Why vaulting your credit cards externally is super important for recurring payments

Summary: Subscription based businesses can choose to store their users’ credit card data in their vaults or have their payment service providers store the data on their behalf. What happens to the data when you want to move to a different payment provider?



Subscription and recurring payments businesses need regular access to their customers' credit card information to charge for the services purchased. The data can be held by the company in its own storage vault or by a third party company.

Storing customer credit card data in-house is expensive for any startup. The cons of building your own data storage vault outweigh the pros, so the obvious choice is to store the data externally. But what happens to your users' credit card data when you want to change your payment gateway or processor?

If you have access to the data, you can move with it to your new provider, ensuring uninterrupted payments to your business. Otherwise, you will have to contact your customers all over again and request them to provide the data. For companies that have thousands of users, this can be a huge inconvenience.

Credit card data has to be stored in industry standard infrastructure that is PCI DSS compliant. However, some payment providers use PCI compliance as a smokescreen not to give you your customer data. The truth is most credit card data can be transferred, but only from one PCI compliant service provider to another.

Should You Vault Cards Internally or Use an External Provider?

You do not have to use an external provider to vault your credit cards. If you have the time and resources, you can apply for PCI compliance to be allowed to store your customers' credit card data. PCI Compliance Guide has comprehensive information on PCI compliance matters, who it applies to and the requirements for achieving compliance.

However, achieving PCI compliance can be expensive for startups and small businesses. Setting up and maintaining the required highly secure infrastructure is expensive and takes time. The infrastructure has to be constantly maintained to ensure it is secure from unauthorized access. With the rapid changes in payments security technologies, companies that seek PCI compliance need to stay ahead of attackers looking to take advantage of any security flaw in their infrastructure.

Companies that fail to adhere to PCI compliance standards risk huge fines of up to $500,000 per incident and a possible ban from accepting credit card payments.

Vaulting your Credit Card With an External Payment Provider

Most startups and small businesses can be well served by PCI compliant third party payment providers that store their customers' credit card data on their behalf.

But being PCI compliant is not the only thing you should check with a payments provider. The ability to transfer your customer data is also crucial for your business. Vendors that “lock-in” merchants to their gateways can have a major negative impact on your business should you need to change providers.

Data portability was first championed by Braintree and has become an industry standard. Your recurring payments business requires you to automatically charge the customer's credit card on file. Should you lose this data, whether through vendor "lock-in" or otherwise, customers can be put off when you ask them to submit their credit card details again.

Not all payment providers offer data portability.

In theory, data portability seems a simple, straightforward process. In practice, this is hardly the case. Moving the data from one provider to another in a secure manner can be a clunky process. To begin with, the data has to be re-mapped, and your new service has to be up and running for new transactions before you shut down the old one. These inconveniences are, however, more bearable than losing all your data. Also, some payment service providers charge a fee to do this work, so you should budget for the possibility of extra cost.
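The cutover described above, modelled as an added Python example (not ChargeBee's or any payment provider's code). It assumes the two PCI compliant providers exchange an old-token-to-new-token mapping between themselves and the merchant only ever holds opaque vault tokens; the Luhn guard refuses any mapping row that looks like a raw card number, so the merchant never ingests PAN data by accident.

```python
from dataclasses import dataclass, field


def looks_like_pan(value: str) -> bool:
    """True if value is 13-19 digits passing Luhn, i.e. a raw card number."""
    digits = value.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardVaultMigration:
    """Old-provider -> new-provider token mapping during a dual-running cutover (hypothetical)."""
    old_tokens: dict                              # customer_id -> token at old provider
    new_tokens: dict = field(default_factory=dict)  # customer_id -> token at new provider

    def apply_mapping(self, mapping_rows):
        """Ingest the (old_token, new_token) rows the providers exchanged; returns mapped count."""
        inverse = {tok: cid for cid, tok in self.old_tokens.items()}
        for old_tok, new_tok in mapping_rows:
            if looks_like_pan(old_tok) or looks_like_pan(new_tok):
                raise ValueError("mapping row contains a raw card number; refusing to ingest")
            cid = inverse.get(old_tok)
            if cid is not None:              # unknown tokens are skipped, never guessed
                self.new_tokens[cid] = new_tok
        return len(self.new_tokens)

    def token_for_charge(self, customer_id):
        """While both providers run, charge via the new vault when mapped, else the old one."""
        if customer_id in self.new_tokens:
            return ("new", self.new_tokens[customer_id])
        return ("old", self.old_tokens[customer_id])

    def unmigrated(self):
        """Customers still without a new token; must be empty before the old provider is shut off."""
        return sorted(cid for cid in self.old_tokens if cid not in self.new_tokens)

    def safe_to_decommission_old(self):
        return not self.unmigrated()


# Constructed sample data: tokens are opaque provider references, not card numbers.
SAMPLE_OLD = {"cust_1": "old_tok_a1", "cust_2": "old_tok_b2", "cust_3": "old_tok_c3"}
SAMPLE_MAPPING = [("old_tok_a1", "new_tok_x1"), ("old_tok_b2", "new_tok_y2")]
```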

Will You Receive Your Customer Data in a .CSV file?

Many merchants think that when they are with a company that allows data portability, they will receive the data in a .CSV or Excel file. This is not the case. Due to PCI rules, customers' credit card data can only be transferred to another PCI compliant party. Your current provider will submit the data to the vendor you prefer through secure means to prevent unauthorized access to the data by third parties.

Data portability is like insurance for merchants. When you need to move providers, you will realize the importance of working with a service provider that allows data portability.


Posted on November 7, 2013

  • Ryan

    John, this is a great article! Thank you.

    • John Solomon

      Thanks Ryan. Glad you liked it.
