
    Introducing the PCI Blueprint


    The more control and access organizations have over their data, the faster they can ship, innovate, and react. But because of the burdens that come with PCI, we've seen teams struggle to use their cardholder data to achieve this kind of agility. That makes it hard to add or leave a payment service provider (PSP), and hard to unlock new partnerships, products, and insights.

    It’s understandable. Cardholder data is a nightmare. Standing up a PCI infrastructure can take months, with annual PCI assessments costing anywhere from $20,000 to over $500,000. More importantly, these investments add little value to a company’s core product. 

    This is where tokenization can help. By generating tokens and using them in place of cardholder data in your environment, tokenization reduces or eliminates PCI scope for an organization's systems: a system that only ever handles tokens holds nothing an attacker can charge, so it is no longer part of the cardholder data environment. The organization keeps its ability to collect card data, process payments, search on Primary Account Numbers (PANs), and more.

    If companies want to own and use cardholder data without handcuffing themselves to a PSP, they’ll need a simple, affordable, and quick path to doing so. 

    Breaking down a PCI Blueprint

    A PCI Blueprint provides an organization with the PCI infrastructure it needs to collect, store, and send cardholder data to a PSP, including:

    • A PCI Level 1 cardholder environment for securing payment information; 
    • Customizable UI components for capturing (or revealing) cards within your application;
    • Token properties and capabilities for unlocking multiple different payment operations (e.g. searching, deduplication, and more);
    • A dynamic proxy service for routing payment information to and from PSPs; and
    • Access controls that govern which applications and people can reach your sensitive information.

    To “easy button” this, the PCI Blueprint’s documentation provides working code samples and an example application, allowing developers to spin up a cardholder infrastructure in less time than it takes to run your daily standup. 

    View the PCI Blueprint developer guide.

    Let’s take a closer look at some of the concepts powering a PCI Blueprint.

    Templates: Build-to-spec or build-to-suit, fast

    Basis Theory’s platform abstracts the hard stuff, like encryption, PCI controls, and key management, while allowing developers to tailor almost any aspect of their implementation. While that flexibility ensures you have the level of control you need today (or tomorrow), it can also be overwhelming for developers unfamiliar with PCI compliance requirements. So how do you fast-track the implementation of such a flexible offering without being a compliance expert yourself? 

    We’ve preconfigured the primary components that make up a Basis Theory card implementation. The best thing about these Templates is that they are configurable, giving developers a powerful foundation to further tailor their implementation. 

    Maintain existing operations or unlock new ones with Basis Theory Services

    Locking up cardholder data is easy; using it without exposing yourself to PCI scope is hard. We’ve built several services to help. 

    Route and transform payment data with any endpoint using Proxy

    Companies need a way to route cardholder information to and from the Basis Theory environment. Proxy, a service used to send, receive, and transform payloads to and from any processor (or endpoint, for that matter), allows developers to seamlessly inject Basis Theory into their existing payment stack or add new PSPs—all without disrupting internal or external operations. 

    Proxy can also run detokenization, tokenization, and transformation operations against the cardholder data inside Basis Theory’s environment. This makes it ideal for tokenizing incoming PANs from third parties, migrating data between databases with two different schemas, or manipulating data before sending it to another endpoint. 

    Search and deduplicate cardholder data without decrypting it

    Whether you're building a customer service support tool or a loyalty application, you'll likely need portions of the raw PAN to enable business operations. For example, an application may need a PAN's last four digits to confirm a purchase, or need to recognize that one physical card is being used by several family members.

    Developers can support these and many other operations by defining a token's properties, such as its Containers, Search Indexes, and Fingerprint, and then using Basis Theory's Search and Deduplication services via its web portal or API, all without decrypting the underlying value.
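To make the Proxy and the Search/Deduplication ideas above concrete, here is an added example (not Basis Theory's code or API) of a minimal in-memory token vault. It is an illustration of the techniques, not a claim about how the platform is implemented, and the names `TokenVault`, `FINGERPRINT_KEY`, `INDEX_KEY`, the `{{ tok_... }}` placeholder syntax and the sample PANs are all constructed for the demo. The security-relevant points it shows: a fingerprint is a keyed HMAC over the canonical PAN, so equal cards deduplicate to one token without anyone decrypting anything; a search index is a keyed HMAC over the last four digits, so the application can query by last four while the vault never reveals the PAN; and the proxy swaps token placeholders for PANs only inside the vault boundary, on the way out to the PSP, or tokenizes PANs arriving from a third party on the way in.

```python
import hashlib
import hmac
import re
import secrets

# Constructed demo keys. In a real deployment these live in the vault's key
# management system; the application that holds tokens never sees them.
FINGERPRINT_KEY = b"demo-fingerprint-key"  # assumption: one key for fingerprints
INDEX_KEY = b"demo-search-index-key"       # assumption: a separate key for search indexes

# Assumed placeholder syntax for a token reference inside a proxied payload.
_PLACEHOLDER = re.compile(r"^\{\{\s*(tok_[0-9a-f]{16})\s*\}\}$")


def _luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit validation, run before a value is accepted as a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def canonical_pan(pan: str) -> str:
    """Strip spaces and dashes so the same card always fingerprints the same; reject junk."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not _luhn_ok(digits):
        raise ValueError("not a syntactically valid PAN")
    return digits


def is_valid_pan(pan: str) -> bool:
    try:
        canonical_pan(pan)
        return True
    except ValueError:
        return False


class TokenVault:
    """Stand-in for the PCI-scoped environment. Callers only ever hold token ids."""

    def __init__(self):
        self._store = {}           # token_id -> record (the PAN lives only here)
        self._by_fingerprint = {}  # fingerprint -> token_id, used for deduplication
        self._by_last4 = {}        # blind index -> set of token_ids, used for search

    def tokenize(self, pan: str, container: str = "/pci/high/", dedupe: bool = True) -> str:
        digits = canonical_pan(pan)
        fingerprint = hmac.new(FINGERPRINT_KEY, digits.encode(), hashlib.sha256).hexdigest()
        if dedupe and fingerprint in self._by_fingerprint:
            return self._by_fingerprint[fingerprint]   # same card: reuse the existing token
        token_id = "tok_" + secrets.token_hex(8)
        index = hmac.new(INDEX_KEY, digits[-4:].encode(), hashlib.sha256).hexdigest()
        self._store[token_id] = {"pan": digits, "fingerprint": fingerprint, "container": container}
        self._by_fingerprint[fingerprint] = token_id
        self._by_last4.setdefault(index, set()).add(token_id)
        return token_id

    def search_last4(self, last4: str) -> list:
        """Search by last four digits using only the keyed blind index; no PAN is decrypted."""
        index = hmac.new(INDEX_KEY, last4.encode(), hashlib.sha256).hexdigest()
        return sorted(self._by_last4.get(index, set()))

    def same_card(self, token_a: str, token_b: str) -> bool:
        """Deduplication check: two tokens refer to one card iff their fingerprints match."""
        return self._store[token_a]["fingerprint"] == self._store[token_b]["fingerprint"]

    def proxy_outbound(self, payload):
        """Outbound proxy step: replace {{ tok_... }} placeholders with PANs right before
        the request leaves for the PSP. The application never assembles a PAN-bearing body."""
        def walk(node):
            if isinstance(node, dict):
                return {k: walk(v) for k, v in node.items()}
            if isinstance(node, list):
                return [walk(v) for v in node]
            if isinstance(node, str):
                match = _PLACEHOLDER.match(node)
                if match:
                    return self._store[match.group(1)]["pan"]  # KeyError on unknown token
            return node
        return walk(payload)

    def proxy_inbound(self, payload: dict, pan_fields) -> dict:
        """Inbound proxy step: tokenize PAN fields arriving from a third party so the
        application downstream stores only tokens."""
        out = dict(payload)
        for field in pan_fields:
            if field in out:
                out[field] = self.tokenize(out[field])
        return out


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4242 4242 4242 4242")       # constructed test PAN
    print(vault.search_last4("4242"))
    print(vault.proxy_outbound({"card": {"number": "{{ " + tok + " }}"}}))
```

Two caveats a practitioner would add: the blind index over four digits has a tiny keyspace, so the index key must stay inside the vault or anyone holding the index values can enumerate them; and a deterministic fingerprint is what makes deduplication possible, so its key must be distinct from the index key and never exposed to application code.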

    Need to go the extra mile with PCI Level 1 compliance?

    PCI Level 1 is the highest and most cost-intensive tier of PCI compliance: it requires an annual on-site assessment by a Qualified Security Assessor (QSA) rather than a self-assessment questionnaire. While many organizations using the PCI Blueprint won't require this level, there are many reasons you may need or want to validate PCI Level 1 compliance. Fortunately, Basis Theory provides organizations with the infrastructure and controls needed to satisfy nearly 95% of the PCI Level 1 controls that QSAs assess.

    Need to go faster? That’s where our partners at Secureframe can help. Secureframe provides an all-in-one platform for managing, automating, and tracking the governance, risk, and compliance (GRC) tasks and artifacts needed to achieve and maintain compliance. 

    Audits are another area where Basis Theory and Secureframe can help. Typically, systems analysis and evidence gathering take months of back and forth before a company receives its Attestation of Compliance (AOC) from a Qualified Security Assessor (QSA). By partnering with QSA firms, like Prescient Security, to familiarize them with our platforms, we've begun helping organizations receive their AOCs faster and at lower cost. It has never been faster, simpler, or more affordable to prove your security and compliance posture.

    Learn more about our partnership with Secureframe.

    How to get started?

    If you’re an engineer, here’s the recommended order of operations: 

    1. Sign up for free. In less than 30 seconds, you'll have your own PCI Level 1 environment.
    2. Follow the PCI Blueprint. Work through the guide, the working code samples, and the example application to get a compliant solution stood up in as little as 5 minutes.
    3. Join our Slack community. Ask questions, give feedback, or request new features or capabilities in our growing Slack community.

    If you're on the non-technical side, let us help with your discovery. We can provide simple and immediate answers to any questions you have about the platform and our partnerships.
