PCI compliance is hard. Hard, expensive and time-consuming. Third-party subscription and billing vendors have attempted to remove as much of the burden of PCI compliance from their customers as possible, but one barrier remains – any business that wants to allow customers to enter their credit card details on their own site, and in familiar surroundings, still has a PCI burden because of the credit card details entered into their site. In an effort to remedy ulcers and late nights for vendors (or their PCI compliance people at least), Vindicia (see disclosure) has decided to do something about it.

They’ve today announced their Hosted Order Automation (HOA) capabilities. By using HOA, online merchants are able to completely offload PCI compliance to Vindicia while maintaining control over their customers’ buying experience. HOA allows merchants to accept credit cards on their own order pages without ever touching a credit card and subjecting themselves to PCI regulations.

What HOA does (beyond the press release hype) is create a secure tunnel between a field within a vendor’s credit card form and Vindicia’s own servers. In effect, when a customer enters their credit card number, they are doing so within a Vindicia form field, but on the vendor’s own page. HOA requires only a code snippet within the page, so existing customization and styling are retained and customers have a seamless on-site experience. The transaction progresses like this:

  1. Consumers visit the vendor’s website and want to make a purchase or update their payment method. As they request the page, a call is made to CashBox that contains the function being used and the IP address of the customer.
  2. CashBox creates a secure session that allows customer payment information to be submitted directly. The customer continues to enter their data into the form fields on the page as they would normally. For additional security, the session will time out after a pre-configurable amount of time.
  3. Once the customer submits their information, it is sent directly to CashBox and bypasses the vendor’s servers altogether. CashBox validates the IP address as an additional security measure and stores the customer data and payment information with the requested action.
  4. The customer is redirected to the results page by CashBox. As the redirect loads, the successful receipt of customer information is returned. Once the vendor’s servers receive this information, another call to CashBox is made requesting the actions be performed (e.g., fraud screening, authorization, tokenization, new account signup, payment capture or update).
  5. The success or failure of the requested action is passed back to the vendor’s server upon completion, with all of the necessary information (results, tokenized payment method, etc…) to display a detailed confirmation message to the customer on the results page.
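The five steps above can be modelled in a few lines of Python. This is an added example, not Vindicia's code or the CashBox API: the class, method names, status strings and token format are all hypothetical, and the card number and IP addresses are constructed sample values.

```python
import secrets
import time

class HostedSessionService:
    """Toy stand-in for the payment processor; all names are hypothetical."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl, self.clock, self.sessions = ttl_seconds, clock, {}

    def create_session(self, function, client_ip):
        # Steps 1-2: the vendor's server registers the function and customer IP.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"function": function, "ip": client_ip,
                              "expires": self.clock() + self.ttl,
                              "card": None, "done": False}
        return sid

    def submit(self, sid, client_ip, card_number):
        # Step 3: the browser posts here directly, not to the vendor.
        s = self.sessions.get(sid)
        if s is None:
            return "unknown_session"
        if self.clock() > s["expires"]:
            del self.sessions[sid]          # timed-out sessions are discarded
            return "expired"
        if client_ip != s["ip"]:
            return "ip_mismatch"            # IP validation from step 3
        if s["card"] is not None:
            return "already_submitted"
        s["card"] = card_number
        return "received"

    def finalize(self, sid):
        # Steps 4-5: the vendor requests the action and gets a token, never the card.
        s = self.sessions.get(sid)
        if s is None or s["card"] is None or s["done"]:
            return None
        s["done"] = True
        return {"function": s["function"], "status": "success",
                "token": "tok_" + secrets.token_hex(8)}

def demo():
    svc = HostedSessionService(ttl_seconds=60)
    pan = "4111111111111111"                # constructed test card number
    sid = svc.create_session("new_account_signup", "203.0.113.7")
    wrong_ip = svc.submit(sid, "198.51.100.9", pan)
    ok = svc.submit(sid, "203.0.113.7", pan)
    return wrong_ip, ok, svc.finalize(sid)

if __name__ == "__main__":
    print(demo())
```

In this model the vendor's side only ever holds the session id and the returned token; the card number lives solely inside the processor object.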

Or if you much prefer a purty picture, like this:


Hosted Order Automation is available immediately as part of the Vindicia CashBox solution. Wait and see how the competition reacts…

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

1 Comment
  • A merchant can NEVER completely offload PCI compliance matter. Someone needs to read the PCI DSS a bit more closely…
