
    Why a Third-Party Token Vault is Good for PCI Compliance

    Choosing a PCI provider

    In the world of online payments, there is a natural tension between security and convenience: the necessary friction added to the buying process can stand between prospective customers and their actual purchase. 

    Nonetheless, all merchants owe a high standard of care in handling sensitive payment information, both to their customers and to their own stakeholders, who suffer financial and reputational damage when a system is successfully attacked.

    That standard is PCI compliance. A strong approach to PCI compliance avoids any single point of failure and relies on a range of partners whose services can be kept compliant, arbitraged against one another, and rearranged as needed to deliver a secure, financially optimized system.

    What does it mean to be PCI-compliant? 

    The PCI-DSS standard is an industry-wide definition of how merchants should manage payment data and storage. While it is a standard, as opposed to a law or regulation, all merchants who want to charge customers using credit cards are required to comply with it. 

    There are four levels of compliance, with Level 4 being the most basic and Level 1 the most complex, and merchants must follow the rules for whichever level they qualify for based on their sales volume.

    Fully PCI-compliant merchant payment systems protect customers’ credit card data, and other personally identifiable information (PII), both in motion and at rest (i.e., while being transmitted, and while simply sitting in storage). In the early days of a merchant system, the quickest and easiest path to market was to partner with a full-service PSP like Adyen to take on the vast majority of the processing and PCI compliance responsibilities.

    As the business grows, however, it can rapidly become clear that a single payment partner strategy introduces significant risks, including: 

    • A consistent, but not optimized, payment schedule.
    • A single point of failure in the event of service disruption by the PSP that can prevent customers from buying.
    • A loss of control over customer data, which may be technically “owned” by the PSP and therefore hard for the merchant to extract should they wish to find a new partner.


    Why do merchants add a backup processor? 

    It is not hard to find stories about smaller merchants experiencing difficulties with full-service PSPs, including everything from revenue holdbacks all the way to abrupt contract terminations. These are the exception rather than the rule, but in the end, the PSP’s terms and rules generally force merchants to look elsewhere.

    The reasons fall into a range of issues, including but not limited to:

    • Processing fee optimization: A full-service PSP tends to have a consistent, flat fee schedule that is convenient for early planning, but offers none of the financial benefits of steering customers toward ways to pay other than credit cards, such as debit cards and alternative payment methods.
    • Rules that go beyond the strictures of the card networks. This could include a chargeback ratio limit below the standard 1%, slowdowns based on transaction volume, or even questions about whether apparently-benign products and services are actually high-risk and therefore not permitted on the network.
    • System outages that ripple through all the merchants using the platform. These outages also make it quite clear to merchants that their whole business model is subject to a single point of failure: if their one and only payment processor is out for the count, the merchant’s whole business grinds to a halt.


    How does a token vault help with PCI-compliant payments? 

    Counter-intuitively, adding another service provider to a merchant payments system creates robustness and optionality. 

    1. The vault securely collects and stores all customer payment data, and the merchant stores just a token that can be used to instruct the vault to submit the payment details to the PSP of the merchant’s choice.
    2. Once the customer details are stored in and transmitted from the token vault, the merchant can pursue processing relationships with substantially any PSP they choose. This opens up the possibility of offering customers their preferred payment methods and arbitraging processing fees to improve the merchant’s bottom line.
    3. By building a system that assumes a multi-processor strategy, merchants can create processes that can submit payments directly to a full-service processor when necessary, even bypassing the token vault if preferred.
    4. Unlike full-service PSPs, credible token vaults have documented processes and agreements to ensure the merchant can extract customer details for delivery to an alternative provider at their discretion.

    By routing payments through the programmable payments vault, the merchant is not subject to a single point of failure for processing, as the vault can be configured to work through a chain of processing partners in the case of an outage at the preferred provider. And by retaining a full-service PSP contract to act as a backup, the merchant can ensure that their customers never face a delay in making their purchases.

    Adding an extra step to any process, regardless of the good it does, will necessarily add some complexity. However, a token vault is a fairly light touch relative to many technologies.

    • Using vault-provided forms to collect payment information is effectively no greater a challenge than implementing the interfaces of a full-service PSP.
    • Once built, the logic used within the merchant payment system to select a PSP can be used for as long as needed, switching transactions between PSPs to deliver the desired result. 
    • Because the system is built assuming a process that will make decisions based on the situation (is this a cross-border transaction, say, or one that is selling a high-risk item), it can also be relatively easily set to fall back to a standard full-service PSP interface in the rare event of a vault outage.
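    The PSP selection logic described above (a cheapest-eligible routing chain that the vault works through, a direct call to the retained full-service PSP when the vault itself is down, and a guard that keeps raw card numbers out of merchant code so the system stays out of scope), as an added illustrative example that is not code from this article or from any vault or processor vendor; the processor names, fee values and availability flags are constructed placeholders, and the health check is assumed rather than implemented.

```python
from dataclasses import dataclass

@dataclass
class Transaction:
    token: str            # opaque vault token; merchant code never sees the PAN
    amount_cents: int
    cross_border: bool = False
    high_risk: bool = False

@dataclass
class Processor:
    name: str             # hypothetical processor name (constructed)
    fee_bps: int          # processing fee in basis points (constructed value)
    cross_border: bool = True
    high_risk: bool = False
    available: bool = True  # stand-in for a live health check of the PSP

def assert_is_token(value: str) -> None:
    """Refuse anything shaped like a raw card number (13-19 digits) where a
    token is expected: a raw PAN in merchant code paths pulls it into scope."""
    digits = value.replace(" ", "").replace("-", "")
    if digits.isdigit() and 13 <= len(digits) <= 19:
        raise ValueError("raw PAN passed where a vault token was expected")

def routing_chain(txn: Transaction, processors: list) -> list:
    """Processors eligible for this transaction, cheapest first; the vault
    is instructed to try them in this order."""
    eligible = [p for p in processors
                if (p.cross_border or not txn.cross_border)
                and (p.high_risk or not txn.high_risk)]
    return sorted(eligible, key=lambda p: p.fee_bps)

def route(txn: Transaction, processors: list, fallback: Processor,
          vault_up: bool = True) -> tuple:
    """Return (processor_name, path): 'vault' when the vault forwards the
    stored details, 'direct' when the merchant calls the backup PSP itself."""
    assert_is_token(txn.token)
    if vault_up:
        for p in routing_chain(txn, processors):
            if p.available:
                return p.name, "vault"
    if fallback.available:       # full-service PSP kept as the last resort
        return fallback.name, "direct"
    raise RuntimeError("no processor available for this transaction")

# Constructed sample configuration: domestic-only low-risk psp_a is cheapest,
# psp_b is the only one that takes high-risk items, psp_c is a dearer backup.
SAMPLE_PSPS = [Processor("psp_a", 250, cross_border=False),
               Processor("psp_b", 290, high_risk=True),
               Processor("psp_c", 310)]
FULL_SERVICE = Processor("full_service", 295, high_risk=True)
```

A real deployment would replace the `available` flag with the vault’s own retry chain and the PSP health checks, but the decision order stays the same.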

    While maintaining a multi-processor payments system requires more work, the results can be significant. An online business with slim margins that can shave a percentage point off the processing fee line can fundamentally shift bottom-line results. 

    Meanwhile, the merchant benefits from the continued provision of fully PCI-compliant storage without bringing their own system into PCI scope.
