Security & Compliance
PCI DSS
Card data is forwarded via the partner's PSP Forward API (a gateway-to-gateway transfer) and never enters partner servers directly:
- Partners continue to qualify for SAQ-A. No change to PCI DSS scope.
- Rokt's endpoint is PCI DSS Level 1 compliant. Card data is handled in volatile storage and auto-purged after processing.
- For Apple Pay, PayPal, and Google Pay, card data is tokenized by the respective payment provider and never touches partner or Rokt servers in raw form.
Data privacy
- Email & shipping address: Provided to the Rokt Catalog brand (MoR) only when the customer explicitly opts in to the purchase, for fulfillment purposes.
- Card data: Forwarded card details are auto-purged from Rokt's volatile storage within 60 minutes. Never stored persistently.
- Consent: The customer is made explicitly aware they are engaging with a separate merchant. The Rokt placement clearly identifies the brand.
Security mitigations
| Concern | Mitigation |
|---|---|
| PCI DSS scope | Partner continues to qualify for SAQ-A. Card data never enters partner servers. Forward API is vault-to-destination. |
| Token expiry | Payment forwarding tokens are valid for a single transaction with an explicit expiry. Cannot be reused. |
| Volatile storage | Forwarded PAN/CVV are auto-purged from Rokt's environment after 60 minutes. Never written to persistent storage. |
| IP restriction | Partners should restrict the payment forwarding API endpoint to Rokt's static IP addresses. |
| Revocation | Partners can revoke all active Forward API grants immediately via their PSP's Control Panel. |
| Authentication | Server-to-server communication uses OAuth 2.0 with short-lived tokens. |
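The IP-restriction, token-expiry, single-use and revocation rows above describe checks that the receiving side of the forwarding endpoint must enforce together. The following is an added illustration of that enforcement model, not Rokt's or any PSP's code: it assumes a hypothetical `ForwardRequestGuard` that holds an allowlist of static source addresses (constructed placeholder addresses from the TEST-NET-3 documentation range, not Rokt's real addresses), issues random tokens with a short expiry, rejects any token presented a second time, and supports an immediate revoke-all. The clock is injectable so the expiry path can be exercised deterministically.

```python
import ipaddress
import secrets
import time

# Constructed placeholders (TEST-NET-3 documentation range); the real allowlist
# would hold the static addresses published by Rokt, which this example does not know.
ROKT_STATIC_IPS = ["203.0.113.10", "203.0.113.11"]

# Hypothetical lifetime for a forwarding token; the page says "short-lived" but gives no value.
TOKEN_TTL_SECONDS = 300


class ForwardRequestGuard:
    """Partner/PSP-side checks for an inbound forward request (illustrative, not a real API)."""

    def __init__(self, allowed_ips, now=time.time):
        # Parse once so malformed allowlist entries fail at startup, not at request time.
        self._allowed = {ipaddress.ip_address(ip) for ip in allowed_ips}
        self._issued = {}      # token_id -> expiry timestamp (seconds)
        self._used = set()     # token_ids that have already authorised one transaction
        self._now = now        # injectable clock for testing

    def issue_token(self, ttl=TOKEN_TTL_SECONDS):
        """Mint a random, single-transaction token with an explicit expiry."""
        token_id = secrets.token_urlsafe(32)
        self._issued[token_id] = self._now() + ttl
        return token_id

    def revoke_all(self):
        """Invalidate every outstanding grant at once (the table's 'Revocation' row)."""
        self._issued.clear()

    def authorize(self, source_ip, token_id):
        """Return (allowed, reason). Every check must pass; the token is consumed on success."""
        try:
            ip = ipaddress.ip_address(source_ip)
        except ValueError:
            return (False, "malformed source ip")
        if ip not in self._allowed:
            # IP restriction: only the forwarding gateway's static addresses may call in.
            return (False, "source ip not allowlisted")
        expiry = self._issued.get(token_id)
        if expiry is None:
            # Never issued, or wiped by revoke_all().
            return (False, "unknown or revoked token")
        if token_id in self._used:
            # Single-use: a replayed token is rejected even if it has not expired.
            return (False, "token already used")
        if self._now() > expiry:
            return (False, "token expired")
        self._used.add(token_id)
        return (True, "ok")
```

Checking the source address before the token means an attacker outside the allowlist learns nothing about token validity; marking the token as used before returning success closes the window for a replay of the same token within its lifetime.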