PCI-compliant way.

      Show API comes with language support, event listeners and customization options. 

      Check stored card validity

      Stored cards are often used to guarantee a service — PCI Proxy allows you to instantly verify at any time if a stored credit card is still valid with the Credit Card Checks add-on.

      With a single API call, you can check the validity of a stored credit card. If the check succeeds, you can assume that the credit card is valid. If not, just contact your customer and ask for clarification.

      Verify credit card validity

      Check if a stored card is still valid and can be used to charge a card or guarantee a service.

      Reliable and without statement notice

      We check against VISA & MC network without showing up on a consumer bank statement.

      Frequently Asked Questions

      What PCI Level do I possess with PCI Proxy?
      Your PCI scope is the lowest possible, allowing you to fill out the easiest Self Assessment Questionnaire A. However, you are entitled to show our PCI DSS Level 1 certificate (Attestation of Compliance) to your partners.

      What does the token format look like?
      We support different token formats to keep your system changes as small as possible. Our most used token format is 4242 42AB CDEF 4242, which contains the first 6 and last 4 digits of the actual card number and keeps the length of the credit card number.

      I’m PCI certified – Can I still use your storage vault?
      Yes, if you are PCI certified and just want to store your sensitive card data in our secure vaults in Switzerland, you can connect via our XML Alias Gateway API to tokenize on the fly.

      I want to do a PCI audit – How can PCI Proxy help?
      If you are planning to be certified by a PCI auditor, PCI Proxy can provide the PCI infrastructure to you. As a service provider, it will reduce your SAQ D or On-Site audit tremendously. Contact us for details.
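
The payload filtering described under "Tokenize on requests" and the token format from the FAQ, as an added sketch that is not PCI Proxy's own code. `ToyVault`, `filter_payload` and `residual_pans` are hypothetical names, the letters-only CVV token is an assumption, and the sample payload is constructed from the page's curl fragment.

```python
import json
import re
import secrets
import string

PAN_RE = re.compile(r"\b\d{13,19}\b")      # candidate card numbers in text
SENSITIVE_KEYS = {"card_number", "cvv"}    # field names from the sample payload

def luhn_ok(digits):  # Luhn checksum separates real PANs from other digit runs
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _letters(n):
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(n))

class ToyVault:
    """In-memory stand-in for the token vault (hypothetical, illustration only)."""
    def __init__(self):
        self._store = {}
    def tokenize(self, key, value):
        digits = re.sub(r"[ -]", "", value)
        if key == "card_number":
            # Keep first 6 / last 4 and the length; letters replace the middle.
            token = digits[:6] + _letters(len(digits) - 10) + digits[-4:]
        else:
            token = _letters(12)           # assumed opaque format for the CVV
        self._store[token] = digits
        return token
    def detokenize(self, token):
        return self._store[token]

def filter_payload(raw, vault):
    """Tokenize sensitive fields at any depth; pass everything else through."""
    def walk(node):
        if isinstance(node, dict):
            return {k: vault.tokenize(k, v) if k in SENSITIVE_KEYS and isinstance(v, str)
                    else walk(v) for k, v in node.items()}
        if isinstance(node, list):
            return [walk(item) for item in node]
        return node
    return json.dumps(walk(json.loads(raw)))

def residual_pans(text):  # digit runs that still pass as card numbers
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]

SAMPLE = '{"foo": "bar", "card_number": "4242424242424242", "cvv": "999"}'  # constructed
```

Running `residual_pans` over whatever reaches your own systems is a cheap scope check: a letter-bearing token can never match the digit-run pattern, so any hit means a field slipped past the filter.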

      Ready to simplify your PCI compliance?

      Contact us for your free developer account.