API / iFrame Implementation

Encryption, simply put, is taking a known piece of data and locking it up so that the data can only be retrieved with a key. In more technical terms, encryption uses an algorithm and a key to take the data and make it unreadable. Of course, this key must be controlled, typically called key management, to keep the data safe. If your data is “123,” and you encrypt the data with key “ABC,” resulting in “98zy65x,” and protect the key properly, all an attacker will be able to see is 98zy65x, which is useless to them.

Encryption, simply put, is taking a known piece of data and locking it up so that the data can only be retrieved with a key. In more technical terms, encryption uses an algorithm and a key to take the data and make it unreadable. Of course, this key must be controlled, typically called key management, to keep the data safe. If your data is “123,” and you encrypt the data with key “ABC,” resulting in “98zy65x,” and protect the key properly, all an attacker will be able to see is 98zy65x, which is useless to them.

The use of an iFrame allows ShieldConex customers to outsource the capturing of sensitive data, in a scenario where the end-user sends its data directly to Bluefin for tokenization without traversing the customer’s production systems. This allows for greater scope (and therefore risk) reduction of the Page customer environment as no sensitive data is ever handled by those front-end systems in terms of transmission, processing or storage. The responsibility for the capture and encryption of this data rests with Bluefin as a Tokenization Service Provider.

The use of iFrame Forms in the capture of data means that once the end-user enters the data to a data capture form, the sensitive data is sent directly to Bluefin’s servers for tokenization and only the tokenized data need be received by the partner. This removes the transmission, processing and storage of the sensitive data elements from the partner environment and Bluefin effectively acts as a tokenization service provider without the need to store its own copy of the tokenized data. Neither the partner organization nor Bluefin possesses the original clear text data.

The iFrame is specifically intended to capture  data entered by a person into a web form. Typically, when PCI data is captured on a website, this brings the site into PCI scope, requiring additional work to make it PCI DSS compliant. With the iFrame, Bluefin hosts the data capture and is responsible for maintaining a PCI DSS compliant site, thereby reducing the time and effort required to implement PCI data capture.

If you’re capturing data in a web form, but have strict controls and requirements for the user interface, then API tokenization allows you to maintain full control over the user interface. However, the additional overhead of maintaining compliance should be considered.

If you need to tokenize data that is not being manually entered, then API tokenization is the right solution for you.

ShieldConex is a “vaultless” token solution, so the actual data is never stored in a “vault” or database. Secured data can be unmasked at any time by calling the ShieldConex service using your assigned API key

ShieldConex is an entirely cloud-based product that leverages APIs and secure iFrames configured through our ShieldConex Manager administration portal. Bluefin will provide access to the ShieldConex APIs, login credentials to ShieldConex Manager, and online integration documentation. We also provide integration assistance as needed to get your organization live with ShieldConex in a timely and successful manner.