Credit card tokenization is an advanced technique designed to protect sensitive cardholder data...
Credit Card Vaulting Services: Overview and Benefits
A credit card vaulting service is a third-party provider that stores, protects, and provides access to cardholder data on behalf of merchants. Using a credit card vaulting service allows a merchant to retain access to cardholder data - vital for smoothing the path to customers making ongoing purchases and payments - without the cost of maintaining its own PCI-DSS Level 1 payment environment. Additionally, the credit card vaulting provider serves the merchant, not a particular processor, so the stored information can be transmitted to whatever payment destination the merchant chooses, eliminating the risk of lock-in.
Key Technology Enabling Credit Card Vaulting
Tokenization is the special sauce that allows credit card vaulting providers to offer a safe, secure, and flexible service. Merchants set up their cardholder data collection forms to deliver the customer's information directly to the card vault; the merchant itself receives only a token, a specially generated string that the vault can use to recall the correct customer data.
Unlike with encryption - where secured data can be unsecured by anyone holding the decryption key - tokenization ensures the absolute security of the cardholder data, because the token is a reference generated independently of the card data, not a transformation of it, so there is no way to reverse-engineer the underlying information from the token. When the merchant is ready to transmit the data to a payment processor to complete a transaction, it must satisfy rigorous security protocols to connect to the vault, then supply the token along with instructions on what action to take with the information. This multi-layer security model ensures that the underlying data is fully protected.
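The flow described above, as an added example that is not code from the original page or from any vaulting vendor: a toy vault that hands the merchant a random token, keeps the card data on its own side, and forwards it to whichever processor the authenticated merchant names. The card number, the API key and the processor names are constructed sample values.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample card: a well-known test number, not a real account.
SAMPLE_CARD = {"pan": "4111111111111111", "exp": "12/29", "name": "A. Customer"}


@dataclass
class CardVault:
    """Toy model of a third-party card vault (hypothetical; not any vendor's API)."""
    api_keys: set
    _store: dict = field(default_factory=dict)

    def tokenize(self, card: dict) -> str:
        """Card data arrives straight from the customer's form. The token is drawn
        from a CSPRNG, so it is not a transform of the PAN and no key can undo it."""
        token = "tok_" + secrets.token_urlsafe(24)
        self._store[token] = dict(card)
        return token

    def forward(self, api_key: str, token: str, destination: str, amount: int) -> dict:
        """The merchant authenticates, presents the token and an instruction, and the
        vault sends the card data to the chosen processor. Only a masked PAN comes back."""
        if api_key not in self.api_keys:
            raise PermissionError("vault authentication failed")
        card = self._store.get(token)
        if card is None:
            raise KeyError("unknown token")
        # Simulated processor call; the full PAN never leaves the vault toward the merchant.
        return {"processor": destination, "amount": amount,
                "last4": card["pan"][-4:], "status": "sent"}


def merchant_flow(vault: CardVault, api_key: str):
    """Merchant side: store only the token, then charge via two different processors."""
    token = vault.tokenize(SAMPLE_CARD)           # in practice the form posts to the vault
    merchant_db = {"customer_42": {"card_token": token}}  # no PAN in the merchant's records
    first = vault.forward(api_key, token, "processor_A", 1999)
    second = vault.forward(api_key, token, "processor_B", 500)  # same token, other processor
    return merchant_db, first, second


def attempt_forward(vault: CardVault, api_key: str, token: str) -> str:
    """Outcome label for a forward request, used to show the vault's access checks."""
    try:
        vault.forward(api_key, token, "processor_A", 1)
        return "ok"
    except PermissionError:
        return "denied"
    except KeyError:
        return "unknown token"
```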
Key Benefits of Credit Card Vaulting
There are two key benefits to vaulting credit card data with a third-party provider:
- Reduce the cost of regulatory compliance: credit card vaulting service providers like Basis Theory maintain a PCI-DSS Level 1 environment, delivering fully-audited and approved protection for all the cardholder data they hold. They also eliminate the need for the merchant to hold any data that would come under the authority of PCI DSS in their own system, thus keeping the majority of the merchant’s environment out of scope. As a result, merchants using credit card vaulting services are able to complete as much as 95% of their PCI-DSS regulatory compliance work in just a few minutes.
- Reduce the risk of processor lock-in: many full-service payment service providers (PSPs), and even more flexible payment gateways, offer card vaulting as part of their overall service portfolio. However, when PSPs hold the cardholder data, they will generally use it only to process payments through their own network. As a result, a merchant that decides to add automation and alternative processing partners to their payment systems may find themselves unable to transmit stored customer information to those other PSPs. This results in a need to either stick to the original PSP, or to ask customers to enter their card data again - an extra step that can have a measurable negative impact on transaction volume.
Keeping compliance costs down, and reducing the fees associated with more complex payment processing (cross-border, high-risk, etc.), can have a significant impact on the margin calculations for a business: the average merchant pays between 1.5% and 4.5% in processing fees, and being toward the lower end rather than the higher end can be the deciding factor in achieving reliable profitability.
Risks with Credit Card Vaulting
While your third-party credit card vaulting provider protects you from lock-in with a single PSP, allowing you the flexibility to automate and arbitrage your whole payment processing system, your cardholder data does, of course, still sit in the infrastructure of a third party. Logically, then, the lock-in risk has been handed off from one provider to the next. This is why it is vital to ensure that the credit card vaulting partner has a strong, written commitment to transferring the stored data to another location on request.
In principle, the only other significant risk would be a successful exploit against the credit card vaulting provider. It is, thus, crucial to ensure that any partner is:
- PCI-DSS Level 1 certified
- SOC 2 Type II certified
- HIPAA compliant
- ISO 27001 certified
While no certification can guarantee a hack-free experience, the greater (and better-documented!) a provider’s commitment to compliance, the lower the overall risk.