Storing Payment Details Securely in the IXOPAY Vault

Protecting sensitive payment details like credit card numbers is crucial to online merchants. The IXOPAY vault provides a means of securing payment details like credit card numbers, international bank account numbers and alternative payment methods.

Secure Payment Details with Tokenization

Storing payment details is required for card on file transactions and subscription payments. Stored payment details streamline the checkout process for return customers, allowing them to simply choose a previously used payment method from a list. Customers can also set a payment method as their preferred method, and this method can automatically be pre-selected. Alternatively, the last used payment method can be selected by default. This removes the need to re-enter payment details and also eliminates the chance of entering incorrect payment details, causing the transaction to fail.

In order to comply with PCI DSS, credit card information must be stored in a secure PCI DSS certified vault. IXOPAY offers a PCI DSS Level 1 secure vault that both stores and tokenizes payment details. Tokenization is a security mechanism that replaces sensitive payment details - like credit card numbers - with a unique and random token that serves as a reference. As the token does not contain any underlying payment information, it can be stored by merchants without increasing their PCI DSS scope.

Merchants generally want to avoid handling any sensitive payment details directly, as doing so incurs significant overheads and require annual audits in order to meet PCI DSS requirements for cards. Outsourcing the storage to a third party results in significant savings, as the cost of PCI DSS certification can easily run into the hundreds of thousands of euros over time.

When submitting a transaction request using a payment instrument stored in the vault, the merchant simply includes the token in the transaction request. IXOPAY then uses this token to retrieve the actual payment details associated with the token and forward those when processing the transaction.

Tokens reference payment details stored in the IXOPAY vault

More Than Just Credit Cards

The IXOPAY vault is not only able to store credit card details in line with the PCI DSS requirements, but also IBANs and details on alternative payment methods like Google Pay and Apple Pay. To ensure that credit card details are neither stored nor handled directly by the merchant, special fields in their own iframe are used to enter the PAN and CVV on checkout pages. The data entered in these fields is forwarded directly to IXOPAY and is thus never visible to the merchant.

Whenever a customer completes a payment using a payment instrument that can be stored in the IXOPAY vault, you can offer them the option of saving that payment instrument for reuse. If this option is checked, the payment details are stored in the IXOPAY vault and a token is generated, which can be stored by the merchant to reference the payment instrument in future transactions.

Once payment details have been stored and linked to a customer’s account (using customer profiles in IXOPAY), you can allow customers to reuse the payment method at checkout without needing to re-enter their payment details. Consumers can set a payment instrument as their preferred option, which can be selected by default on the checkout page.

Having access to payment details is also required for recurring payments, e.g. for subscriptions. As these customers need to be billed in regular intervals (e.g. monthly), the payment details need to be stored in order to automatically process the subscription fees. This ensures regular and timely payment without needing to involve the customer in the process.

Card Updater: Ensuring Up-to-date Payment Details

One challenge that merchants face when storing payment details is the possibility that the details can change over time. This could be due to a card being reissued, for example. IXOPAY’s card updater allows you to automatically query credit cards stored in the IXOPAY vault for any changes to the underlying payment details and automatically update the stored information if there have been any changes.

A similar mechanism is also available in the form of network tokens issued by the credit card schemes. The schemes issue merchant-specific tokens for credit cards that are maintained by the schemes themselves. Even if the underlying credit card details are changed, the token continues to reference the card, meaning no updates are required on the merchant’s side. IXOPAY can request and manage these network tokens.

The Value of Independence

Merchants can also import existing payment instruments into the IXOPAY vault, allowing them to migrate from an existing system to IXOPAY’s payment orchestration platform. IXOPAY generates tokens for these imported payment instruments and provides merchants with information on which new tokens replace which old tokens. This allows merchants to update the tokens they have stored locally and ensures that customers are unaffected by the decision to migrate and do not need to update their payment details. Payment instruments that can be stored in the IXOPAY vault - credit cards, IBANs and alternative payment methods - can all be imported.

One of the major advantages of using IXOPAY for tokenization is that the IXOPAY tokens are not specific to a single payments provider. When PSPs issue merchants with a token, that token is only valid for transactions processed by that specific PSP. In contrast, tokens issued by the IXOPAY platform can be used with transactions that are forwarded to any of the hundreds of payment providers and acquirers supported by the platform. This is because converting the token to payment details happens before the transaction is sent to the payment provider or acquirer.

This can be particularly beneficial when using cascading and smart routing in a multi-acquirer setup, as transactions may be routed to different payment providers depending on the situation. If one PSP is currently unreachable, or if the merchant’s relationship with a PSP changes (contract is terminated by the PSP or the fees change, making the provider more or less attractive), the transaction can still be routed to an alternative provider using the token and stored payment credentials. IXOPAY thus helps avoid merchants from becoming highly dependent on a single provider (provider lock-in), giving them the freedom to pick and choose from the best payment providers for that merchant’s setup.

Advantages with IXOPAY Card Vaulting

IXOPAY’s secure vault delivers a number of benefits for merchants. It reduces their dependence on an individual PSP or acquirer by generating tokens that can be used with any provider connected to IXOPAY. This is a significant benefit for merchants using a multi-acquirer setup to help increase authorization rates, reduce costs and safeguard their business with fallback options. Storing payment details in a secure vault provides a high level of security and helps merchants meet their PCI DSS requirements while keeping down costs. IXOPAY’s card updater ensures that you keep credit card details up-to-date, which is vital to ensuring that recurring payments are processed successfully and customers are not required to update their card details if they are issued a new card.

Customers’ payment instruments can be shared across multiple merchants in IXOPAY’s tenant hierarchy using customer profiles. Payment instruments (credit cards, IBANs etc.) stored in the customer’s profile can be presented to the customer at checkout allowing them to choose which one to use and eliminating the need to enter their payment details again. Customer profiles also allow merchants to store the customer’s preferred payment method, as well as providing access to a customer’s full transaction history.

If you are interested in learning more about the IXOPAY vault and how IXOPAY can streamline your payment processes, get in touch!

Get in Touch

About IXOPAY

IXOPAY is a best-of-breed payment orchestration platform offering flexible and independent global payment processing options. Fully PCI-DSS Level 1 certified and highly scalable, IXOPAY caters to the needs of enterprise merchants and white label clients, including payment service providers (PSPs), acquirers and independent sales organizations (ISOs). Built upon modern, easily extendable architecture, IXOPAY provides smart transaction routing with cascading, state-of-the-art risk and fraud management, fully automated reconciliation and settlements processing, comprehensive reporting and access to hundreds of acquirers, payment service providers and alternative payment methods.

IXOPAY is trusted by national and international enterprises and has offices in Austria and the USA. The owner-led and financed company has grown from 2 to nearly 100 employees by delivering innovative eCommerce solutions.

For more information, visit: https://www.ixopay.com

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	_fm	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	cf_clearance	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	_ga	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	2 years
Google Ireland Limited	_gid	Analytical cookie set by the service Google Analytics used to distinguish visitors. Collects data about number of visits and user journey.	24 h
Google Ireland Limited	_gat_ua-keynumber	Analytical cookie set by the service Google Analytics used to throttle the request rate, limiting the collection of data on Websites with high traffic.	Session
Google Ireland Limited	_ga_container-id	Cookie set by the service Google Analytics 4. The cookie is used to persist session state.	12 month
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	_lfa	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months

Partner	Name	Description	Duration
Google Ireland Limited	_gcl_au	Conversion-cookie set by the service Google Ads for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners.	3 months
Google Ireland Limited	_gac_gb_container-id	Cookie which connects Google Analytics und Google Ads. Google Ads website conversion tags will read this cookie.	90 days
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. In general, the cookie in the relevant domain and your IP address are passed to Microsoft with every http request and not just via UET.	13 months