Get started
Tokenize cardholder data with the Commerce Web SDK in a PCI/DSS-compliant way.
Network tokens
Use network tokens from card schemes with Commerce.
Compliance proxy
Forward token data to your payment service provider securely.
Easy compliance
Card payments must always be handled in a PCI/DSS-compliant way; there is no way around it. You can make compliance much easier by following this general advice:
- Make use of managed solutions like our Web SDK so that you can accept card payments without having to touch the card data.
- Ensure Transport Layer Security (TLS) for all payment pages.
- Assess your PCI compliance yearly using a Self-Assessment Questionnaire (SAQ), which is provided by the PCI Security Standards Council.
SAQ A compliance
Our SDKs are designed so that you can achieve SAQ A compliance. This is the easiest way to be PCI/DSS compliant. You can use our SDKs to accept card payments without having to touch the card data. We handle the sensitive data and exchange it for a non-sensitive token, which you can safely store and use to charge the card.
SAQ D compliance
If you are SAQ D PCI/DSS compliant, you can also send us cardholder data in raw format. Still, you don’t have to worry about storing the cardholder information and we will provide you with the same convenient token in exchange.
Commerce token features
In contrast to many simple tokens, Commerce tokens are not just a non-sensitive replacement but offer a rich feature set themselves.
Card metadata
For certain use cases, understanding more about the card itself or the issuing bank can be crucial. Commerce tokens are enriched with comprehensive metadata that provides insights such as whether the card is a consumer or commercial type, along with other relevant attributes. This information enables more informed decision-making and helps tailor processing strategies based on card characteristics. For a detailed list of available metadata and usage examples, please consult our API Reference.
Network tokens
Many major card schemes, such as Visa and Mastercard, offer the ability to tokenize cardholder data using tokens provisioned directly by the network. These network tokens not only enhance security but also improve transaction approval rates and are essential for enabling device-based payment experiences, including mobile wallets and in-app payments. When your account has network token provisioning enabled, the tokens are automatically requested and managed whenever a new Commerce token is issued. This process ensures seamless integration with the card schemes and reduces the complexity of managing token lifecycles manually.
Reach out to your Commerce support representative to learn more about network tokens and how to make use of them.
Account updates
Especially in business models with recurring payments, expired or replaced card information often generates unnecessary friction. Commerce supports an automatic account update process with major card schemes to replace the underlying card data automatically or upon request.
Reach out to your Commerce support representative to learn more about account updates and how to make use of them.
Tokenization
Tokenization is the process of converting the sensitive cardholder data into a non-sensitive Commerce token. This enables PCI/DSS-compliant processing and a high level of security for your card payments. In order to explain how tokenization works, we need to distinguish between SAQ A and SAQ D compliance levels (see PCI Compliance).
For SAQ A compliance
The majority of our customers fall into this category. If you are SAQ A compliant, you can use our SDKs to tokenize cardholder data. The process of using the SDKs is, in general, identical across all SDKs we provide. It consists of these steps:
- Server Side: Session Creation
- Client Side: Session Initialization
- Client Side: Tokenization