A vault with credit cards stored inside, symbolizing a PCI vault for online payments

How Your PCI Vault Makes or Breaks Customer Trust

Let’s face it: The majority of customers don’t trust your payment system just because. You have to earn their trust. 

For German e-commerce, that’s strikingly true. According to Statista, 51% of German customers name “Security and Trust Issues at Checkout” as the prime reason why they don’t shop on an online platform. Over one third of them also feel put off by a “Long and Confusing Payment Process” (37%). And so, companies are between a rock and a hard place: How do you speed up and simplify the checkout process without compromising security?

Credit card tokenization is one of the key ingredients of the remedy. During tokenization a so-called token replaces the clear-text card details, acting as a stand-in for the full credit card. This has a number of advantages such as: 

  • Saving the customer’s card details for subsequent payments
  • Eliminating the reentering of card information during failover rerouting to a different PSP 
  • Reducing the risk of data breaches, increasing customer trust
  • And thus providing a frictionless, satisfying user experience.

To make this work, however, your company’s payment system must be able to call up a secure, PCI DSS-compliant storage, a Vault. The Vault ensures that customers’ card data is tokenized, securely stored and kept out of the wrong hands. In the following paragraphs we will highlight a path to get a fully functioning Vault for your business.

In detail, this article will answer: 

Curtains up! 

The Core Functions of a PCI Vault

A Vault is a PCI-compliant storage, meant to tokenize and securely store customers’ sensitive credit card information in encrypted form. This includes all sensitive authentication data, i.e. PANs and (temporarily) CVVs. When a customer registers a card on your platform, your payment system sends it to the Vault, which encrypts and stores the card data and creates a unique token. The token is safe for storage within the surrounding ecosystem. When a purchase takes place, this token takes the place of the actual credit card details in your payment system. The Vault finds the associated credit card and passes the information on to a PSP adapter in the PCI environment. This adapter then transmits the decrypted credit card data to the PSP or acquirer for payment processing.
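The flow just described, as an added example (not trimplement’s or Finergizer’s code): a minimal tokenization vault in Python. The card enters the vault once, the platform keeps only a random token and the last four digits, and the PSP adapter is the only caller that can turn a token back into a card. The master key, the test card number and the HMAC-SHA256 keystream cipher (standing in for a real AEAD such as AES-GCM so the example needs only the standard library) are all constructed assumptions for illustration. It also shows the CVV being purged after the first authorization, which is what “temporarily” above amounts to in practice.

```python
"""Added example, not trimplement's or Finergizer's code: a minimal tokenization vault.

Constructed assumptions:
- MASTER_KEY stands in for a key that in practice lives only inside the PCI
  scope (HSM or KMS), never in source;
- an HMAC-SHA256 keystream plus an HMAC tag stands in for a real AEAD such as
  AES-GCM, so the example runs on the standard library alone;
- detokenize_for_psp() models the single path out of the vault, the PSP adapter.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

MASTER_KEY = bytes.fromhex("00" * 32)  # placeholder key, constructed for the example


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from HMAC-SHA256 (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate encryption and authentication keys derived from the master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag, with a fresh random nonce per record."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting, so a modified record is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class VaultRecord:
    pan_blob: bytes
    expiry: str
    cvv_blob: Optional[bytes]  # held only until the first authorization


class Vault:
    """Everything outside this class only ever sees tokens and the last four digits."""

    def __init__(self, master_key: bytes):
        self._key = master_key
        self._store = {}  # token -> VaultRecord; in practice an encrypted database

    def tokenize(self, pan: str, expiry: str, cvv: Optional[str]) -> dict:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        # The token is random: it reveals nothing about the PAN and cannot be
        # reversed without access to the vault itself.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = VaultRecord(
            pan_blob=encrypt(self._key, pan.encode()),
            expiry=expiry,
            cvv_blob=encrypt(self._key, cvv.encode()) if cvv else None,
        )
        return {"token": token, "last4": pan[-4:], "expiry": expiry}

    def detokenize_for_psp(self, token: str) -> dict:
        """Called only by the PSP adapter inside the PCI scope."""
        rec = self._store[token]  # KeyError for an unknown token
        pan = decrypt(self._key, rec.pan_blob).decode()
        cvv = decrypt(self._key, rec.cvv_blob).decode() if rec.cvv_blob else None
        rec.cvv_blob = None  # purge after first use; later payments run without CVV
        return {"pan": pan, "expiry": rec.expiry, "cvv": cvv}
```

Two design points carry over to any real vault: the token is random rather than derived from the PAN, so nothing outside the vault can compute or reverse it, and the stored record is authenticated, so a tampered database row fails closed instead of yielding a wrong card number.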

A flow diagram showing the process of tokenizing a credit card in the Finergizer vault

Vaults can either be run on-premise or as-a-service. In either case, the vault should stay clearly separated from the remainder of the payment system. Restricting access to the Vault and the data within is crucial, and your payment system architecture must account for this. The more system components the vault ecosystem contains, the more extensive (and expensive) the PCI audit will be, so companies will want to keep the scope as limited as possible. What they gain is advanced security: Their payment platform doesn’t interact with the actual card data, even when the customer enters it for the first time. Thus it’s very hard for malicious actors to obtain it.

Aside from credit card data, Vaults can also store other kinds of “data secrets”, such as passwords, API keys or encryption keys. The following cases will only look at Vaults storing credit card information.

PCI DSS and Vaults

A vault is often called a “PCI environment”. This term refers to an environment that complies with the regulations of PCI DSS, i.e. the Payment Card Industry Data Security Standard. This standard, imposed by the major credit card companies, has the goal of reducing credit card fraud and security issues. Any company processing credit card data must demonstrate its compliance in regular audits and review processes.

Tokenization Environments: On-Premise vs. SaaS

For businesses, integrating a secure credit card vault boils down to a few options with different implications. Decision makers have to choose according to their overall strategy and preferences.

SaaS Vaults (PSP-Specific Vaults, Cross-PSP Vaults)

PSP-Specific Vaults

In the SaaS scenario, the vault is hosted outside of the company’s system and called during checkout. In many regards, it’s the most common option: Businesses that outsource their payments to a single payment service provider are typically bound to their PSP’s vault system as well. PSP-specific tokens cannot be used at a different PSP. That’s not a massive problem if the company settles for payments from a single source, but it does lead to vendor lock-in.

When a company wants to run a payment orchestration platform with multiple PSPs, this is no longer an option. Leaving credit cards in the specific vaults of the integrated PSPs would undermine one of the key advantages of payment orchestration: smart payment routing. PSP-specific tokens are not accepted by other PSPs, yet that is exactly what is needed when a transaction has to switch to a different processor without any interaction with the card holder.
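The routing argument above, as an added example that is not part of the original post: an orchestration layer holds only a token and tries PSPs in routing order. A PSP-specific token can only be authorized at the PSP that issued it, so an outage there ends the attempt; a cross-PSP vault token is accepted by every adapter because the vault, not the PSP, resolves it. The PSP names, token formats and outage flag are constructed for illustration.

```python
"""Added example (not Finergizer's code): failover routing with PSP-specific
versus PSP-agnostic tokens. All names and token formats are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PspAdapter:
    name: str
    available: bool = True  # False simulates an outage or a decline at this PSP

    def accepts(self, token: str) -> bool:
        # A PSP-specific token (constructed format "<psp>:<id>") is only valid at
        # its own PSP; a cross-PSP vault token ("tok_...") works everywhere,
        # since the vault's PSP adapter resolves it to the card.
        return token.startswith("tok_") or token.startswith(self.name + ":")

    def authorize(self, token: str, amount_cents: int) -> bool:
        return self.available and self.accepts(token) and amount_cents > 0


def route_payment(token: str, amount_cents: int, psps: List[PspAdapter]) -> Optional[str]:
    """Try PSPs in routing order without involving the card holder.

    Returns the name of the PSP that authorized the payment, or None if no PSP
    could take it with the token at hand (the card would have to be re-entered).
    """
    for psp in psps:
        if not psp.accepts(token):
            continue  # token unusable here; skipping is the only option
        if psp.authorize(token, amount_cents):
            return psp.name
    return None
```

With the primary PSP down, a token issued by that PSP leaves no route, while a vault token simply falls through to the next processor; that difference is the whole case for a cross-PSP vault.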

Cross-PSP Vaults

In this case, companies have to rely on systems that provide PSP-agnostic tokens. Third-party vaults, operated as software-as-a-service offerings, can store such tokens. Credit card data is still stored externally and called when needed.

Both SaaS vault options are convenient for businesses, for a number of reasons:

  • Easier Set-Up and Maintenance: While not exactly plug-and-pay solutions, typically, SaaS vaults are manageable regarding the integration effort. Companies don’t have to build up fully fledged development teams to create a vault system from scratch and to maintain it thereafter. 
  • Relinquished Responsibilities: When relying on an external vault solution, companies also put the main part of the liability on the provider. Vault service providers are responsible for PCI compliance and are held accountable in case of security breaches, fraud episodes or non-compliance. 
  • Domain Knowledge: Companies specialized in creating, running and maintaining vault solutions are familiar with the newest technological advances in payment security and can offer them in their products. Companies outside their field must first acquire extensive domain knowledge. 

A flow diagram showing the process of paying with a token derived from a credit card in the Finergizer vault

On-Premise Vaults (Build vs. Buy)

Build

Instead of settling for a SaaS solution, companies may opt to create their own tokenization processes and integrate their own credit card data vault into their payment infrastructure. This choice has a lot of implications. For starters, a company needs a team well-versed in tokenization, PCI compliance and payment security protocols. But the scope of such a project is massive in itself: The software team has to handle complex vault architecture, development and deployment efforts, while also taking care of the documentation. And once it’s all done, regular maintenance comes on top.

However, the benefits of establishing an in-house vault are substantial:

  • Customization and Update Policy: Companies settling for an in-house vault solution possess complete autonomy over its integration within their payment infrastructure. They can tailor the system to suit their specific needs and priorities, without being beholden to the strategic decisions of external providers. Additionally, they retain control over the timing and nature of updates, ensuring alignment with their business objectives.
  • Data Ownership: Perhaps the foremost rationale for pursuing an in-house solution. By housing the vault internally, companies maintain a centralized repository for sensitive information, affording much more control and oversight. This proves essential, especially in jurisdictions with stringent data localization regulations mandating that customer data remain within national borders. 

Buy (The Finergizer Option)

Building an in-house PCI DSS vault will always entail some additional work when compared to using a SaaS solution. The good news is that on-premise third-party solutions exist that grant companies the best of both worlds: Easy and quick implementation without building everything from scratch, but enough options to allow for rapid scaling and high customization.

We built the Finergizer Vault Element to be exactly such a solution. 

It is a comprehensive PCI compliance-ready card data storage system that seamlessly integrates with digital payment systems no matter the tech stack. Finergizer helps your business with:

Cutting Development Expenses

Instead of galloping costs due to high development efforts and ongoing maintenance, you can use Finergizer Vault, a ready-to-use credit card storage system that fits into your technology landscape. The software is a product by trimplement, a company with over a decade of experience in creating secure and reliable payment solutions. Software by trimplement is currently in use in active payment systems of top tier companies such as BMW, Delivery Hero, Deutsche Bank and Tide.

Achieving Compliance Rapidly

Setting up a PCI-compliant vault from scratch takes up a great deal of development time. On top of that, when using in-house secure credit card storage, you will have to go through a PCI audit.

Finergizer Vault was built by software engineers who have already implemented PCI DSS-compliant Vaults several times in the past. Finergizer Vault is compliance-ready, so you can bring your payment system to the finish line quickly, saving the months you would otherwise spend designing and developing your own Vault from scratch.

Scaling Up at the Pace of Growth

With its microservice architecture, Finergizer Vault can scale quickly and won’t bow down even in high-load situations, e.g. when transaction numbers spike during peak times.

PSP-Agnostic Payment Processing

The tokenization system of the Finergizer Vault generates PSP-agnostic tokens. This allows you to easily connect your payment system to any PSPs that are popular with your customers. Support for Network Tokens, i.e. tokens provided by the card schemes themselves, is currently in the works and will be available in Finergizer soon. Network tokens bring increased authorization success rates and better fraud protection on top of those benefits.

Regular Maintenance and Updates 

Finergizer Vault lets you do what you do best: save time and manpower and focus on your core business. With Finergizer Vault, maintenance and updates are one less worry.

And that’s just a short overview. You can get the full picture on the Finergizer Page.

Christoph Laurer

Christoph Laurer is the Content Editor at trimplement, taking care of Social Media, SEO and analytics as an added bonus. With his storytelling, graphic and video editing skills, honed by working for different industries, he distils fintech and banking topics down to legible form. If you don’t find Christoph at his writing desk, you will probably meet him at the cinema.
