Skip to content

    Storing Credit Cards: Outsource a Solution, or Build?

    Blog header with article title

    Learn the core concepts, efforts, and trade-offs between building or buying a cardholder data environment (CDE). 

    Whether you’re looking to simply accept or issue credit cards in-app or do something more complex, like split payments and implement multi-processor routing, understanding the level of effort to store your cardholder data (CHD) is a critical step to picking which path—in-house or outsourced—is right for you. In this blog series, we’ll provide a side-by-side comparison of both.

    This post provides a high-level overview of the two routes, but you can find more detail on the two solutions in the follow-up pieces:

    Build or Buy a CDE: Key Concepts 

    In previous posts, we defined a cardholder data environment (CDE) and its purpose. We then went in-depth on the two primary options for collecting and securing these credit and debit card details: building and maintaining a PCI CDE and program vs. using third-party CDE service providers. In this blog, we’ll tie it all together to offer a top-line view of each, as well as some tips to guide internal discussions at your organization.

    Before we jump in, it’s probably helpful to revisit some key terms used in this document.  

    • Payment Card Industry Data Security Standard (PCI DSS) is a set of over 300 controls that protect cardholder data and the larger payments ecosystem. You must comply with these standards if you’re processing or issuing payments. Learn more about PCI DSS and its requirements
    • Tokenization platforms provide the core infrastructure to secure, collect, and use cardholder data without card acquiring or issuing services. Organizations use this approach to receive more flexibility without increasing their PCI compliance scope (e.g., process or issue cards with multiple providers, share cardholder data with partners, and more). Learn more about tokenization.
    • Scope refers to the collection of people, processes, and systems used by organizations to secure, transmit, or process cardholder data. Items “in scope” must comply with the 300+ PCI DSS requirements. 
    • Attestation refers to validating the controls required by PCI DSS. Generally speaking, these audits are conducted annually as a Self-Assessment Questionnaire (SAQ) for organizations processing less than 6 million transactions. Merchants processing over 6 million must use an independent Qualified Security Assessor (QSA) or Internal Security Assessor (ISA).

    Build or Outsource: PCI Compliance Considerations for CDEs

    The following comparison is meant to aid internal discussions with your team. As always, PCI is very nuanced and specific to your implementation, so be sure to reach out to us in our Slack Community or contact us if you have any questions. 





      Card or Payment Service Provider  Tokenization Service Provider
    Compliance scope & system impact Offloads up to 93% of compliance requirements
    May use SAQ A or SAQ A-EP to audit
    Same as card issuer or payment service provider Assumes 100% burden of implementing, maintaining, and proving compliance
    Must assess using an SAQ D or ROC
    Service providers offer services and infrastructure so that most organizations may use the smallest Self-Assessment Questionnaire (SAQ A)
    Data portability & usability Token works only with card issuer or payment service provider
    Cannot share cardholder data with third parties
    • Send data to third parties
    • Search, transform, & control access to data
    • No vendor lock-in
    • Useful with various data types
    Complete control over cardholder environment and data
    Risk of decentralizing data
    Building your own solution gives you complete control over your cardholder data, but tokenization service providers can also provide similar capabilities with less complexity, cost, and overhead.
    Time to Go-Live Deploys compliant solutions in hours; SAQ A assessment takes hours Same as card issuer or payment service provider 4-9 months to implement and assess Service providers offer existing PCI-compliant infrastructure and out-of-the-box tools that accelerate development.
    Cost Costs are lumped into usage-based transaction fees; Volume-based discounts are available Costs range from per-interaction to monthly active tokens
    Does not include processing fees
    Costs to implement, assess, and maintain CDE and PCI program range from $145,000-$500,000
    Does not include processing fees
    Card issuers and service providers are cost-effective for straightforward card acceptance.
    Use tokenization service providers if you expect to switch vendors, optimize payments, or send data to third parties.
    Compliance and security management Maintains security and compliance infrastructure on behalf of customers Same as card issuer or payment service provider Requires prioritization of security and compliance updates Service providers manage infrastructure, allowing teams to focus roadmaps on differentiating their core products or services.
    Developer experience Clean developer docs, modern SDKs, and guides
    Built-in guardrails for building compliant payment workflows
    Same as card issuer or payment service provider
    Provide guardrails for other types of sensitive data
    Must create docs, guides, and SDKs to support developer adoption and use Service providers provide modern developer patterns, tools, and services that streamline development, eliminate compliance bottlenecks, and promote adherence.

    Choosing Which PCI Compliance Approach is Best for You

    To help put these perspectives to work, here are a few lightweight exercises we’ve seen help customers evaluate which option is right for them. 

    • Map your system. How is card data collected (or will it be collected)? How is it used by other processes and users in the organization? Map a typical use case end-to-end. Socialize the diagram to add details where gaps exist and build buy-in with stakeholders.
    • Identify needs. Label internal and external pain and gains along the diagram. Separately, track new use cases and their requisite capabilities.
    • Identify your objectives. Bucket your pains, gains, and desired capabilities by their business impact, like improving auth rates, eliminating compliance bottlenecks, or driving revenues from partnerships. Split these into timeline horizons (i.e., now, next, later) to help drive priority and alignment internally.
    • Estimate ROI. Estimate or assume ROI requirements for each horizon. Use existing data and industry benchmarks. Don’t perfect this. Instead, get lose cost-benefit model and a list of assumptions that you can use to drive clarity with stakeholders and service providers. (Fastest way to get an answer is to throw out the wrong one!)
    • Get perspective. Use your map and business objectives to engage your network or investors to find individuals who have done something similar. Get their opinion.
    • Timebox proof of concept. Scope a narrow use case with limited acceptance criteria and build a low-fi working prototype to assess effort. For example, we created a PCI Blueprint that will allow you to collect, store, and transmit cardholder details in less than 5 minutes. 

    Next Steps: Review Your Options

    Continue reading the series to learn more about the ways you can best secure cardholder data through an in-house or outsourced CDE.

    Are you interested in learning more about storing credit card information? We’d love to hear from you! Take a look at our developer docs or talk to one of our payments experts

    Subscribe to the Blog

    Receive the latest updates straight to your inbox