Token exports contain security-sensitive information classified as cardholder data in terms of PCI DSS. All exports are provided as an encrypted archive and can only be decrypted using the corresponding private key. You must provide a valid recipient certificate; exports without a valid certificate are not possible.

Overview

You can request an export of PCI tokens that are stored on our systems. Requests are performed only after review and approval. Once approved, the resulting dataset is delivered as a PKI-encrypted .tgz archive via a time-limited download link to the requesting party.

Prerequisites

For encryption, you must provide an X.509 certificate (PEM) containing the recipient’s public key. The certificate must be Organization Validated (OV) or higher (e.g. EV).

  • No raw public keys without a certificate
  • No self-signed certificates (unless explicitly agreed as part of a private PKI)
  • The certificate subject must include the organization (at minimum O and C)
  • The certificate must be valid and not revoked at the time of export

In addition to cryptographic identity binding via an OV certificate, we verify that your organization is authorized to receive and process the exported data.

This may include contractual scope validation and, where applicable, compliance evidence (e.g. PCI-related attestations).

The receiving organization must also have:

  • Secure access to the corresponding private key (HSM or secure key store recommended)
  • Capability to decrypt PKI-encrypted archives internally
  • Ability to securely handle and store the decrypted dataset

Step-by-Step Process

Step 1 – Submit an export request

Submit an export request via your designated contact channel including:
  • Legal organization name
  • Cluster ID
  • Intended use case of the exported data
  • Attestation of PCI compliance
  • Scope (time range, system/batch, filters)
  • Recipient (team/service and responsible contact)
  • Point of contact for follow-up questions

Use a dedicated certificate and key pair specifically for token export decryption, separate from TLS or general-purpose certificates.

Step 2 – Provide the recipient OV certificate

Provide your recipient certificate in PEM format (Base64, including header and footer). The certificate must contain the public key used for encryption.

Never send private keys, passphrases, or HSM access details.

Step 3 – Review and approval

We perform two independent checks:
  • Certificate validation: trust chain, validity period, revocation status, key usage / extended key usage, and organizational identity
  • Authorization review: intended use, contractual scope, and applicable compliance requirements

Once all checks are successfully completed, the export is approved and scheduled. If any issues are identified, we will contact you with specific remediation steps.

Step 4 – Export and PKI encryption

After approval, the dataset is exported from the relevant system and packaged as a compressed .tgz archive. The archive is then encrypted using your provided OV certificate.

Only the holder of the corresponding private key can decrypt the exported archive.

Step 5 – Delivery via download link

The encrypted .tgz archive is made available via a download link sent to the requester (or the designated contact specified in the request). The download link is:
  • Time-limited (expiration communicated separately)
  • Restricted to a limited number of downloads (as agreed)
  • Auditable (request ID, timestamp, delivery record)

Step 6 – Download, decryption, and internal handling

Download the encrypted archive and perform decryption and extraction using your internal tooling and security controls.
Decryption, validation, and secure processing of the exported data are the responsibility of the receiving organization.

Confirm that decryption succeeds, that the dataset matches the requested scope, and that internal controls for handling the data are in place before wider distribution.

Step 7 – Storage and retention

Store and process the decrypted dataset in accordance with:
  • Your internal security policies
  • Applicable regulatory and compliance requirements
  • Contractually agreed retention and deletion rules

Certificate Acceptance Criteria

We accept recipient certificates only if all of the following criteria are met:
Requirement             Details
Certificate type        X.509 with OV or higher validation
Organization identity   Subject includes at least O (Organization) and C (Country)
Trust anchor            Issued by an approved public CA or an agreed private PKI
Validity                Certificate is within its validity period
Revocation status       Not revoked (CRL / OCSP or equivalent checks)
Key usage               Suitable for encryption
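The script below is an added example written for this page; it is not the export service's own tooling and nothing here describes how the service actually performs its checks. It assumes openssl and tar are installed, it assumes CMS (RFC 5652) with AES-256-CBC as the envelope format (the page only says "PKI-encrypted"), and it stands in for the recipient's CA-issued OV certificate with a constructed private PKI (one CA certificate issuing the recipient certificate), which the page allows as an agreed alternative. The check_recipient_cert function applies the acceptance criteria above in order (certificate rather than raw key, O and C in the subject, chain and validity period, key usage), and the two rejections from the troubleshooting section below (raw public key, DV-style certificate with only a CN) are exercised as constructed inputs. The encrypt_export and decrypt_export functions are the Step 4 and Step 6 sides of the process, and round_trip confirms that the extracted dataset is identical to the input and that a key pair that is not the recipient cannot open the envelope.

```shell
#!/bin/sh
# Added example, not the export service's own tooling. Assumptions: openssl and
# tar are installed; the envelope format is CMS (RFC 5652) with AES-256-CBC,
# which this page does not specify; the recipient's OV certificate is replaced
# by a constructed private-PKI certificate so the example runs offline.
set -eu
WORK=$(mktemp -d)

# Constructed private PKI: a one-certificate CA issues the recipient
# certificate with O and C in its subject and key usage limited to encryption.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/C=DE/O=Example PKI/CN=Example Private CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/C=DE/O=Example Merchant GmbH/CN=token-export-recipient" \
  -keyout "$WORK/recipient.key" -out "$WORK/recipient.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,keyEncipherment\n' > "$WORK/leaf.ext"
openssl x509 -req -days 30 -in "$WORK/recipient.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/leaf.ext" \
  -out "$WORK/recipient.pem" 2>/dev/null
# Two inputs the troubleshooting section rejects: a raw public key and a
# DV-style certificate whose subject carries only a CN (both constructed).
openssl pkey -in "$WORK/recipient.key" -pubout -out "$WORK/raw.pub" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=shop.example" \
  -keyout "$WORK/dv.key" -out "$WORK/dv-like.pem" 2>/dev/null

# check_recipient_cert CERT TRUST_ANCHOR
# Applies the acceptance criteria in order: X.509 rather than a bare key,
# O and C in the subject, chains to the anchor and is inside its validity
# period, key usage permits encryption. Revocation is not checked offline;
# with the issuer's CRL at hand, add -crl_check -CRLfile to the verify call.
check_recipient_cert() {
  cert=$1; anchor=$2
  if ! grep -q "BEGIN CERTIFICATE" "$cert"; then
    echo "reject: not an X.509 certificate (raw public keys are not accepted)"; return 1
  fi
  # RFC 2253 form, e.g. CN=...,O=...,C=DE; the leading comma makes the match
  # exact so that CN= is not mistaken for C=.
  subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
  subj=",${subj#*=}"
  case "$subj" in *",O="*) ;; *) echo "reject: subject has no O (DV-style certificate)"; return 1 ;; esac
  case "$subj" in *",C="*) ;; *) echo "reject: subject has no C"; return 1 ;; esac
  if ! openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1; then
    echo "reject: does not chain to the trust anchor or is outside its validity period"; return 1
  fi
  # An absent keyUsage extension means unrestricted; a present one must allow encryption.
  ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
  case "$ku" in *"Key Usage"*)
    case "$ku" in *"Key Encipherment"*|*"Key Agreement"*) ;;
      *) echo "reject: keyUsage does not permit encryption"; return 1 ;;
    esac ;;
  esac
  echo "accept: $cert"
}

# Step 4 (service side): package SRC_DIR as .tgz and envelope it for the
# holder of the private key matching RECIPIENT_CERT.
encrypt_export() {  # encrypt_export SRC_DIR RECIPIENT_CERT OUT_FILE
  tar -C "$1" -czf "$3.plain.tgz" . || return 1
  openssl cms -encrypt -binary -aes-256-cbc -outform DER \
    -in "$3.plain.tgz" -out "$3" "$2" || return 1
  rm -f "$3.plain.tgz"   # never leave the cleartext archive beside the envelope
}

# Step 6 (recipient side): decrypt with the private key, then extract.
decrypt_export() {  # decrypt_export IN_FILE PRIVATE_KEY RECIPIENT_CERT DEST_DIR
  mkdir -p "$4" || return 1
  openssl cms -decrypt -binary -inform DER -in "$1" -inkey "$2" -recip "$3" \
    -out "$4/.archive.tgz" 2>/dev/null || return 1
  tar -C "$4" -xzf "$4/.archive.tgz" || return 1
  rm -f "$4/.archive.tgz"
}

# Round trip over a constructed one-file dataset: prints ok when the extracted
# file equals the input and a non-recipient key pair cannot open the envelope.
round_trip() {
  d=$(mktemp -d)
  mkdir "$d/export"
  printf 'token_id,created\ntok_0001,2024-01-01\n' > "$d/export/tokens.csv"
  encrypt_export "$d/export" "$WORK/recipient.pem" "$d/export.tgz.cms" || return 1
  decrypt_export "$d/export.tgz.cms" "$WORK/recipient.key" "$WORK/recipient.pem" "$d/out" || return 1
  [ "$(cat "$d/out/tokens.csv")" = "$(cat "$d/export/tokens.csv")" ] || { echo "mismatch"; return 1; }
  if decrypt_export "$d/export.tgz.cms" "$WORK/dv.key" "$WORK/dv-like.pem" "$d/wrong"; then
    echo "non-recipient key decrypted the archive"; return 1
  fi
  echo ok
}

check_recipient_cert "$WORK/recipient.pem" "$WORK/ca.pem"
check_recipient_cert "$WORK/raw.pub" "$WORK/ca.pem" || true
check_recipient_cert "$WORK/dv-like.pem" "$WORK/dv-like.pem" || true
round_trip
```

With a real CA-issued certificate, the trust anchor passed to check_recipient_cert is the CA bundle the certificate was agreed to chain to, not the certificate itself; the self-anchored call for the DV-style certificate is there only to show that it is rejected on the subject check before trust is even considered. The round trip deliberately decrypts to a file and extracts in a second step so that a failed decryption is detected by its exit status rather than by tar reading an empty stream.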

Common Issues & Troubleshooting

A raw public key without a CA-issued certificate cannot be accepted. Please provide an OV (or higher) X.509 certificate containing the public key.
DV certificates do not provide organizational identity validation and are therefore not sufficient. Please use an OV or EV certificate.