
    What Is the Best Payment Vault for a SaaS Billing Platform?


    Every merchant must establish a payment system, allowing their customers to buy using the payment method of their choice. Where once upon a time it was sufficient to simply accept a payment then ship a product, most merchants must now take into account subscription billing (allowing them to price their products on a monthly, quarterly, or annual basis), as well as saving payment information for re-use for repeat customers.

    Both of these use cases require customer personally identifiable information (PII) to be stored securely, which brings significant headaches and cost in maintaining PCI-DSS compliance. That is why merchants are increasingly using vaults to increase security, reduce processing fees, and curtail compliance costs.

    What is a payment vault for SaaS companies?

    For the majority of software-as-a-service (SaaS) companies, a ‘vault’ is a third-party tokenization provider that collects and securely stores customer payment details and makes them available for the merchant to reuse in the future. This matters even more to a vertical SaaS platform embedding payments. Instead of bringing payment details into its own systems in plain text, the platform receives a token: a unique identifier for the stored record that cannot be decrypted or otherwise converted back into the underlying data. Your customers expect billing to just work, regardless of which downstream processor is being used.

    This tokenization process is more secure than encryption, because an encrypted value can be reverted to plain text by anyone who obtains the encryption key, or who has enough computing power to brute-force it. A token, by contrast, is not derived from the card data at all, so there is no key to steal or crack.
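    The following is an added illustration, not code from the original page or from Basis Theory, showing the tokenization flow described above: a constructed, hypothetical vault holds the card number, the merchant keeps only a random token, and the vault forwards the card data to whichever processor the merchant chooses. The vault class, the stand-in processors and the test card number are all assumptions made for the example.

```python
import secrets

class TokenVault:
    """Constructed, hypothetical tokenization vault (not a real vendor API).

    Raw card numbers live only inside the vault. The merchant's systems
    receive an opaque random token and never handle the PAN again; when a
    charge is needed the vault itself forwards the PAN to the processor.
    """

    def __init__(self):
        self._store = {}          # token -> PAN; exists only inside the vault

    def tokenize(self, pan):
        # The token is random, not derived from the PAN, so there is no key
        # that could turn it back into card data (unlike an encrypted value).
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def forward(self, token, processor):
        # Detokenization happens here, never in merchant code.
        pan = self._store[token]      # KeyError for unknown or foreign tokens
        return processor(pan)


def mask(pan):
    """Return the PAN with all but the last four digits masked."""
    return "*" * (len(pan) - 4) + pan[-4:]

# Two constructed stand-in processors; the same token can be routed to either.
def processor_a(pan):
    return {"processor": "A", "charged": mask(pan)}

def processor_b(pan):
    return {"processor": "B", "charged": mask(pan)}


def onboard_customer(vault, pan):
    """Merchant-side: store only the token, keeping the PAN out of scope."""
    return {"customer_id": "cust_demo", "payment_token": vault.tokenize(pan)}

def charge_customer(vault, record, processor):
    """Merchant-side: charge via the vault without ever seeing the PAN."""
    return vault.forward(record["payment_token"], processor)


if __name__ == "__main__":
    vault = TokenVault()
    record = onboard_customer(vault, "4111111111111111")   # constructed test PAN
    print(record)                                           # token only, no PAN
    print(charge_customer(vault, record, processor_a))
    print(charge_customer(vault, record, processor_b))      # rerouted, same token
```

    The merchant record never contains the PAN, and switching processors is a routing decision inside the vault rather than a re-collection of card data.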

    That said, other entities offer vaults, including:

    • Merchants working with a full-service provider, such as Stripe, can use their partner’s proprietary vault, which allows for secure storage and re-use, while delivering on the promise of lower PCI-DSS costs. However, the payment service provider (PSP) token can be used only with that specific PSP, meaning the merchant cannot transfer the customer data to an alternative provider if they decide to go multi-processor.
    • A merchant can create their own vault, with full tokenization, separating the parts of the system that can ‘see’ customer data in plain text from those that can’t. While this eliminates the cost of partnering with a third party, it moves more of the merchant’s payment system into PCI-DSS scope.
    • The card networks can provide merchant-specific tokens, which allow the merchant to re-charge customer accounts while reducing the risk of fraud (as the token can be used only by the merchant to whom it was assigned).


    Do merchants need a payment vault for SaaS billing? 

    At a technical level, merchants do not actually require a vault for SaaS billing, as they can simply contract with a single PSP and use its services to securely collect and store customer information for later re-use. Indeed, a merchant can use multiple PSPs and simply collect customer payment information themselves, then send it to their preferred downstream processor as they choose.

    However, each of these scenarios bears significant risks:

    • The PSP-provided vault services are proprietary to the provider. As a merchant grows, it cannot rely on being able to use the information stored with that PSP anywhere else.
    • Storing PII inside their own systems may bring the merchant’s whole payments mechanism into PCI-DSS scope, incurring substantial risk and cost.

    The bottom line is that for single-PSP merchants, an independent vault may not be necessary in the early going. But to scale, the vault is at a minimum recommended, if not strictly required.


    Are there downsides to using a payment vault for SaaS billing? 

    As the payments environment has become more complex and competitive, most merchants have found that using more than one PSP is a necessary strategic move: it helps them manage cost, risk, and transaction success rates. While using a vault offsets many of the risks in transacting with multiple downstream partners, there are some key considerations:

    • Using a vault, once it is set up and running, is remarkably low-effort, but the initial implementation does require some forethought and effort. Finding a vaulting partner who can help implement the vault quickly and economically is vital.
    • Just as a full-service PSP may insist on ‘owning’ collected customer PII, forcing the merchant to stay with that vault provider, a predatory vault provider may seek to hold onto merchant-collected data. Merchants should always ensure, prior to implementing a vault solution, that they will be able to reclaim their data if they choose to switch provider.
    • While the vault takes on the responsibility for secure collection and storage of customer data, the merchant can be found liable in case of a data breach, so merchants must ensure that their vault provider delivers top-notch, validated, Level 1 PCI-DSS security.
    • Working with a vault means adding outbound connections between the vault itself, the merchant’s systems, and the downstream payment providers. While this is largely handled by coding to publicly-available APIs, merchants should seek a provider with deep experience in these integrations, and that offers handy SDKs.
    • Even with multiple PSPs, merchants who guide all transactions through a single vault are at risk of unscheduled downtime if the vault runs into trouble. As a result merchants should ensure their chosen vault has a high uptime guarantee, and that it is designed to allow merchants to reroute all transactions to an alternative endpoint (likely a full-service PSP) in the event of system failure.

    The right payment vault provider addresses each of these directly.


    What is the best payment vault for SaaS billing? 

    The right vault for a vertical SaaS or fintech platform unlocks full control over where and how payment credentials are used. Basis Theory is built for this exact use case. Merchants own their own credentials and can route them to any processor or third-party endpoint without fighting to get their data back.

    Implementation can happen fast too, as Anton Payments describes in their story of getting up and running in just 72 hours. The right provider also supplies clear instructions on how to migrate to an alternative provider, explicit proof of exceptional security, and APIs to connect to any downstream processor.

    See how vertical SaaS platforms use Basis Theory to monetize payments.
