Skip to main content
You can request an export of PCI tokens that are stored on our systems. Requests are performed only after review and approval. Once approved, the resulting dataset is delivered as a PKI-encrypted .tgz archive via a time-limited download link to the requesting party.

Prerequisites

Certificate Requirements

For encryption, you must provide an X.509 certificate (PEM) containing the recipient’s public key. We accept recipient certificates only if all of the following criteria are met:
Use a dedicated certificate and key pair specifically for token export decryption, separate from TLS or general-purpose certificates.

Step-by-Step Process

1

Step 1 – Submit an export request

Submit an export request via your designated contact channel including:
  • Legal organization name
  • Cluster ID
  • Intended use case of the exported data
  • Attestation of PCI compliance
  • Scope (time range, system/batch, filters)
  • Recipient (team/service and responsible contact)
  • Point of contact for follow-up questions
Use a dedicated certificate and key pair specifically for token export decryption, separate from TLS or general-purpose certificates.
2

Step 2 – Provide the recipient OV certificate

Provide your recipient certificate in PEM format (Base64, including header and footer). The certificate must contain the public key used for encryption.
Never send private keys, passphrases, or HSM access details.
3

Step 3 – Review and approval

We perform two independent checks:
  • Certificate validation: trust chain, validity period, revocation status, key usage / extended key usage, and organizational identity
  • Authorization review: intended use, contractual scope, and applicable compliance requirements
Once all checks are successfully completed, the export is approved and scheduled. If any issues are identified, we will contact you with specific remediation steps.
4

Step 4 – Export and PKI encryption

After approval, the dataset is exported from the relevant system and packaged as a compressed .tgz archive. The archive is then encrypted using your provided OV certificate.
Only the holder of the corresponding private key can decrypt the exported archive.
5

Step 5 – Delivery via download link

The encrypted .tgz archive is made available via a download link sent to the requester (or the designated contact specified in the request).The download link is:
  • Time-limited (expiration communicated separately)
  • Auditable (request ID, timestamp, delivery record)
6

Step 6 – Download, decryption, and internal handling

Download the encrypted archive and perform decryption and extraction using your internal tooling and security controls.
Decryption, validation, and secure processing of the exported data are the responsibility of the receiving organization.
Confirm that decryption succeeds, that the dataset matches the requested scope, and that internal controls for handling the data are in place before wider distribution.
7

Step 7 – Storage and retention

Store and process the decrypted dataset in accordance with:
  • Your internal security policies
  • Applicable regulatory and compliance requirements
  • Contractually agreed retention and deletion rules

Export Data Format

The exported .tgz archive contains a manifest JSON file and encrypted JSONL records containing the PCI token data.

Encryption Details

The export uses a hybrid encryption scheme:
  1. AES encryption is used to encrypt the JSONL records file
  2. The AES key is encrypted using RSA-OAEP-256 with your provided OV certificate’s public key
  3. The encrypted AES key, initialization vector (IV), and authentication tag are stored in the manifest

Manifest Format

The manifest.json file contains metadata about the export and encryption parameters:

Record Format

The records.jsonl.enc file contains encrypted JSONL (JSON Lines) data. After decryption, each line is a JSON object representing a PCI token record. Each record follows the PCI token payload structure with the following differences:
  • The account_number field contains the unmasked full account number (instead of masked_account_number)
  • All other fields match the standard PCI token API response format
  • Metadata is included if present

Decryption Process

To decrypt the export:
  1. Extract the .tgz archive
  2. Read manifest.json to obtain encryption parameters
  3. Decrypt the AES key using your private key
  4. Use the decrypted AES key, IV, and tag to decrypt records.jsonl.enc
  5. Verify the checksum in the manifest matches the decrypted content
  6. Process the JSONL file line by line (each line is a complete JSON object)

Common Issues & Troubleshooting

A raw public key without a CA-issued certificate cannot be accepted. Please provide an OV (or higher) X.509 certificate containing the public key.
DV certificates do not provide organizational identity validation and are therefore not sufficient. Please use an OV or EV certificate.