The developer toolbox for PCI compliance

PCI Proxy is a solid, yet flexible set of building blocks to craft lean and PCI-compliant payment flows. It takes care of PCI compliance for you, while you build your products.

The Inline Mode decouples card capture from authorization and settlement, rendering the ugly payment pages of your payment providers completely redundant.

A suite of modern tokenization APIs

Build beautiful, agile PCI-compliant front-ends


We set out to get rid of ugly hosted payment pages that often don’t fit within a merchant’s beautiful front-end and engineered the new Inline Mode: customizable, DOM-injected iframes that capture cards across all devices and qualify for SAQ A at the same time.

» Inline Mode comes with full CSS support and error handling to create nice checkouts in less time.

» With Inline Mode, upgrade legacy front-ends to PCI-compliance in no time with less code.

» Inline Mode gets your full stack out of PCI scope to ensure secure payments and eliminate PCI issues.

» The lightweight API transfers our entire PCI knowledge on front-ends directly into your hands.

A Suite of modern Tokenization APIs

Upgrade connected APIs with PCI-compliance in no time.

PCI Proxy gets your full stack out of PCI scope with just a few lines of extra code. Once added, it filters and tokenizes card data on-the-fly on any incoming payloads — e.g. booking data from channels like Booking.com, Expedia or Tripadvisor, and many more.

PCI Proxy supports PUSH/PULL communication and consumes everything you’ll ever send over HTTPS (XML, JSON, SOAP, QueryString, etc.). We even have a sophisticated HTTPS to VPN or SFTP converter to save you time; just talk to us. With our Whitelabel add-on you can keep your existing API endpoints (api.your-domain.com) while your full stack remains out of PCI scope.

# Request sent through the PCI Proxy PULL endpoint; X-CC-URL names the upstream endpoint it is forwarded to.
curl https://sandbox.pci-proxy.com/v1/pull \
-H "X-CC-URL: https://pciproxy.mockable.io/secure-supply-xml-booking-com" \
-H "X-CC-MERCHANT-ID: 1000011011" \
-H "X-CC-SIGN: 30916165706580013" \
-H "Content-Type: text/xml" \
-d '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<request>
<username>pci-proxy</username>
<password>xGdk1Pco8</password>
<hotel_id>181337</hotel_id>
<id>731337</id>
</request>'

# The same request sent directly to the upstream endpoint, without PCI Proxy.
curl https://pciproxy.mockable.io/secure-supply-xml-booking-com \
-H "Content-Type: text/xml" \
-d '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<request>
<username>pci-proxy</username>
<password>xGdk1Pco8</password>
<hotel_id>181337</hotel_id>
<id>731337</id>
</request>'

Universal Token Vault

Store credit cards in a payment-gateway-agnostic way

ALL CREDIT CARDS SUPPORTED

Working with more than one payment gateway can be hard as you have to deal with different token formats. Our universal token format allows you to distribute payment data freely across gateways to prevent vendor lock-ins and build automatic payment failover.

Payment failover

One single token format allows you to distribute payment data across gateways.

Token by design

Tokens retain characteristics of card data to allow customer recognition.

Secure storage in Switzerland

Sensitive data is protected by military-grade crypto-processors on PCI Level 1.

Flexible Card Distribution

Distribute stored cards with full flexibility

Share with PCI-compliant Endpoints

Distribute stored payment data to any PCI-compliant API endpoint, e.g. Expedia, Amadeus, Sabre, etc.

Transact with Payment Gateways

Transact or share stored payment data directly with any payment gateway API, e.g. Stripe, Authorize.net, Adyen, etc.

Simple, powerful payment distribution

Build your request (e.g. Stripe Create Token), send it to the PCI Proxy PULL API (1), add your credentials (3,4) and include a token (6). PCI Proxy automatically populates the payload with card data and forwards it to Stripe (2). The numbers in parentheses refer to the lines of the request below.

curl https://sandbox.pci-proxy.com/v1/pull \
 -H 'X-CC-URL: https://api.stripe.com/v1/tokens' \
 -H 'X-CC-MERCHANT-ID: 1000011011' \
 -H 'X-CC-SIGN: 30916165706580013' \
 -u sk_test_BQokikJOvBiI2HlWgH4olfQ2: \
 -d 'card[number]=424242SKMPRI4242' \
 -d 'card[exp_month]=12' \
 -d 'card[exp_year]=2018'

Charge directly against acquiring banks and cut the middleman

Our scalable PCI infrastructure allows you to connect to 30+ merchant acquirers with one API. Let your customers switch acquirers in minutes, not months.

Perfect for platforms and service providers

We believe in competition and allow you to choose freely among various acquiring banks to achieve the best price possible. With PCI Proxy Charge you can keep acquirer setups or switch for better conditions without writing extra code. Charge a card in a single, unified API call. The payment is processed against your configured merchant account.

Understanding the benefits

A payment gateway allows you to charge a customer’s credit card for a purchase they make online, similar to a physical point of sale terminal. The payment gateway sends payment data to the payment processor, which is the financial institution that sends transaction details to your merchant account.

The merchant account is basically an online bank account that will temporarily hold the merchants’ money until it is moved into the merchants’ actual bank account.

There are two different types of merchant accounts. Acquirers such as SIX, Ingenico, Authorize.net, etc. will get you a dedicated merchant account, which allows you to negotiate custom rates (%) and payout cycles for your sales. Payment gateways such as Stripe, Braintree, etc. offer aggregated merchant accounts, where your money gets dropped in a pool with other companies; these don’t allow rate or payout cycle negotiations.

While an aggregated merchant account simplifies your onboarding when you are small, it will limit your choice later when you are big enough to receive better % rates on your payments. That is why larger merchants try to save money by getting their own merchant account.

See single credit card — PCI-compliant

Our purpose-built Show API allows authorized users to see full stored cards. A manual de-tokenizer iframe gives authorized users the opportunity to retrieve single credit cards in a PCI-compliant way.

Show API comes with language support, event listeners and customization options. 

Check stored card validity

Stored cards are often used to guarantee a service — PCI Proxy allows you to instantly verify at any time if a stored credit card is still valid with the Credit Card Checks add-on.


With a single API call, you can check the validity of a stored credit card. If successful, you can assume that the credit card is valid. If not, just contact your customer and ask for clarification.

Verify credit card validity

Check if a stored card is still valid and can be used to charge a card or guarantee a service.

Reliable and without statement notice

We check against VISA & MC network without showing up on a consumer bank statement.

Frequently Asked Questions

What PCI Level do I possess with PCI Proxy?
Your PCI scope is the lowest possible, allowing you to fill out the easiest Self Assessment Questionnaire A. However, you are entitled to show our PCI DSS Level 1 certificate (Attestation of Compliance) to your partners.

What does the token format look like?
We support different token formats to keep your system changes as low as possible. Our most used token format is 4242 42AB CDEF 4242, which contains the first 6 and last 4 digits of the actual card number and keeps the length of the credit card number.

I’m PCI certified – Can I still use your storage vault?
Yes, if you are PCI certified and just want to store your sensitive card data in our secure vaults in Switzerland, you can connect via our XML Alias Gateway API to tokenize on-the-fly.

I want to do a PCI audit – How can PCI Proxy help?
If you are planning to be certified by a PCI auditor, PCI Proxy can provide the PCI infrastructure to you. As a service provider, it will reduce your SAQ D or On-Site audit tremendously. Contact us for details.
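
An added example (not PCI Proxy code): a check to run over payloads or logs in your own stack, confirming that card fields carry only tokens in the format described above (first 6 and last 4 digits kept, letters in between, same length) and never a Luhn-valid raw card number. The regular expression, function names and sample payloads are assumptions constructed for illustration; other PCI Proxy token formats are not covered.

```python
import re

# First 6 digits, 3-9 middle characters, last 4 digits (13-19 in total),
# optionally grouped with single spaces or dashes. Assumed shape, see lead-in.
CARD_LIKE = re.compile(
    r"(?<![0-9A-Za-z])(?:[0-9][ -]?){6}(?:[0-9A-Z][ -]?){3,9}"
    r"(?:[0-9][ -]?){3}[0-9](?![0-9A-Za-z])"
)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str) -> str:
    """Return 'raw_pan', 'token' or 'other' for one card-like string."""
    compact = re.sub(r"[ -]", "", value)
    if compact.isdigit():
        return "raw_pan" if luhn_ok(compact) else "other"
    if compact[6:-4].isalpha():
        return "token"  # digits survive only in the first 6 / last 4
    return "other"

def scan(payload: str) -> list[tuple[str, str]]:
    """List (kind, masked value) for every raw PAN or token in payload."""
    findings = []
    for match in CARD_LIKE.finditer(payload):
        kind = classify(match.group(0))
        if kind != "other":
            compact = re.sub(r"[ -]", "", match.group(0))
            # Never echo a full value into a report or log line.
            masked = compact[:6] + "*" * (len(compact) - 10) + compact[-4:]
            findings.append((kind, masked))
    return findings

# Constructed sample payloads (not captured traffic).
TOKENIZED = "card[number]=424242SKMPRI4242&card[exp_month]=12"
LEAKING = "<booking><id>731337</id><cc>4242 4242 4242 4242</cc></booking>"

if __name__ == "__main__":
    for name, body in (("tokenized", TOKENIZED), ("leaking", LEAKING)):
        print(name, scan(body))
```

Any `raw_pan` finding means card data reached a component that was meant to see tokens only. Long numeric identifiers that happen to pass the Luhn check will also be flagged and need manual review.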

Ready to simplify your PCI compliance? Contact us for your free developer account.