The Ultimate Guide to Vaulting

Storing and securing payment credentials is a critical process in the modern ecommerce infrastructure. A vault that optimizes payment methods offers the ability to accept, store, and automatically update card credentials while minimizing PCI scope. The combination of secure storage and card lifecycle management (i.e. the automated updating of stored card information as they are reissued for any reason) services have worked well together during the surge towards a mobile-first, digital-economy. Entities actively managing these payment credentials have seen a boost to revenue, customer experience, and business intelligence through their implementation.

What is a Credit Card Vault?

A credit card vault securely stores card details. Credit card vaults commonly use tokenization to store data safely, which involves turning data into a token, which is a series of randomly generated numbers that can be used to identify the original card data.

By tokenizing cardholder data, card details, including names and card numbers, will be indecipherable to fraudsters or hackers in the case of a breach. The token cannot be used outside of the vault, making card details unassailable.

How Do Outsourced Credit Card Vaults Help Merchants?

There are several key benefits to leveraging outsourced third-party credit card vaults for merchants.

1. Securely Handle Sensitive Customer Data

With data breaches carrying fines of up to $500,000, enforced by the Payment Card Industry Security Standards Council, it’s no surprise that merchants are concerned with how to securely handle sensitive card details. Not to mention, the public perception of merchants who are outed as having had a security breach is often extremely negative, which can have a big impact on customer loyalty. Credit card vaulting is an effective way of securely handling sensitive data, helping prevent merchants from breaches and cyberattacks.

2. Reduced Payment Friction

Having to enter card data often serves as a barrier to checkout. Credit Card Vaults are the underlying technology to support digital wallets and keeping a customer's card on file in a secure way. This also makes them a great option for merchant aggregators, who can improve both the end-user experience and the merchant experience by providing their merchants with secure credit card vaulting.

3. PCI DSS Compliance

Storing or processing card data yourself makes you liable to PCI DSS compliance. Becoming PCI-compliant can be a laborious and painful process, one that requires a huge number of man-hours from your team and certification comes with a price tag of between $50,000 and $200,000 for large businesses. Not to mention, multiple failures to comply can result in merchants losing their right to process card transactions. Using a third-party credit card vault can help reduce your PCI DSS scope.

4. Seamless Subscription Management

For merchants of record, streaming platforms, and subscription-based services, storing customer data securely is crucial. When taking monthly payments, any payment frictions or failures can open you up to customers deciding to cancel their subscriptions. Credit card vaulting can help facilitate monthly subscription payments and prevent any failed transactions.

5. Enable Global Expansion   

Credit card vaults facilitate a more accessible payments ecosystem, enabling merchants to be able to access a wider range of payment gateways, including those commonly used in new geographic regions the merchant may not currently operate in. Vaulting helps merchants scale faster by connecting to the right mix of payment service providers needed to support their unique needs.

What Are The Advantages of a Standalone Credit Card Vault?

Vaulting customer card data is an essential part of the payments flow of any fast-growing business. The advantages of having a tokenized vault are common knowledge among many payments teams, but traditionally these cards have been vaulted with a single gateway.

Many merchants are now realizing the value of a standalone credit card vault, enabling transactions with multiple payment gateways as they expand into new markets and geographies.

What are the advantages of taking this approach? In this post, we’ll explore the reasons you would want to have an independent vault.

Storing Card Data Yourself Adds to Compliance Issues and Overhead

One of the alternatives to a universal, standalone credit card vault is storing cards yourself. Storing cards yourself means taking on full PCI DSS compliance scope. An in-house solution secures the benefits of universal tokenization to enable a multi-provider payments ecosystem. It is the ideal solution for the large enterprise with extensive resources to manage its own payments ecosystem from head to toe.

The infrastructure and certification costs associated with PCI DSS compliance, starting at over $50,000 per year and requiring ongoing effort from dedicated personnel, are prohibitive for most businesses concerned with expanding quickly.

Alternatively, in order to reduce PCI DSS scope, most merchants decide to vault cards at their payment gateway.

Storing Card Data With a Gateway Reduces Flexibility and Limits Growth

The most common end-to-end payment solution, storing cards at a gateway works well for small businesses that do not need to transact across multiple gateways. A single provider can conveniently handle all of your tokenization and payment processing needs. However, with the growth of eCommerce more merchants are experiencing a need for a multi-provider ecosystem, as I recently covered in the Advantages of Integrating with Multiple Payment Gateways.

Cards stored in a gateway vault are essentially locked into that provider, making it difficult to move card data and negotiate rates. This can produce frustration as businesses grow and expand into new geographies, as they attempt to migrate and expand their payment network to new providers.

A Standalone Credit Card Reduces Compliance Burden and Fuels Expansion Plans

The perfect compromise to the previously mentioned scenarios is having a standalone card vault. A universal, standalone credit card vault avoids the costs of PCI DSS compliance and enables a multi-provider payments ecosystem.

In today’s eCommerce landscape, most merchants are looking to offload PCI DSS scope to the fullest extent possible. Maintaining infrastructure and managing recurring audits does not scale easily in modern SaaS businesses, and most companies have chosen to outsource vaulting credit cards to third-parties with expertise in the area.

For fast growing merchants anticipating geographic expansion, payment method portability via a standalone credit card vault enables the use of stored payment methods at any gateway that the provider is able to reach via integration. As a business expands into new markets, sending card data via additional gateways become necessary, but there are also other advantages to payment method portability.

Merchants processing large volumes of payments need redundancy and resiliency in their payment processing systems, to ensure unavailability does not result in failed transactions. A single-threaded gateway connection for both storing credit cards and processing transactions could result in a large loss of revenue.

For online platforms and marketplaces who aim to attract merchants to their service, a single-provider solution creates excessive friction for on-boarding. Requiring merchants to onboard with only one, or a small handful of gateways in order to participate makes using the platform less attractive. Platforms that are able to connect on-demand with all of their merchants’ payment gateways, but also offer credit card vaulting as a service, are more attractive to potential customers.

The Problem with Generic Vaulting

Going direct with a generic vaulting solution, once an easy solution to implement in the short term, ultimately proves a headwind at scale. Maintaining a legacy, low-touch vault provider carries a number of setbacks as an organization grows:

• The lack of ownership over vaulted payment data limits your flexibility as a business and your payments stack to whatever the PSP can currently offer
• Lost revenue due to stale card credentials grows as a portion of revenue and as your revenue grows, that portion becomes harder to ignore
• Account updates to cards become a cost to you and a revenue generator for your vault provider, incentivizing them to maximize card-update responses - even if the response does not actually update your credential on file
• Diminishing quality of your data because of stagnant cards, duplicate cards-on-file, and inability to link a single customer to multiple payment-methods
• Passivity around modern card-features such as network tokenization and lack of enablement in understanding how to put these features to use for your business

What’s missing in this model is not a specific feature, though a commitment to integrating the latest in capabilities is a key determinant of a trusted provider. What is missing is an active component to payment method management – a trusted partnership that allows your payment-storage engine to be fine tuned to the needs of your business. You may have all the right tools in your garage, but if you don’t know how to best use them individually and together, you will never get the best outcomes.

Activating the Vault

Creating a tailored vaulting experience might first look and feel like standard card-storage: cards are secured, PCI requirements are met, and lifecycle functionality (e.g. account updater) is switched on. Where does the active component come in? Let’s start by asking a few questions:

• Does my vault provider offer reporting and recommendations on how my card environment is being managed and what would create more value for me as a customer?
• Do I have the latest update functionality across the networks and the opportunity to provision features like network tokens? If so, does it come with a heavy up-front cost?
• Do I trust my provider to offer vaulting guidance based on how or where I want to process payments? For example, if I am starting to process payments in India, can I automatically redact stored cards to comply with Reserve Bank of India’s guidelines on foreign entities storing card information?
• Am I basically left on my own when it comes to managing and optimizing my vault and stored cards?
• Do they offer a feature sets beyond lifecycle management? Services like Payment Account Reference (PAR) link a customer across payment methods - is the vault an active product with a roadmap?

Are there any surprises as you think about these questions? Basic vaulting and lifecycle functionality may not seem to have changed much, but developments in features and management are growing – so are the opportunity costs of overlooking the vault as a business grows in scale and complexity. 

The modern vaulting dilemma – using a staid vaulting approach based on habit and basic functionality – can be overcome by uniting a modern feature set with active management to tailor the vault to the business. We are excited about resetting expectations around vault value and performance and redefining modern vaulting for the decade to come.

The Real Costs of Vaulting

In its basic state, a payments vault securely stores payment information like card details. Credit card vaults commonly use tokenization to store data safely, which involves turning data into a token, a benign reference to the actual sensitive payment data that can only be connected to the sensitive data within the vault. Beyond this basic function, payment vaults may also include a suite of additional features, such as card-lifecycle products (e.g. Visa’s Account Updater, and Mastercard’s Automatic Billing Updater that automatically update stored card details) and network tokenization. A network token is a special payment token created in partnership with the card-networks and issuing banks that can offer a number of benefits and be stored alongside the basic payment token created for a payment method.

Payment vaults may be provided directly by a payment service provider (PSP) or with independent third-party providers like Spreedly. The benefit of using a 3rd-party agnostic provider is that it offers a solution which allows the merchant to integrate with any number of payment providers (like PSPs) without limitation, unlike using a vault provided directly by a PSP. This lets merchants tailor their vaulting and payments engine to meet their specific payments needs. 

Breaking Down Vaulting Costs

Let’s categorize and break down the costs an organization may incur when vaulting payments. These are relevant at both the PSP or third-party provider levels:

• Event-Based Pricing - is like a menu that prices each specific “event” that can occur within a vault. Examples include tokenizing a credit card for the first time, updating an expired credit card, or provisioning a network token. Event-based pricing may have embedded third-party costs.
• Usage Pricing - is a basic price established for API calls, processing time, and storage-space used (e.g. stored payment credentials). This is a common pricing framework for many software products and is not specific to vaulting and tokenization.
• Bundled Pricing - Is done when PSPs embed multiple services into a pricing model that includes overall costs. These reflect the “all-in” price a merchants pays and do not always provide itemized reporting.

Vault providers may use one or both of these pricing approaches. While they seem straightforward, as we take a closer look we can begin to see where hidden, substantial costs are incurred by users. 

What Impacts Vaulting Costs?

As a provider that has vaulted over a billion payment methods, we have seen and heard the impact of all of these costs and are committed to optimizing these for our clients. Below we itemize these along with a quick example of the pricing impact:

• Duplicate Payment Methods are common in many vaults. The same payment method (e.g. a credit card) is tokenized and stored several times. This increases usage costs and if the card is reissued and updated with a card lifecycle program it multiplies the cost of that update.‍ Example: The same card is stored three times in a vault. Instead of a $0.20 card update via Account Updater, the same card is updated three times, incurring a $0.60 charge.

• Redundant Card Updates are prolific across card updating services. Event-based pricing for card-update programs incurs costs for clients whenever a “response” is received from the card networks. However certain updates count as a “response” from the networks without actually updating the underlying card information. While these responses may be useful, they do not automatically update the underlying card-data if not identified and acted upon. What’s worse, cards that receive these types of responses tend to repeatedly receive them every time a card is “checked” for an update. The upshot is that a stagnant payment method becomes a recurring cost item that often goes unnoticed. Example: Each month 100 more vaulted cards receive update “responses” from the networks that are each billed to me at $0.20 as an update, but I receive no value. These costs snowball over time without management.

• Event-Based Pricing for Network Tokens is a pricing approach that treats the creation of a Network Token as a pricing “event”, resulting in large, up-front costs for clients interested in NTs. Example: Provisioning Network tokens are charged at $0.15/token. If a client wants to provision 150,000 network tokens, they are hit with an up-front charge of $22,500.

• Elevated Event-Based Pricing from PSPs introduces the “movie theater concessions” effect. If you are vaulting directly with a PSP, you are beholden to their event-based pricing frameworks and restricted to their pricing and capabilities. Worse, some providers will charge hefty fees to port your data to another provider. Example: Instead of paying a competitive rate of $0.18 per card update, a PSP charges $0.25, knowing their sole-provider position gives them pricing power. Example: A PSP vault provider aggressively prices a request for a “token migration” (when a customer wants to transition their vault to a new or backup vault provider) and prices a token migration via SFTP at $0.10/token. 

These may feel like specific cases, but these additional costs associated with payments vaults are important to consider and calculate into the total payments stack return. If a vault provider is committed to event-based pricing, then they may be incentivized to maximize the “events” their vault products enact and price out to clients. This can result in a misalignment of interests between merchant and provider and undermine a good working relationship. We believe that vault users are justified in seeking transparency and attribution for all costs they are incurring through their vault. Event-based and bundled pricing models often make this difficult to obtain and act on. Even if this is available, it may be onerous to act on.

Spreedly is addressing this issue with its Advanced Vault by embedding rules and configurations that automatically identify where redundant costs are occurring and taking steps to minimize them. This active approach to managing client vaults automates vault management in significant ways, reducing costs and overhead for clients.

Spreedly’s Advanced Vault

Spreedly’s Advanced Vault offers new levels of value over traditional payment method management. This additional offering transforms the traditional payments vault from a digital storage space into an adaptable, intelligent service that improves transaction success and maximizes the value of your stored payment methods.

“The many complexities associated with payments makes it one of the areas in a business most ripe for efficiency gains,” said Jordan McKee, Research Director for Fintech at S&P Global Market Intelligence. “The most advanced merchants relentlessly pursue efficiencies across all aspects of their payment stack. This includes strategies that optimize the cost of acceptance, simplify payment operations, and provide actionable business insights.”

Built on Spreedly’s PCI-compliant vault, the new offering combines a modern set of features for card lifecycle management and network tokenization with rules and configurations designed to optimize how your payment methods are stored, refreshed and utilized. This new technology will actively monitor and maintain payment methods, enabling customers to: 

• Eliminate overpayment for unnecessary account updates
• Reduce duplicate payment methods
• Significantly improve data quality
• Automate best practices in vault management
• Decrease transaction decline rates

“It was clear that many of our current customers were incurring increased costs with their payment method retention strategies. The set of tools available, while valuable, required payment teams to create and manage the entire optimization process themselves,” explained Justin Benson, CEO at Spreedly. “Advanced Vault is the latest example of how Spreedly has invested in solutions that optimize payments for customers and enable them to get the most out of their stored payment credentials. We are offering an easy way to incorporate industry best practices while still creating the opportunity for savvy payment teams to add rules and configurations to best meet their unique needs.”

Advanced Vault Benefits

Benefits of the new Advanced Vault offering include:

Payment Method Lifecycle Optimization: Card details are kept up-to-date and “evergreen” using a combination of multiple, redundant AU services and network tokenization when available.

‍Active Management: Rules and configurations based on industry best-practices offer flexibility to suit each unique organization’s needs. Active management of the payment methods eliminates needless costs and stale entries.

Enrichment of Payment Details: Further expansion of payment attributes including BIN, Payment Account Reference (PAR), fraud integrations, payment method redactions, etc. are being actively added to the solution.

Why You Want To Optimize Your Vault

In this eBook, we have delved into the critical nuances of payment vaulting, highlighting the challenges businesses face with traditional methods as they scale. The limitations of generic vaulting solutions, ranging from reduced flexibility and lost revenue to the complexities of managing card updates and diminishing data quality, become more pronounced with organizational growth. This necessitates a shift towards more sophisticated and proactive payment method management systems.

Spreedly’s Advanced Vault represents a strategic response to these challenges, offering a comprehensive and evolved approach to payment data management. It combines essential features such as card lifecycle management and network tokenization with an active management framework. This system goes beyond traditional tokenization and storage, focusing on the optimization of payment methods, reduction of duplicate entries, and application of industry best practices in vault management.

The tangible benefits of adopting such an advanced vaulting are clear. Organizations can achieve significant cost savings, improve the quality of their payment data, and experience lower transaction decline rates. These improvements are crucial for maintaining a competitive edge in today's digital transaction environment, where efficiency, security, and customer experience are paramount.

The shift from basic payment vaulting to more advanced, intelligent solutions is not merely a choice but a strategic necessity for businesses looking to thrive in the digital marketplace. By adopting solutions like Spreedly’s Advanced Vault, businesses can transform their payment vaults from a basic operational requirement into a dynamic tool that actively contributes to their growth and success in the digital commerce landscape.

‍

Download the Vaulting eBook Below

‍