Security & Compliance
PCI DSS
Card data is forwarded via the partner's PSP Forward API (a gateway-to-gateway transfer) and never enters partner servers directly:
- Partners continue to qualify for SAQ-A. No change to PCI DSS scope.
- Rokt's endpoint is PCI DSS Level 1 compliant. Card data is handled in volatile storage and auto-purged after processing.
- For Apple Pay, PayPal, and Google Pay, card data is tokenized by the respective payment provider and never touches partner or Rokt servers in raw form.
Data privacy
- Email & shipping address: Provided to the Rokt Catalog brand (MoR) only when the customer explicitly opts in to the purchase, for fulfillment purposes.
- Card data: Forwarded card details are auto-purged from Rokt's volatile storage within 60 minutes. Never stored persistently.
- Consent: The customer is made explicitly aware they are engaging with a separate merchant. The Rokt placement clearly identifies the brand.
Security mitigations
| Concern | Mitigation |
|---|---|
| PCI DSS scope | Partner continues to qualify for SAQ-A. Card data never enters partner servers. Forward API is vault-to-destination. |
| Token expiry | Payment forwarding tokens are valid for a single transaction with an explicit expiry. Cannot be reused. |
| Volatile storage | Forwarded PAN/CVV are auto-purged from Rokt's environment after 60 minutes. Never written to persistent storage. |
| IP restriction | Partners should restrict the payment forwarding API endpoint to Rokt's static IP addresses. |
| Revocation | Partners can revoke all active Forward API grants immediately via their PSP's Control Panel. |
| Authentication | Server-to-server communication uses OAuth 2.0 with short-lived tokens. |
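As an added illustration (not Rokt's or any PSP's code), the partner-side guard below sketches three of the controls in the table: a single-use forwarding grant with an explicit expiry, a source-IP allowlist on the forwarding endpoint, and an in-memory card store that drops entries after 60 minutes. The IP range, the token format and the injectable `now` clock are assumptions; the real allowlist must be Rokt's published static IPs.

```python
# Added partner-side guard (not Rokt/PSP code): single-use forwarding grants
# with an explicit expiry, a source-IP allowlist, and an in-memory card store
# purged after 60 minutes. All IPs and tokens here are constructed placeholders.
import ipaddress
import secrets
import time

# Placeholder allowlist (TEST-NET-3); replace with Rokt's published static IPs.
ROKT_STATIC_IPS = ["203.0.113.0/24"]


class ForwardGrant:
    """Single-transaction token: redeemable once, and only before expiry."""
    def __init__(self, ttl_seconds=300, now=time.time):
        self.token = secrets.token_urlsafe(32)  # opaque, unguessable value
        self.expires_at = now() + ttl_seconds
        self.used = self.revoked = False
        self._now = now  # injectable clock (assumption, eases testing)

    def redeem(self):
        if self.revoked or self.used or self._now() > self.expires_at:
            return False
        self.used = True  # consumed: replaying the same grant now fails
        return True


class VolatileCardStore:
    """Holds forwarded PAN/CVV in memory only; drops entries older than max_age."""
    def __init__(self, max_age=3600, now=time.time):
        self._items, self._now, self.max_age = {}, now, max_age

    def put(self, txn_id, card):
        self._items[txn_id] = (card, self._now())

    def get(self, txn_id):
        cutoff = self._now() - self.max_age  # purge on access; a timer would do too
        self._items = {k: v for k, v in self._items.items() if v[1] >= cutoff}
        return self._items.get(txn_id, (None,))[0]


def source_allowed(client_ip, allowlist=ROKT_STATIC_IPS):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allowlist)


def accept_forward(client_ip, grant, txn_id, card, store):
    """Enforce the controls in order: source IP, then grant, then volatile store."""
    if not source_allowed(client_ip):
        return "rejected: source ip"
    if not grant.redeem():
        return "rejected: grant"
    store.put(txn_id, card)
    return "accepted"
```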