Migrating Credit Card Data on Your Timeline
Certain words can trigger a reaction in the world of payments:
- Chargeback (grimace)
- Decline (Ouch)
- Authorization (Revenue!)
But what word may give a payments engineer and product leader the most agita?
Migration.
When we talk about migrations, we’re referring to the process of moving credit card data out of third-party storage, such as a payment service provider (PSP), and into your own custody. And, unfortunately, until your organization owns the payment data that customers generate, a payment stack remains incomplete.
But when PSPs capture and store this type of data on your behalf, getting ownership and full custody requires a data migration.
What type of data can be migrated and why?
Migrating payment data from a PSP can happen for any number of reasons:
- The PSP contract is expiring.
- Rate renegotiation.
- Desire to consolidate data and retain ownership.
Whatever the reason, the migration process should ensure that existing card data is migrated and mapped correctly to minimize the PCI scope.
Credit card data is the most valuable information to migrate and maintain within a token vault due to its impact on PCI compliance. However, specific payment credentials, BIN data, and bank transfer data, such as account and routing numbers, can also be migrated, tokenized, and vaulted. Personally identifiable information (PII) and Know Your Customer (KYC) data can also be migrated. This is a much rarer occurrence because PII is not subject to PCI DSS.
However, you can meet KYC requirements without PCI scope.
Kicking Off the Migration Process
A migration kick-off is cause for celebration.
Before starting the migration process, it is essential to have the following in place:
- A member of the migration team with an understanding of the existing payment integration.
- An identified account owner, as well as authorized signers at your organization, for the payment processor.
- Documentation or descriptions of the outputs from a data migration from your payment processor.
- The requirements your payment processor has for any party receiving card data.
Once you have a clear understanding of the migration process, it's time to initiate the actual migration between the PSP and Basis Theory. As a customer of Basis Theory, the primary action is to introduce our team of payment engineers to your PSP. From there, the Basis Theory team coordinates directly with them to handle the secure data transfer, compliance documentation, and deduplication.
Other necessary steps to kick off the migration process smoothly:
- Contacting the Payment Processor: Nothing is more important than beginning the migration. Reach out to the account owners or authorized signers in your organization. They hold the authority to initiate the process on your behalf. Depending on the payment processor, there are different methods to initiate the migration, such as submitting a support ticket or sending a signed letter to a designated email address. To assist you in this process, Basis Theory provides a template and guidelines that you can use to communicate effectively with the payment processor. This ensures that all necessary information is provided clearly and concisely.
- Requirements from the Payment Processor: The payment processor may have specific requirements that need to be fulfilled by the receiving party. These requirements are put in place to ensure a secure and compliant migration process. They may include requiring the receiving party to be PCI Level 1 compliant, sharing an Attestation of Compliance (AOC) with the payment processor, or being listed in the Visa Service Provider (SP) Listing. Compliance with these requirements helps maintain the integrity and security of the data during the migration.
- Sharing Public Key: As part of the secure data transmission process, the payment processor may require the public key from the receiver. The public key establishes a secure and encrypted channel for data transfer. You can find Basis Theory's public key here. Sharing this public key with the payment processor protects data during transit.
By following these steps and fulfilling the requirements, you can initiate the migration process smoothly and establish a strong foundation for a successful data transfer.
Maintaining open lines of communication with the payment processor throughout the process is crucial, ensuring any queries or concerns are addressed promptly. Basis Theory's template and guidelines can help you communicate effectively with the payment processor, providing a seamless data transition.
Data Export and Transmission
Once the migration process is initiated, the next crucial step is to export and transmit the data from your current PSP to Basis Theory.
Understanding the data export format and ensuring secure transmission are vital for a successful migration.
- Data Export Format: Typically, payment processors provide the exported data in standard formats such as CSV (Comma-Separated Values) or JSONL (JSON Lines). If you are given the choice, Basis Theory prefers CSV files. These formats facilitate easy parsing and handling of the data. When you communicate with your payment processor, they may share the file headers, which provide valuable information about the structure and content of the exported data. Understanding the data export format and file headers is crucial for effectively processing the data during the migration.
- Processor Documentation: Some payment processors may publicly document the data export format and provide guidelines or resources to help you understand the exported data structure. This documentation can be immensely valuable in ensuring a smooth transition. If such documentation is available, review it thoroughly to gain insights into the data you will be receiving.
- Data Transmission Standards: The payment processor will have specific data transmission standards you must adhere to. The most common standard is Secure File Transfer Protocol (SFTP), which provides a secure and encrypted channel for transmitting data. By convention, and as a courtesy, the receiving party provides the SFTP server.
Every PSP has its own way of, and preference for, structuring and transmitting data. We’ve seen them all at Basis Theory, and it’s our job to make this easy for our customers. Whether the PSP supports SFTP, HTTPS, or a proprietary standard, Basis Theory is able to adapt to their standards.
All we care about is that the file is in a healthy, readable format.
By familiarizing yourself with the data export format, leveraging any available documentation, and coordinating with the receiving party regarding data transmission standards, you can ensure a seamless and secure transfer of your credit card data.
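A pre-flight check of a CSV export against its agreed headers, as an added example that is not Basis Theory's or any processor's code. The column names and the sample rows are assumptions; the report holds only line numbers, so no PAN ends up in logs or tickets.

```python
import csv
import io
from datetime import date

# Assumed column names; a real export uses the headers the processor documents.
REQUIRED = {"customer_id", "card_number", "exp_month", "exp_year"}

def luhn_ok(pan: str) -> bool:
    """Luhn checksum over an ASCII digit string of 13 to 19 digits."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    digits = [int(c) for c in reversed(pan)]
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[1::2]]
    return (sum(digits[0::2]) + sum(doubled)) % 10 == 0

def preflight(csv_text: str, today: date) -> dict:
    """Validate an export; the report references rows by line number only."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"missing columns: {sorted(missing)}")
    report = {"rows": 0, "bad_pan": [], "expired": [], "duplicate_id": []}
    seen_ids = set()
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        report["rows"] += 1
        pan = row["card_number"].replace(" ", "")
        if not luhn_ok(pan):
            report["bad_pan"].append(line_no)
        try:
            exp = (int(row["exp_year"]), int(row["exp_month"]))
        except ValueError:
            exp = (0, 0)  # unparseable expiry is reported as expired
        if exp < (today.year, today.month):
            report["expired"].append(line_no)
        if row["customer_id"] in seen_ids:
            report["duplicate_id"].append(line_no)
        seen_ids.add(row["customer_id"])
    return report

# Constructed sample built from public test card numbers, not real cardholder data.
SAMPLE = """customer_id,card_number,exp_month,exp_year
cus_001,4242424242424242,12,2030
cus_002,4111 1111 1111 1112,01,2031
cus_003,5555555555554444,03,2020
cus_001,4111111111111111,07,2029
"""

if __name__ == "__main__":
    print(preflight(SAMPLE, date(2025, 1, 1)))
```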
Timelines, Test Runs, and Costs
The timing is entirely in the customer's hands.
As you progress with migrating your credit card data, it is essential to consider timelines, conduct test runs, and be mindful of associated costs.
- Timelines: Different payment processors may have varying timelines for providing the exported data. It is crucial to understand the processor's expected timeframe and plan accordingly. Clear communication with the payment processor can help you anticipate when you can expect to receive the data and make necessary arrangements on your end. By aligning your internal timelines with the processor's schedule, you can ensure a seamless transition without disruptions to your business operations.
- Test Runs: Performing a test run with a subset of the cardholder data is highly recommended to verify the effectiveness of the migration process. Basis Theory offers a PCI-compliant temporary server for this purpose. By running a test migration using either a subset of actual cardholder data, or synthetic data, you can identify any potential issues or discrepancies early on. This allows you to address them before migrating the complete dataset. Test runs are crucial for validating the migration process and ensuring the accuracy and integrity of the data transferred.
- Cost Considerations: It is important to be aware of any costs associated with the migration process. While some payment processors may offer the initial migration for free, additional migrations or exceeding certain thresholds may incur charges. To understand the cost structure and estimate the potential expenses involved, it is advisable to consult with your Account Manager at Basis Theory. They can provide you with detailed information about the costs associated with the migration and help you plan accordingly.
By carefully considering timelines, conducting test runs, and being aware of potential costs, you can effectively manage the migration process. Aligning your expectations with the payment processor's timeline, performing thorough test runs, and obtaining clarity on costs will contribute to a successful and cost-efficient migration to Basis Theory.
Results and Data Handling
Upon completing the migration process of your credit card data, it is important to understand the results and how the data will be handled in your new environment.
- Tokenization of Card Data: The primary goal of the migration process is to securely tokenize the credit card data. Tokenization replaces sensitive card data, such as Primary Account Numbers (PANs), with unique tokens. These tokens are used to securely represent the original card data. The tokenization process ensures that sensitive card information is protected, reducing the risk of data breaches.
- Resulting File: After the migration process, a resulting file containing the tokenized card data will be generated. This file will serve as the basis for future processing and transactions. It is essential to have a clear understanding of the structure and format of this resulting file to ensure efficient integration with your systems and applications that rely on the tokenized card data.
- Handling Personally Identifiable Information (PII): While PANs are stored as card data and tokenized, handling other personally identifiable information (PII) can be more flexible. Depending on your specific requirements and compliance regulations, you can choose to tokenize or store PII data in the Basis Theory environment or your application database. Basis Theory offers the option to store PII data in its vault, allowing you to map the appropriate identifiers to the corresponding tokens securely.
- Portability and Aliasing: Portability is a crucial aspect of data handling during the migration process. Basis Theory lets you use the account identifier (e.g., customer profile ID) from your payment service provider (PSP) as the token ID. This lets you retrieve and use the appropriate tokens when needed while keeping the original reference in your system, ensuring seamless integration and consistent data mapping.
By understanding the tokenization process, establishing a well-defined file structure, and making informed decisions about handling PII, you can confidently transfer your credit card data to the Basis Theory environment. Leveraging portability and Alias functionality further enhances data integration, simplifying the process of maintaining data consistency and traceability.
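Tokenization with the PSP identifier as the token ID, together with deduplication, sketched as an added example. `ToyVault`, its methods, and the field names are hypothetical stand-ins, not Basis Theory's API, and the export rows are constructed.

```python
import hashlib
import hmac
import secrets

class ToyVault:
    """In-memory stand-in for a token vault (hypothetical, for illustration)."""

    def __init__(self, fingerprint_key: bytes):
        self._key = fingerprint_key
        self._cards = {}           # token id -> card record; never leaves the vault
        self._by_fingerprint = {}  # PAN fingerprint -> first token id seen

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: equal PANs match for deduplication, but the value
        # cannot be brute-forced back to a PAN without the vault's key.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, alias: str, pan: str, exp: str) -> dict:
        """Store the card under the PSP's identifier and return a PAN-free row."""
        if alias in self._cards:
            raise KeyError(f"token id already in use: {alias}")
        fp = self._fingerprint(pan)
        first = self._by_fingerprint.setdefault(fp, alias)
        self._cards[alias] = {"pan": pan, "exp": exp}
        return {"token_id": alias, "bin": pan[:6], "last4": pan[-4:],
                "exp": exp, "fingerprint": fp,
                "duplicate_of": None if first == alias else first}

def migrate(rows, vault):
    """Build the resulting mapping file; no full PAN appears in it."""
    return [vault.tokenize(r["customer_id"], r["card_number"], r["exp"]) for r in rows]

# Constructed export rows using public test card numbers.
EXPORT = [
    {"customer_id": "cus_001", "card_number": "4242424242424242", "exp": "12/2030"},
    {"customer_id": "cus_002", "card_number": "5555555555554444", "exp": "03/2029"},
    {"customer_id": "cus_003", "card_number": "4242424242424242", "exp": "12/2030"},
]

if __name__ == "__main__":
    for row in migrate(EXPORT, ToyVault(secrets.token_bytes(32))):
        print(row)
```

Because the token ID equals the PSP's customer profile ID, application records that reference `cus_001` keep working after the migration without a lookup table.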
Throughout this guide, we have explored the essential elements and best practices involved in the migration process.
By extracting all card data and stored personally identifiable information (PII) from your current payment provider and tokenizing the card data in a third-party vault, you ensure the utmost security and compliance for your customers' sensitive information.
Timelines, test runs, and cost considerations are vital for a successful migration. By aligning your timelines with the payment processor's expectations, conducting test runs with subsets of cardholder data, and being aware of any associated costs, you can ensure a smooth transition without disruptions to your business operations.
A migration with Basis Theory isn’t just about moving data; it’s about gaining control and flexibility across your payments stack. Once the time is right, our team handles the coordination, communication, and execution of getting your data back to you.
Your payment stack is not complete until you own your data. We are here to make that process very simple.
Follow along with this documentation to get started.