Hosted PCI FAQ
Is HostedPCI a Payment Processor or Gateway?
No, HostedPCI is not a payment gateway. We work with many payment gateways to facilitate payment processing. The complete updated list is available at www.hostedpci.com. HostedPCI acts like a proxy to the payment gateway to inject real credit card data in place of credit card tokens.
What is a Credit Card Token?
Within HostedPCI, a credit card token is a number that looks like a credit card number but is not actually a real credit card. The first four and last four digits of a credit card token match those of a real credit card; however, the middle eight digits do not match. If a token is exposed or lands in the wrong hands, there is no way to get back to the real credit card number from the token itself.
What core services does HostedPCI offer?
HostedPCI is focused on only 1 goal: Credit Card Security. We provide our customers with the cloud-based tools required to capture, store, and process payments securely, with 100% PCI compliance. We do all of this while taking on the liability for any credit card security breach.
What e-Commerce system/shopping carts does HostedPCI work with?
In general, HostedPCI can work with any e-commerce shopping cart. We have a simple IFRAME plugin module that can be implemented quickly. We have pre-built integrations with Magento and Drupal Commerce, and have APIs available for Java, C#/.Net, PHP, Web Services, and any system that can make an HTTPS call.
How is HostedPCI integrated to my shopping cart / e-Commerce environment?
If you are using a pre-integrated shopping cart solution like Magento, the integration process is simple. We will provide you with a Module and installation instructions that will include some configuration steps. For more complex environments, we offer a complete front-end and web services API that can be used in programming languages such as Java, .NET, PHP, Ruby on Rails, etc. Contact us to get our API documentation.
What browsers are compatible with the HostedPCI iFrame solution?
The HostedPCI IFRAME works with all modern browsers including Internet Explorer 6 and above, Firefox 3 and above along with most versions of Safari, Opera, and Chrome.
Do my customers see any change on their credit card statement?
Absolutely not. If you are processing credit cards currently, the customer experience will remain the same.
Does HostedPCI have an Interface for mobile applications?
There is not a specific mobile application; however, the HostedPCI iFrame works well across all platforms, including iPhone/iOS and Android browsers.
Can I switch payment processors if I work with HostedPCI?
Absolutely, this is one of the major benefits of using HostedPCI to perform your credit card tokenization. With HostedPCI, you are not locked into a payment gateway, processor, or tokenization scheme. Your payment gateway credentials can be switched on the fly, without loss of data or transaction processing.
Can I use my existing fraud protection system for AVS and other fraud checks?
Yes, if you are currently using your payment gateway for fraud detection services, those functions will still be available to you. If you would like to enhance your fraud systems, give us a call and we will discuss pre-integrated options available.
How do refunds work?
Your refund process should not change; the HostedPCI API allows for authorization, sale, credit, and void operations. Your application will be able to submit these transactions using Credit Card Tokens or a previously obtained authorization code.
Can customers have multiple stored credit cards using HostedPCI?
Yes, absolutely. Because our tokens look like credit cards, they can be stored freely in the shopping cart or e-commerce database. Simply mask out the 8 middle digits of the token and allow the customer to choose the preferred card to make payment. The token will be converted by HostedPCI at the time of Authorization or Sale. This is a best practice that will greatly enhance the consumer experience.
Can I perform recurring billing using HostedPCI?
Yes, the credit card token can be used multiple times to charge the real credit card, every month for example. Recurring billing can be implemented easily with HostedPCI.
Is HostedPCI on the Visa PCI DSS service provider list?
HostedPCI has been Level 1 PCI Compliant for 5 years. You can find us on the Visa list here: Visa’s Global Registry of Service Providers – PCI DSS Validated Entities
Why Can’t I Just Use PayPal or a 3rd Party Hosted Checkout Page?
You could, but… do you want to send your hard-earned customers somewhere else to enter their credit card information? Did you know that the final step of checkout is the place where you can potentially lose the most customers? This is what we call shopping cart abandonment, and it’s a huge problem for online retailers. The HostedPCI solution was designed to allow merchants to keep their customers in their checkout, giving merchants total flexibility.
My Payment gateway is Offering me tokenization, Why Should I Use HostedPCI?
Where do we start? Most payment vaults and tokenization solutions only cover the secure storage requirements for PCI compliance. The credit card data still has to be collected by your system, and that means your system is in scope for PCI compliance. We estimate that storing credit cards securely only covers 25% of the PCI Data Security Standard. That means you will still have to deal with 75% of the problem. Also, once you start using a payment vault, you are tied to that tokenization solution and the gateway providing it. HostedPCI is gateway neutral, which means you are not tied down. Nobody wants to be tied down.
Is PCI Compliance a Big Deal? Can’t I Just Do it Myself?
You certainly can obtain PCI compliance yourself, but it’s a big deal. Ask folks that have gone through it (we have many times). Information Technology professionals will tell you that obtaining PCI compliance is no easy task. There are over 200 questions in the SAQ (Self Assessment Questionnaire). Each question must be answered in the affirmative (yes) to achieve PCI compliance.
Do I Still Need to Go Through a Network Vulnerability Scan if I Use HostedPCI?
Technically no, we handle all of that for you. However, it might be a good idea to perform the scan anyway to be sure that there are no vulnerabilities on your website that could cause a nuisance (like
What do I need to get Started With Processing Payments Online?
You will need to do the following things:
- Get a Merchant Account from your Bank or Financial Institution
- Choose a Payment Gateway that you want to work with (we can recommend one based on your business)
- Link your payment gateway to HostedPCI
- Install the HostedPCI Module and test
- You are done!
If you are not sure about these steps, don’t worry, we can walk you through the process. Contact Us to get more details.
How often do I Have to obtain PCI compliance?
You must obtain PCI compliance once every year. If you are using our service, we will provide you with an updated AOC (Attestation of Compliance) annually.
What happens if I obtain PCI Compliance Myself and a Breach Occurs?
If you don’t use a service like HostedPCI and a breach occurs on your website or in your environment, your financial institution will initiate a forensic audit. At that point, specialists will be assigned to investigate your breach and look at your PCI compliance process. If, for whatever reason, you are not totally PCI compliant, your business is liable for the security breach. This could mean fines anywhere from $100 to $300 for every credit card that is stolen/breached from your system. This is the risk that HostedPCI removes for our customers.
What Is Your Uptime Guarantee (Service Level Agreement)?
We currently guarantee an uptime of 99.9%
Does HostedPCI have 24x7 technical support?
Yes, when you get started with HostedPCI you will be provided with a 24×7 technical contact email and phone number.
Does HostedPCI Provide both staging and production environments?
Yes, when you start working with our solution, you will be given access to both Staging/QA and Production sites. The staging site can be used when making modifications to your site so that real transactions are not at risk.
Can we still use our stored tokens if we switch to a different payment processor?
Yes, our tokens are universal, meaning they can be used across all of the payment processors that we work with.
What information do I need to provide HostedPCI in order to set up the payment gateway?
The information needed to integrate with a payment gateway is different depending on the gateway being used. Please visit our gateway page to determine what information is required for integration.
When opening an account with HostedPCI and I support multiple different clients will all the credit cards be stored together?
No, if you have clients that accept separate credit cards and need separate tokens, our HostedPCI vault can store multiple different profiles, 1 for each client. This allows clients to use different payment gateways and currencies if they choose to.
When opening an account with HostedPCI and I support multiple different clients, will all the credit cards be stored together?
No, our HostedPCI vault allows clients to separate their customers based on gateway, country or currency. This is done by creating different profiles within our vault depending on your business needs.
Is the CVV number required for all transactions?
The CVV number is required for fraud purposes but is not mandatory for credit card processing. In order to disable the CVV, you need to call your gateway for assistance and they can disable the CVV for recurring payments.
Does HostedPCI provide tokens for CVV?
No, based on the PCI DSS standards, companies are not allowed to store CVV codes permanently. HostedPCI only stores the CVV number for 20 mins in short-term memory; this allows for the first transaction to be processed with the CVV.
If our vendor’s customers want to purchase items from 2 different vendors that are using 2 different payment gateways can we use the same token for each transaction?
Yes, the same token can be used for both transactions since your account will be connected to the same vault where all credit cards are stored. You will have to make 2 different API calls, one for each transaction; however, the same token can be used for both transactions.
Once ready how do we complete an end to end test with a real payment gateway?
When you are ready to proceed with our services we will set you up with a staging and live account with the credentials of your current payment gateway. Once we have the payment gateway credentials we will set up 2 different profiles, 1 for staging and 1 for live.
How many times can we do a capture after a single auth?
This typically depends on the payment processor that the client is using. Some processors allow for partial captures, so if you made an auth transaction for $100, you could do a partial capture for $30 and then another partial capture for $70; a third capture is not going to work because you have used all the allocated funds. But again, it depends on the payment processor; they may or may not allow partial capture. Most processors these days limit you by the original transaction, so if you did an auth or sale for $100, that’s the only amount you have access to. If you made a sale for $100, you cannot do a credit for $200. Those are actually post-9/11 rules to prevent transferring funds to terror organizations.
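A merchant-side pre-check for the limits described above, as an added example that is not HostedPCI's code or API. The class and method names are hypothetical, and it assumes a processor that allows partial captures and caps follow-up transactions at the original amount.

```python
class LimitExceeded(Exception):
    """Raised when a follow-up transaction exceeds what is left of the original."""


class TransactionLedger:
    """Tracks the funds still available against one original auth or sale.

    Hypothetical helper. Amounts are integer cents so that repeated partial
    captures never drift through floating-point rounding.
    """

    def __init__(self, kind, amount_cents):
        if kind not in ("auth", "sale"):
            raise ValueError("kind must be 'auth' or 'sale'")
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            raise ValueError("amount must be a positive integer of cents")
        self.kind = kind
        self.original = amount_cents
        self.used = 0  # captured so far (auth) or credited so far (sale)

    @property
    def remaining(self):
        return self.original - self.used

    def _apply(self, amount_cents, allowed_kind, action):
        if self.kind != allowed_kind:
            raise ValueError(f"{action} is not valid against a {self.kind}")
        if not isinstance(amount_cents, int) or amount_cents <= 0:
            raise ValueError("amount must be a positive integer of cents")
        if amount_cents > self.remaining:
            # Reject locally instead of sending a call the processor will decline.
            raise LimitExceeded(
                f"{action} of {amount_cents} exceeds remaining {self.remaining}")
        self.used += amount_cents
        return self.remaining

    def capture(self, amount_cents):
        """Partial or full capture against an auth; returns cents remaining."""
        return self._apply(amount_cents, "auth", "capture")

    def credit(self, amount_cents):
        """Partial or full credit against a sale; returns cents remaining."""
        return self._apply(amount_cents, "sale", "credit")
```

Persist the ledger state alongside the stored authorization code so the check survives restarts and concurrent workers see the same remaining balance.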