SaaS Payments
What is a SaaS Payment Vault?
A SaaS payment vault is essentially a cloud storage system where tokenized payment card data is captured, encrypted, and managed. A token, a non-sensitive reference, is stored in your system while the vault keeps the real Primary Account Number (PAN) in a highly secure, controlled, and audited environment.
This matters because card data carries risk: every system that touches a raw PAN falls within PCI DSS scope. Keeping the PAN only in the vault reduces the level of compliance you need and limits what a breach of your own systems can expose.
How does card data portability work, and what is processor lock-in?
Perhaps the most important aspect of a neutral payment vault is card data portability: once card credentials are tokenized, you can move from one payment processor to another without asking customers to re-enter their card details. Without a vault, tokens are typically valid only with, and owned by, a single payment service provider (PSP). Because those tokens are tied to the processor, switching means customers must re-enroll. This dependency, processor lock-in, gives your existing PSP leverage in negotiations.
A neutral vault removes this dependency. Whichever processor is selected for a transaction, the same tokens resolve to the same underlying PAN, so processors can be chosen on cost, approval rate, or location.
What types of Payment Vaults exist?
There are four main vault architectures, each with different trade-offs:
- PSP-Owned Vault — The processor manages the vault. Easy to set up, but creates lock-in; portability is limited or non-existent.
- Neutral / Network Vault — An independent third party stores PANs and issues processor-agnostic tokens. Offers portability; commonly used by enterprise merchants and subscription services.
- Vault-As-A-Service (VSaaS) — A SaaS model where a specialist vendor provides the vault as a standalone API layer. Flexible to integrate and pairs naturally with multi-processor routing.
- On-Premises Vault — The merchant maintains its own vault infrastructure, offering complete control but necessitating considerable PCI investment and continuous operational expenses.
For many SaaS businesses, VSaaS or a neutral vault is a reasonable fit, balancing control against compliance efficiency.
How does Vaulting reduce PCI compliance scope?
Once cardholder data is vaulted, it is never released to application servers, databases, logs, or similar systems. This normally results in an 80–90% reduction in PCI scope. Instead of a full Level 1 on-site audit covering many systems, a vaulted merchant may be eligible for a simpler SAQ A or SAQ A-EP assessment that covers only the points where card data is captured and handed to the vault.
Vault providers take on the demanding compliance work: maintaining the secure environment, undergoing their own PCI DSS audits, and supplying compliance documentation. Their compliance posture becomes the foundation of yours and reduces the resources you need to establish your own.
How does a Payment Vault integrate with billing, dunning, and account updater?
It’s most effective to have a vault sitting at the very center of your recurring payments stack:
- Billing System — The billing engine submits the charge request using a token. The vault resolves the token to the PAN and only then forwards it to the processor. The billing system never has direct access to card data.
- Account Updater — Card networks (Visa, Mastercard) offer Account Updater services that supply new card numbers and expiry dates when cards are reissued. A well-integrated vault renews the stored credentials behind the existing token, reducing involuntary churn.
Together, these establish a flow where tokens are submitted, charges are executed, and card details are updated automatically, without the application ever handling a PAN.
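As an added illustration (not any vendor's vault or API), here is a minimal in-memory model of the flow above: only the vault maps random tokens to PANs, the billing layer charges by token through interchangeable processors, an Account Updater result swaps the credentials behind the same token, and the audit log only ever carries a masked PAN. All class and function names, and the test card numbers, are constructed for the example.

```python
import secrets
from dataclasses import dataclass
def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects malformed PANs at the vault boundary."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Log-safe form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Processor:          # stand-in PSP: apart from the vault, the only party that sees a PAN
    name: str
    def authorize(self, pan: str, expiry: str, amount_cents: int) -> dict:
        return {"processor": self.name, "last4": pan[-4:], "approved": True}

class PaymentVault:       # hypothetical vault: the only object holding raw PANs
    def __init__(self):
        self._cards = {}      # token -> (pan, expiry); never returned to callers
        self.audit_log = []   # every access recorded, with the PAN masked
    def tokenize(self, pan: str, expiry: str) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_hex(16)   # random: carries no PAN information
        self._cards[token] = (pan, expiry)
        self.audit_log.append(f"tokenize {token} {mask(pan)}")
        return token
    def charge(self, token: str, amount_cents: int, processor: Processor) -> dict:
        pan, expiry = self._cards[token]         # KeyError for an unknown token
        self.audit_log.append(f"charge {token} {amount_cents} via {processor.name}")
        return processor.authorize(pan, expiry, amount_cents)
    def apply_account_update(self, token: str, new_pan: str, new_expiry: str) -> None:
        # Account Updater result: new credentials behind the *same* token
        if token not in self._cards or not luhn_ok(new_pan):
            raise ValueError("unknown token or invalid PAN")
        self._cards[token] = (new_pan, new_expiry)
        self.audit_log.append(f"update {token} {mask(new_pan)}")

def demo():   # constructed walk-through: one token, two processors, one card reissue
    vault = PaymentVault()
    token = vault.tokenize("4111111111111111", "1227")        # constructed test PAN
    first = vault.charge(token, 999, Processor("psp_a"))
    second = vault.charge(token, 999, Processor("psp_b"))     # same token, other PSP
    vault.apply_account_update(token, "4242424242424242", "1230")
    third = vault.charge(token, 999, Processor("psp_a"))      # new card, same token
    return token, first, second, third, vault.audit_log
```

Running `demo()` shows the same token authorizing at both processors and continuing to work after the card is reissued, while no log line ever contains a full PAN.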
What ROI does a Payment Vault deliver?
Some questions to consider:
- Does involuntary churn from card expiry or reissuance affect your business today?
- Does relying on a single processor limit your ability to negotiate rates or redirect transaction flow?
- Is your PCI compliance scope growing as you add systems that handle card data?
If so, a vault can pay for itself in the following ways:
- Reducing PCI Scope — Fewer systems in PCI scope mean lower audit expenditure, fewer remediation cycles, and more contained breach liability.
- Approval Rate — Account Updater combined with retry logic typically raises authorization rates by roughly 2–5 percentage points, a difference that matters at scale.
- Processor Portability — You can renegotiate terms with your current processor or route specific BINs to card networks that offer higher approval rates.
- Lowering Churn — Timely credential updates reduce "card declined" errors and, with them, subscription cancellation rates.
- Market Expansion — Connecting the vault to multiple processors lets you add local acquirers without redesigning the full payment stack.
Conclusion
A SaaS payment vault can reduce PCI scope, remove processor dependency, and improve authorization rates, while keeping your infrastructure away from sensitive card data. For any business with subscriptions or recurring revenue, a vault is becoming a fundamental component of the payment infrastructure rather than a discretionary add-on.