CardSecure® is a data encryption and tokenization solution that transfers incoming credit card data to a secure vault, encrypts it, and assigns it a token. The token, not the sensitive card data, is stored on your system, allowing the data to remain securely outside your ERP application. CardConnect was the first business to ever encrypt, tokenize, process, and store card data in this manner.

P2PE Diagram


Why Encryption and Tokenization?

When you hear in the news about data breaches affecting large, well-known companies, including retailers, home improvement stores, and banks, you realize the importance and urgency for a solution that protects your customers' personal and transaction data, your proceeds, your ability to stay PCI compliant, and your reputation. CardSecure provides this solution.

  • Protect You and Your Customers: CardSecure’s best-in-class tokenization technology and off-site vault keeps your customers’ information private and out of your system. If a breach ever does happen, the data stolen will be useless.
  • Security: Sensitive card data will never reside in your system because all encryption and storage takes place outside your systems.
  • CardConnect’s P2PE solution takes a business network and POS system completely out of PCI scope, which greatly reduces:
    • The cost of an annual audit
    • The possibility of the business falling victim to a breach
    • The size of the PCI questionnaire (from 300 questions to a mere dozen!). This greatly reduces the scope of your PCI compliance program since encryption meets PCI assessment targets for card data as well as state regulations for personal information.
  • Seamless Integration: The integration with CardSecure is straightforward and easy. Whether you use SAP, Oracle EBS, or something else entirely—we’ve got you covered.
  • Secure All Payment Types: All of your payment channels deserve the same security. Whether receiving transactions from the web, a call center, or a POS terminal, all data is encrypted and tokenized by CardSecure to ensure the highest security.
  • Can be used to store any data, not only credit cards. This is typically used to store Personally Identifiable Information (PII) such as Birth Date or Social Security Numbers.
  • Already have sensitive data stored in your system? We have tools to ease the migration process and convert your sensitive data into secure tokens.


  • Point-to-Point Encryption (P2PE): Upon swipe or card data input, the sensitive data is instantly encrypted. Your customer's credit card number will never be stored in your system and your customer’s data remains safe.
  • Irreversible, patented Tokenization: Our unique tokenization process is mathematically irreversible, offering your customers total protection from identity theft.
  • CardConnect tokens are “intelligent”, which means that they will comply with data integrity checks such as the Luhn test and those performed by various ERP systems.
  • CardSecure P2PE devices are malware-protected: If the system is compromised, the device is instantly disabled, preventing an attack from taking place.
  • CardConnect Vault: All encrypted card numbers are stored in our 100% PCI-compliant cloud environment.
  • Full key management: CardSecure provides tools for generating Data Encrypting Keys, which can be managed using the application.
  • Token rollover: The system can “Rollover” encrypted data from an older Data Encrypting Key to a new one to avoid disruptions when a new key is used.
  • Supports storing any data type, including any Personally Identifiable Information (PII). We support Birth Date, Account Numbers, Social Security Number, and any other data through custom types.
  • Bulk Uploader and other data conversion tools help you migrate your legacy data into CardSecure.

System Components

As an end-to-end solution, CardSecure has multiple components:


A full P2PE solution starts with P2PE-compliant hardware. Cards are swiped or keyed on the device, which encrypts the card data before it reaches your workstation. In this way, it completely removes the computer from PCI scope.

Server Integration

Businesses have the option of creating their own integrations with our APIs using:

  • HTTP/HTTPS interface
  • SSL socket interface

CardConnect provides several accelerators for integrating secure server calls in your applications:

  • SAP RFC interface
  • Oracle RFC interface

We also offer accelerators for tokenization based on input via PC Keyboard:

  • AJAX tokenizer: A JavaScript function that can be called by a Web page executing in the client’s browser, which can make a tokenization call to a CardSecure Server. Typically used in eCommerce settings.
  • Desktop Tokenizer: A software executable installed on the PC that accepts input via the PC keyboard, calls CardSecure, and returns the token to the Windows Clipboard. This tokenizer is typically used before data is entered into a back-end system, as it provides a token that resembles a card number and is secure to store on the merchant side.

Keyboard-based tokenization is considered a step below P2PE hardware in terms of security, because the card data is entered on the PC, which puts the computer in PCI scope.

Tokenization & Vault Service

Tokenization and data storage in the CardConnect cloud is offered as a service.
