Hosted PCI FAQ

No, hostedPCI is not a payment gateway, we work with many payment gateways in order to facilitate payment processing. The complete updated list is available at www.hostedpci.com. HostedPCI acts like a
proxy to the payment gateway in order to inject real credit card data in the place credit card tokens.
Our list of supported payment gateways is always growing. Check here to see our list of supported
payment processors and gateways. 
Within HostedPCI, a credit card token is a number that looks like a credit card number but is not actually a real credit card. The first four and last four digits of a credit card token match those of a real
credit card; however the middle eight digits do not match. If a token is exposed or lands in the wrong hands, there is no way to get back to the real credit card number from the token itself. 
HostedPCI is focused on only 1 goal: Credit Card Security. We provide our customers with the cloud based tools required to capture, store and process payments securely, with 100% PCI compliance. We do all of this while taking on the liability for any credit card security breach. 
In general HostedPCI can work with any ecommerce shopping cart. We have a simple IFRAME plugin module that can be implemented quickly. We have pre-built integrations with Magento, Drupal Commerce and
have API’s available for Java, C#/.Net, PHP, Web Services and any system that can make an HTTPS call. 
If you are using a pre-integrated shopping cart solution like Magento, the integration process is simple. We will provide you with a Module and installation instructions that will include some configuration steps. For
more complex environments, we offer a complete front-end and web services API that can be used in programming languages such as Java, .net, PHP, Ruby on Rails, etc. Contact us to get our API documentation. 
The HostedPCI IFRAME works with all modern browsers including Internet Explorer 6 and above, Firefox 3 and above along with most versions of Safari, Opera and Chrome. 
Absolutely not. If you are processing credit cards currently, the customer experience will remain exactly the same. 
There is not a specific mobile application however the HostedPCI IFRAME works well across all platforms including iPhone/IOS and Android browsers.  
Absolutely, this is one of the major benefits of using HostedPCI to perform your credit card tokenization. You are not locked into a payment gateway, processor or tokenization scheme to HostedPCI. Your
payment gateway credentials can be switched on the fly, without loss of data or transaction processing. 
Yes, if you are currently using your payment gateway for fraud detection services, those functions will still be available to you. If you would like to enhance your fraud systems, give us a call and we will discuss pre-integrated options available. 
Your refund process should not change, the HostedPCI API allows for authorization, sale, credit and void operations. Your application will be able to submit these transactions using Credit Card Tokens or a previously obtained authorization code. 
Yes, absolutely because our tokens look like credit cards, they can be stored freely in the shopping cart or e-commerce database. Simply mask out the 8 middle digits of the token and allow the customer to choose
the preferred card to make payment. The token will be converted by HostedPCI at the time of Authorization or Sale. This is a best practice that will greatly enhance the consumer experience. 
Yes, the credit card token can be used multiple times to charge the real credit card on a monthly basis, for example. Re-occurring billing can be implemented easily with HostedPCI. 
Absolutely, Hosted PCI has been Level 1 PCI Compliant for 5 years. You can find us on the Visa list
here: Visa’s Global Registry of Service Providers – PCI DSS Validated Entities 
You could, but… do you want to send your hard earned customers somewhere else to enter their credit card information? Did you know that the final step of checkout is the place where you can potentially lose the most customers? This is what we call shopping cart abandonment, and it’s a huge problem for online retailers. The HostedPCI solution was designed to allow merchants to keep their customers in their checkout, giving merchants total flexibility. 
Where do we start, most payment vaults and tokenization solutions only cover the secure storage requirements for PCI compliance. The credit card data still has to be collected by your system, and that means your system is in scope for PCI compliance. We estimate that storing credit cards securely only covers 25% of the PCI Data Security Standard. That means you will still have to deal with 75% of the problem. Also, once you start using a payment vault, you are tied to that tokenization solution and the gateway providing it. HostedPCI is gateway neutral, which means you are not tied down. Nobody wants to be tied down. 
You certainly can obtain PCI compliance yourself, but it’s a big deal. Ask folks that have gone through it (we have many times). Information Technology professionals will tell you that obtaining PCI compliance is no easy task. There are over 200 questions in the SAQ (Self Assessment Questionnaire). Each question must be answered in the affirmative (yes) to achieve PCI compliance. 
Technically no, we handle all of that for you. However, it might be a good idea to perform the scan anyway to be sure that there are no vulnerabilities on your website that could cause a nuisance (like
downtime). 

You will need to do the following things:

  • Get a Merchant Account from your bank or Financial Institution
  • Chose a Payment Gateway that you want to work with (we can recommend one based on your business)
  • Link you payment gateway to HostedPCI
  • Install the HostedPCI Module and test
  • You are done!

If you are not sure about these steps, don’t worry we can walk you through the process. Contact Us to get more details.

You must obtain PCI compliance once every year. If you are using our service, we will provide you with an updated AOC (Attestation of Compliance) annually. 
If you don’t use a service like HostedPCI and a breach occurs on your website or in your environment, your financial institution will initiate a forensic audit. At that point, specialists will be assigned to investigate your breach and look at your PCI compliance process. If for whatever reason, you are not totally PCI compliant; your business is liable for the security breach. This could mean fines anywhere from $100 to $300 for every credit card that is stolen / breached from your system. This is the risk that HostedPCI removes for our customers. 
We currently guarantee an uptime of 99.9% 
Yes, when you get started with HostedPCI you will be provided with a 24×7 technical contact email and phone number.Yes, when you start working with our solution, you will be given access to both Staging/QA and Production sites. The staging site can be used when making modifications to your site so that real transactions are not at risk. 
Yes, our tokens are universal meaning they can be used across all of the payment processor that we work with. 
The information needed to integrate with a payment gateway is different depending on the gateway being used. Please visit our gateway page to determine what information is required for integration.
No, if you have clients that accept separate credit cards and need separate tokens our HostedPCI vault can store multiple different profiles, 1 for each client. This allows clients to use different payment gateways and currencies if they choose to.
No, our HostedPCI vault allows clients to separate their customers based on gateway, country or currency. This is done by creating different profiles within our vault depending on your business needs.
The CVV number is required for fraud purposes, but is not mandatory for credit card processing. In order to disable the CVV you need to call you gateway for assist they can disable the CVV for reoccurring payments.
No, based on the PCI DSS standards companies are not allowed to store CVV codes permanently . HostedPCI only stores the CVV number for 20mins in short term memory, this allows for the first transaction to be processed with the CVV.
Yes, the same token can be used for both transaction since your account will be connect to the same vault where all credit cards are stored. You will have to make 2 different API calls one for each transaction however the same token can be used for both transactions
When you are ready to proceed with our services we will set you up with a staging and live account with the credentials of your current payment gateway. Once we have the payment gateway credentials we will set up 2 different profiles, 1 for staging and 1 for live.
This typically depends on the payment processor that the client is using. Some processors allow for partial captures, so if you made an auth transaction for $100, you could do a partial capture for $30 and then another partial capture for $70, a third time is not going to work because you used all the allocated funds. But again, it depend on the payment processor, they may or may not allow partial capture.Most processors these days limit you by the original transaction, so if you did an auth or sale for $100, that’s the only amount you have access to. If you made a sale for $100, you cannot do credit for $200.Those are actually post 9/11 rules to prevent transferring funds to terror organizations.