To maintain PCI compliance and support merchants with existing PCI DSS Level 1 certification, Tonder provides PCI Compliant Raw Card Processing that allows direct processing of raw card data without tokenization. This approach eliminates the multi-step tokenization process while maintaining enterprise-grade security for qualified merchants.
For merchants with full PCI DSS compliance only. This approach allows you to send raw card data directly to Tonder without tokenization. Only use this if you are fully PCI DSS compliant.

Endpoints

There are two different endpoints for PCI compliant processing, one for testing and one for production:
Environment   Endpoint                             Purpose
-----------   ----------------------------------   -------------------------------
Testing       https://process-sandbox.tonder.io/   PCI compliant testing
Production    https://process.tonder.io/           PCI compliant live transactions

Authentication

These are the required headers for the PCI compliant processing endpoints:
Authorization: Token your_api_key
Content-Type: application/json
Use the same API token you can find on your Dashboard → Developers → API Keys → Public API Key.

PCI Compliant Request

A request to the PCI compliant processing endpoints should have the following structure. The example below shows such a request using cURL:
curl -X POST https://process-sandbox.tonder.io/ \
  -H "Authorization: Token 04fbdd63113c009b6ac14c7d230b13909ae11221" \
  -H "Content-Type: application/json" \
  -d '{
    "operation_type": "payment",
    "amount": 150.00,
    "currency": "MXN",
    "customer": {
      "name": "Ana María Rodríguez",
      "email": "ana.rodriguez@email.com"
    },
    "payment_method": {
      "type": "CARD",
      "card_number": "4444444444444455",
      "cardholder_name": "Ana María Rodríguez",
      "cvv": "123",
      "expiration_year": "26",
      "expiration_month": "07"
    },
    "client_reference": "order-789",
    "return_url": "https://mystore.com/payment/return"
  }'

Response Format

The response from the endpoints has the following structure:
{
  "amount": 150,
  "client_reference": "order-789",
  "created_at": "2025-09-04T23:03:33.778574Z",
  "currency": "MXN",
  "id": "2fd6a7fa-2997-434d-a8e0-1128cf7d00a3",
  "next_action": {
    "redirect_to_url": {
      "return_url": "https://mystore.com/payment/return?tndr_payment_id=45396",
      "url": "https://sandbox.cardpay.com/MI/payments/redirect?token=9e53b5de-76d5-4c59-82a8-09ad4e87f42a",
      "verify_transaction_status_url": "/transactions/2fd6a7fa-2997-434d-a8e0-1128cf7d00a3/"
    }
  },
  "operation_type": "payment",
  "payment_id": 45396,
  "provider": "tonder",
  "status": "Pending",
  "status_code": 201,
  "transaction_id": 8707
}
Where:
Field             Type      Description
--------------    -------   -----------------------------------
id                string    Unique transaction identifier
operation_type    string    Always "payment"
status            string    Transaction status
amount            decimal   Transaction amount
currency          string    Currency code
client_reference  string    Your reference identifier
payment_id        integer   Internal payment ID
transaction_id    integer   Internal transaction ID
provider          string    Payment provider used
created_at        string    ISO 8601 timestamp
status_code       integer   HTTP status code
next_action       object    Required actions (3DS, redirects)

Test Cards

Use these test cards in the sandbox environment:
Card Number           Expected Result
-------------------   ----------------------------------------------------
4000 0000 0000 0077   Successful payment
5451 9515 7492 5480   Card declined
4456 5280 8038 9860   3DS authentication required
4574 4412 1519 0335   Processing error (no transaction recorded in Tonder)
4349 0012 1084 6432   Insufficient funds

Status Values

The table below shows the different possible status values:
Status      Description
---------   --------------------------------
Pending     Transaction awaiting completion
Success     Payment completed successfully
Failed      Payment failed or declined
Cancelled   Transaction was cancelled
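The following is an added example, not Tonder's own code or SDK, that ties together the request structure, the response format and the status values described above: it builds the documented request body, produces a log-safe copy of it (PAN masked to first six and last four digits, CVV dropped, as PCI DSS requires for anything you persist), sends it with the two required headers, and maps the returned `status` and `next_action` to what the integration must do next. The API key is a placeholder, the sample response is constructed from the one shown in this document, and the `transport` argument is a hypothetical hook used only so the code runs offline.

```python
"""Added example (not Tonder's code): build, redact, send and interpret a
PCI compliant raw-card request. Assumes a placeholder API key and a
constructed sample response mirroring the documentation."""
import json
import urllib.request
from typing import Callable, Optional

SANDBOX_URL = "https://process-sandbox.tonder.io/"
PRODUCTION_URL = "https://process.tonder.io/"


def build_headers(api_key: str) -> dict:
    # The two headers the endpoint requires, in the "Token <key>" form.
    return {"Authorization": f"Token {api_key}",
            "Content-Type": "application/json"}


def build_payment(amount, currency, customer, card, client_reference,
                  return_url) -> dict:
    """Assemble the request body in the documented structure."""
    return {
        "operation_type": "payment",
        "amount": amount,
        "currency": currency,
        "customer": customer,
        "payment_method": {"type": "CARD", **card},
        "client_reference": client_reference,
        "return_url": return_url,
    }


def redact_for_logging(payload: dict) -> dict:
    """Deep copy of the request that is safe to log or store: the PAN is
    masked to first 6 / last 4 and the CVV is removed entirely."""
    safe = json.loads(json.dumps(payload))
    pm = safe.get("payment_method", {})
    pan = pm.get("card_number")
    if pan and len(pan) >= 10:
        pm["card_number"] = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    pm.pop("cvv", None)
    return safe


def send_payment(api_key: str, payload: dict, url: str = SANDBOX_URL,
                 transport: Optional[Callable[[urllib.request.Request],
                                              bytes]] = None) -> dict:
    """POST the payload. `transport` is a hypothetical hook that lets tests
    inject a canned response; when None the real endpoint is called."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=build_headers(api_key),
                                 method="POST")
    if transport is None:
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
    else:
        raw = transport(req)
    return json.loads(raw)


def next_step(response: dict) -> dict:
    """Map the documented status values and next_action to the integrator's
    next move. A Pending response with a redirect means the shopper must
    complete 3DS; the order is not paid until the verify URL confirms it."""
    status = response.get("status")
    redirect = (response.get("next_action") or {}).get("redirect_to_url")
    if status == "Pending" and redirect:
        return {"action": "redirect", "url": redirect["url"],
                "verify": redirect["verify_transaction_status_url"]}
    if status == "Pending":
        return {"action": "poll", "id": response.get("id")}
    if status == "Success":
        return {"action": "fulfil", "id": response.get("id")}
    if status in ("Failed", "Cancelled"):
        return {"action": "abort", "reason": status}
    return {"action": "unknown", "status": status}


# Constructed sample response, copied from the shape shown in the docs.
SAMPLE_RESPONSE = json.dumps({
    "amount": 150, "client_reference": "order-789", "currency": "MXN",
    "id": "2fd6a7fa-2997-434d-a8e0-1128cf7d00a3",
    "next_action": {"redirect_to_url": {
        "return_url": "https://mystore.com/payment/return?tndr_payment_id=45396",
        "url": "https://sandbox.cardpay.com/MI/payments/redirect?token=9e53b5de",
        "verify_transaction_status_url":
            "/transactions/2fd6a7fa-2997-434d-a8e0-1128cf7d00a3/"}},
    "operation_type": "payment", "payment_id": 45396, "provider": "tonder",
    "status": "Pending", "status_code": 201, "transaction_id": 8707,
}).encode()

if __name__ == "__main__":
    payload = build_payment(
        150.00, "MXN",
        {"name": "Ana María Rodríguez", "email": "ana.rodriguez@email.com"},
        {"card_number": "4444444444444455", "cardholder_name": "Ana María Rodríguez",
         "cvv": "123", "expiration_year": "26", "expiration_month": "07"},
        "order-789", "https://mystore.com/payment/return")
    print(json.dumps(redact_for_logging(payload), indent=2))  # log-safe copy
    resp = send_payment("YOUR_API_KEY", payload, transport=lambda r: SAMPLE_RESPONSE)
    print(next_step(resp))
```

Only the redacted copy should ever reach application logs, error trackers or audit trails; the unredacted payload exists solely in memory for the duration of the POST.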

PCI Compliance Requirements

When processing raw card data, you must maintain full PCI DSS Level 1 compliance. This section provides the essential requirements and best practices to ensure secure card data handling.

When to Use PCI Compliant Processing

This section explains when PCI compliant processing is recommended and when it is not. Use the information below to decide if this is the best approach for your business.

Comparison with Tokenized Processing

The table below compares PCI compliant processing with tokenized processing:
Aspect                     PCI Compliant Processing          Tokenized Processing
------------------------   -------------------------------   -------------------------------------
API Calls                  1 step (direct process)           3 steps (auth → tokenize → process)
PCI Compliance             Full PCI DSS Level 1 required     Not required for merchant
Integration Complexity     Lower (single endpoint)           Higher (multiple endpoints)
Latency                    Lower (direct processing)         Higher (additional API calls)
Security Responsibility    Merchant responsibility           Handled by Tonder/Skyflow
Maintenance Cost           Higher (compliance audits)        Lower

Important PCI Compliance Notes

  • Only use this approach if you are fully PCI DSS Level 1 compliant
  • Raw card data must be handled securely throughout your entire system
  • All PCI DSS requirements apply to your infrastructure and processes
  • Regular compliance audits are required

Next Steps