A critical aspect of offering subscription products is the ability to store a customer’s payment information on file. Customers are often reluctant to provide this data as they don’t want it to fall into the wrong hands, but holding payment information is critical to renewing a subscription. Merchants can keep customers’ card information on their own systems, but safe storage can be expensive and complicated. Card data can be stored with a payment processor, but that option has its own disadvantages. A third-party credit card vault, however, can keep customers’ personal data safe, while offering more flexibility.
About Tokenization and Credit Card Vaults
A credit card vault service stores customers’ card details in a secure manner. Typically, the data remains in the vault until it is needed to process a payment. Once the retrieved data has served its purpose, it is dropped from the processing chain. As a result, the merchant’s own systems do not need to hold sensitive card data continuously to support ongoing operations.
These vaults take advantage of tokenization technology. This refers to the process of turning sensitive data, such as a card number, into a reference value that is undecipherable and irrelevant to anyone else. Outside the vault service, tokens cannot be returned to their original value. For this reason, credit card vaults are also sometimes referred to as token vaults.
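To make the tokenization model concrete, here is an added Python sketch (not code from any vault provider or from the original post) of the flow described above: the vault hands the merchant a random token, the merchant keeps only the token and the last four digits, and the card number is pulled from the vault only for the moment of a renewal charge. The TokenVault class and the sample card number are constructed for illustration.

```python
import secrets

# Constructed sample card number (a well-known test PAN, not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault only accepts well-formed card numbers."""
    digits = [int(d) for d in pan if d.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical stand-in for the vault service: the only place that can map a token back to a PAN."""

    def __init__(self):
        # In a real vault this mapping lives encrypted, inside the provider's PCI scope.
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # The token is random, not derived from the PAN: nothing outside the vault can reverse it.
        token = "tok_" + secrets.token_urlsafe(18)
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def store_card_for_renewals(vault: TokenVault, pan: str) -> dict:
    """What the merchant keeps on file: a token plus a display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:]}


def renew_subscription(vault: TokenVault, record: dict, amount_cents: int) -> dict:
    """Renewal: the PAN is fetched for the charge and dropped right after (processor call simulated)."""
    pan = vault.detokenize(record["token"])
    result = {"charged": amount_cents, "card": "**** " + pan[-4:]}
    del pan  # nothing sensitive is retained on the merchant side after the charge
    return result
```

Because each token is freshly random, tokenizing the same card twice yields two unrelated tokens; a breach of the merchant's database exposes tokens that are useless without the vault.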
A third-party credit card vault has many benefits over alternative methods of storing customer card numbers. Let’s take a closer look at two popular options.
Option 1: Storing numbers internally
When merchants store credit card numbers in local systems, they have immediate access to card information whenever it’s needed. On the other hand, this introduces risk in the event of a security breach. The business is also fully responsible for PCI DSS compliance. Achieving compliance isn’t easy: PCI compliance means adherence to the Data Security Standard (DSS) set by the Payment Card Industry Security Standards Council (PCI SSC). This is a coalition of the five largest credit card companies (American Express, Discover Financial Services, JCB International, Mastercard and Visa). There are 12 broad PCI DSS compliance requirements, from encryption to quarterly scans, regular testing and malware protection. Maintaining continuous PCI compliance can be expensive and challenging for any business, but it presents a unique burden for startups and small businesses.
Organizations that store credit card data but don’t adhere to PCI compliance standards risk fines of up to $500,000 per data loss incident. An even bigger impact may be a loss of the ability to accept credit card payments. Merchants also risk high legal fees and damage to company reputation.
Option 2: Storing numbers with a payment provider
Many payment providers have the ability to securely store credit card credentials. This can limit (but not eliminate) your compliance responsibilities. The tradeoff is flexibility, as routing transactions to another provider down the road will likely require an expensive and time-consuming data migration. As we’ve discussed in other posts, credit card processing fees can be expensive, and the best pricing strategies rely on payment provider flexibility, allowing merchants to take advantage of volume discounts, the ability to change services as they grow, skirting processor downtime and more. Worse still, some payment processor agreements limit data portability, so you may have difficulty accessing or transferring that data when needed.
Read more about how to address token migration and the challenges of changing payment vendors.
The Benefits of Using a Third-Party Provider
Both the options above present challenges that are solved with a third-party credit card vault. The advantages of this option include the following.
Providers whose core service is handling credit card data are incentivized to ensure its security, lessening the danger of credit card breaches and data theft.
Regular audits and evaluations
Credit card vaults must adhere to strict regulatory and compliance frameworks, and regularly undergo audits and evaluations from independent third-party assessors. As a result, merchants have the assurance that sensitive data is protected.
Freedom and flexibility
Customers’ credit card information held by a payment processor is effectively held hostage, limiting the merchant’s flexibility; a detached, third-party vault leaves the merchant free to choose and change processors.
Ensuring PCI DSS compliance yourself can be costly, as can purchasing and maintaining the expensive hardware, software, and internal controls necessary to comply with it.
How to Find the Best Credit Card Vault Solution
You have a number of token services/credit card vault options available to you, including those offered by:
- Other third-party providers
Determining the best option is not always an easy decision. We can help. At Rebar Technology, we are subscription billing management experts, with the know-how to provide guidance on the significant subscription billing decisions you have to make. Make the smart choice first, and contact us to talk to one of our payment guidance experts.