A journey in ProcessOut's flight journal

Credit Card Vaulting: Advantages & Ways to Do It

by Louis-Paul Dareau on

Leading online platforms use a technique called credit card vaulting. Vaulting consists in storing your customers’ credit cards outside of your payment provider, with a special provider called a credit card vault. Benefits include better management of data security concerns, reduced PCI compliance scope, and full payment provider independence.

First up, let’s talk about tokenization: it’s the technology behind credit card vaults. Tokenization turns a piece of information, such as a card number, into an opaque token. The token can be stored anywhere, along with less sensitive data; the corresponding card data is only looked up when required—for example, to process a payment. In the case of data exposure, the token by itself is useless without access to the vault.

Where to store cards

Storing credit cards is subject to three key requirements: security, reliability, and PCI DSS compliance. Strong data protection and compliance with PCI DSS are key concerns: data exposures lead to privacy violations (GDPR, CCPA), and card networks can levy fines of up to $500k in case of a security incident. Finally, your customers expect your business to be online and ready to process orders all the time, which means near-perfect uptime.

With these constraints in mind, there are three places where you can store card data:

  • In your own infrastructure: it is possible to build and run your own card data management infrastructure within your business. Flexibility to control payments is high, but so is the security liability, and the costs of maintenance and compliance. This pattern is mostly seen from very large players with legacy order processing infrastructure and the associated PCI DSS certifications.
  • At a payment service provider: this is the simplest option; most providers will take over PCI DSS requirements for you and reduce your compliance scope. You will also benefit from their scale in terms of reliability and security. However, cards tokenized with one provider are hard to get back: there is typically no way of retrieving card data at all, except from requesting a data export and completely leaving the service.
  • With a third-party vault: This option allows you to achieve the best of both worlds: the full flexibility to work with any payment provider you want, and the security and cost-efficiency of a large-scale service. Note that there are also drawbacks to vaulting: adding another type of provider can increase complexity if it is not strictly necessary.

Vaulting cards with a third-party service makes the most sense for large merchants or fast-growing companies. Smaller e-commerce websites can also benefit from using a credit card vault to future-proof their payments, but it’s important to keep in mind that there is an overhead in adding an additional provider.

From our observations, modern payment infrastructures are consistently underpinned by a centralized credit card vault, which distributes card data to other providers on an as-needed basis.

Scaling with a credit card vault

A vault lets you collect card details from your customers with one integration in your checkout flow. From here, it’s possible to process transactions with any provider you want, which is the most effective way to improve approval ratios and card fees.

Your vault will likely support at least one of two models:

  • Proxy model: this passthrough system lets you use your existing integrations or write new ones.
    Requests to your PSP go through the vault, which adds the card data for you, and returns the response. This is great if you already have the integrations you need working; however, for new integrations, you may need to write them yourself.
  • Unified model: the vault offers an API, similarly to a PSP.
    Internally, your requests are translated to use the format of the provider you want to use. The data model is the same, no matter which third-parties you work with. This method greatly simplifies the integration and maintenance experience, but you need to rely on the provider’s existing integrations.

In any case, if you wish to rely on multiple payment providers, you will need to pick new PSPs and open merchant accounts. Providers generally perform better in specific regions or have a preferred level of risk for transactions. Our merchants start with their existing, legacy payment provider, and from there expand to add more coverage and diversity.

Having more than one provider used to be all about basic routing strategies, such as load balancing (making sure to have enough processing capacity) or failover (switching over to another provider when the main one is down). High-traffic e-commerce websites tend to be more sophisticated today, with performance-oriented or cost-optimizing strategies. Payments teams rely on transaction analysis to understand which categories of payments fail more frequently, or which credit cards cost more to process. With this information, they can A/B test new routes and measure their impact on payment performance indicators (special mention to Telescope which helps with this).

Tight integration with a single payment provider generates deep lock-in with the PSP’s proprietary API and their data model. This is at odds with modern payment strategies, which use the best provider for each transaction profile. Credit card vaults are an effective abstraction layer that enables the growth of payment infrastructures, and let you scale from one provider to dozens, seamlessly.

How to choose your credit card vault

When choosing a credit card vault, in addition to the basic PCI compliance requirement, we advise that you understand how easy the integration is, to look at the historical uptime of the service, and understand the data migration policies.

There are generally two parts to a card vault’s integration: the front-end, which is the checkout flow that your customers use to enter their details and pay, and the back-end, where code actually triggers payments. The front-end should be easy to customize to your match your brand; the back-end integration should be simple and well-documented.

Uptime is a good way to check whether a service is actually reliable. We suggest you ask for numbers and historical uptime. There are no hard rules, and everyone has bad days, but 99.99% of availability (≤4m20s minutes of downtime per month) is decent. Good to know: some providers can offer a Service Level Agreement (SLA), which puts uptime guarantees in a contract.

The migration process for importing data typically works like this: ask your current payment provider for an export to your new vault. The vault service will send details to verify their identity and make the transfer securely. Your old provider will make an export and send it directly to your vault, to maintain PCI compliance. The vault will then import the file from the PSP and make your cards available.

Make sure that your provider allows exports: they generally offer one or several free flat-file data exports to other third-parties; this is a manual process. For a belt-and-suspenders approach, look for providers with a raw card data API, which will allow you to retrieve and manipulate your vault’s data, should you decide to pass PCI DSS in the future.

If you are interested in scaling up your payment infrastructure, take a look at ProcessOut! We let you not only vault your card data in one place, but also automatically route payments to the best of dozens of providers, with a single API and analytics/reconciliation dashboard.