Tokens
Merchants who accept card payments must comply with the Payment Card Industry Data Security Standard (PCI DSS). This standard is a set of security requirements designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
Starfish GmbH & Co. KG is a PCI DSS Level 1 Service Provider. This is the highest level of certification available in the payments industry. Find the Attestation of Compliance (AoC) in our trust-center.
Easy Compliance
In general, you have to handle card payments in a PCI DSS compliant way. There is no way around it, but you can make it much easier if you follow this general advice:
- Make use of managed solutions like our Web SDK such that you can accept card payments without having to touch the card data.
- Ensure Transport Layer Security (TLS) for all payment pages.
- Assess your PCI compliance yearly using one of the Self-Assessment Questionnaires (SAQs) provided by the PCI Security Standards Council.
We offer two ways to make PCI compliance easy for you:
SAQ A Compliance
Our SDKs are designed to be used in a way that you can achieve SAQ A compliance. This is the easiest way to be PCI/DSS compliant. You can use our SDKs to accept card payments without having to touch the card data. We handle the sensitive data and exchange it for a non-sensitive token, which you can safely store and use to charge the card.
SAQ D Compliance
If you are SAQ D PCI/DSS compliant, you can also send us cardholder data in raw format. Still, you don't have to worry about storing the cardholder information and we will provide you with the same convenient token in exchange.
Hellgate® Token Features
In contrast to many simple tokens, the Hellgate® Tokens are not just a non-sensitive replacement but offer a rich feature-set themselves.
Card Metadata
For certain use cases, understanding more about the card itself or the issuing bank can be crucial. Hellgate® Tokens are enriched with comprehensive metadata that provides insights such as whether the card is a consumer or commercial type, along with other relevant attributes. This information enables more informed decision-making and helps tailor processing strategies based on card characteristics. For a detailed list of available metadata and usage examples, please consult our API Reference.
Network Tokens
Many major card schemes, such as Visa and Mastercard, offer the ability to tokenize cardholder data using tokens provisioned directly by the network. These network tokens not only enhance security but also improve transaction approval rates and are essential for enabling device-based payment experiences, including mobile wallets and in-app payments.
When your account has network token provisioning enabled, the tokens are automatically requested and managed whenever a new Hellgate® Token is issued. This process ensures seamless integration with the card schemes and reduces the complexity of managing token lifecycles manually.
Reach out to your Hellgate® support representative to learn more about network tokens and how to make use of them.
Account Updates
Especially in business models with recurring payments, expired or replaced card information often generates unnecessary friction. Hellgate® supports an automatic account update process with the major card schemes to replace the underlying card data automatically or upon request.
Reach out to your Hellgate® support representative to learn more about account updates and how to make use of them.
Tokenization
Tokenization is the process of converting the sensitive cardholder data into a non-sensitive Hellgate® Token. This enables PCI DSS compliant processing and a high level of security for your card payments.
In order to explain how tokenization works, we need to distinguish between SAQ A and SAQ D compliance levels (see PCI Compliance).
For SAQ A Compliance
The majority of our customers fall into this category. If you are SAQ A compliant, you can use our SDKs to tokenize cardholder data. The process of using the SDKs is, in general, identical across all SDKs we provide.
It consists of these steps:
- Server Side: Session Creation
- Client Side: Session Initialization
- Client Side: Tokenization
Along the lifecycle of the tokens, you can subscribe to notifications to stay informed about token changes.
Find our get started guide to learn how to tokenize cardholder data using our SDKs.
For SAQ D Compliance
If you are SAQ D compliant, instead of using our SDKs, you can also send us cardholder data in raw format on the API. In this case, Hellgate® exchanges the cardholder information directly for a Hellgate® Token.
For further details, consult our API reference to learn how to create a token from an FPAN.
curl \
  --request POST \
  --url https://sandbox.hellgate.io/cde-import \
  --header 'content-type: application/json' \
  --data '{
    "cardholder_name": "John Doe",
    "expiry_month": 4,
    "expiry_year": 2033,
    "account_number": "4242424242424242",
    "security_code": "123"
  }'
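The following is an added example, not Hellgate's own code: it builds the same /cde-import request body with the field names shown above, validates the input before it leaves your cardholder data environment, and produces a masked copy that is safe to log (the PAN masked, the security code dropped). The endpoint URL is from the page; the authentication header needed for a real call is not shown on the page and is only referenced in a comment.

```python
import json
import re

# Endpoint as shown on the page; credentials are not shown there and are not assumed here.
CDE_IMPORT_URL = "https://sandbox.hellgate.io/cde-import"


def luhn_ok(pan: str) -> bool:
    """Luhn check on a digit-only PAN, rejecting obvious typos before any network call."""
    if not re.fullmatch(r"\d{12,19}", pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show at most the first six and last four digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_cde_import(cardholder_name, expiry_month, expiry_year, account_number, security_code):
    """Return the JSON body for POST /cde-import using the field names from the page."""
    if not luhn_ok(account_number):
        raise ValueError("account_number failed Luhn check")
    if not 1 <= expiry_month <= 12:
        raise ValueError("expiry_month out of range")
    if not re.fullmatch(r"\d{3,4}", security_code):
        raise ValueError("security_code must be 3 or 4 digits")
    return {
        "cardholder_name": cardholder_name,
        "expiry_month": expiry_month,
        "expiry_year": expiry_year,
        "account_number": account_number,
        "security_code": security_code,
    }


def loggable(body: dict) -> dict:
    """Copy safe for logs: PAN masked, security code removed (it must never be stored)."""
    safe = dict(body)
    safe["account_number"] = mask_pan(body["account_number"])
    safe.pop("security_code", None)
    return safe


if __name__ == "__main__":
    body = build_cde_import("John Doe", 4, 2033, "4242424242424242", "123")
    print(json.dumps(loggable(body)))
    # A real submission would POST `body` to CDE_IMPORT_URL with your API credentials.
```

Only the masked copy should ever reach application logs; the raw body exists solely for the request itself.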