PCI Compliant Card Vaulting

Secure Credit Card Storage

In order to accept credit card payments, you need to comply with PCI DSS. This includes the obligation to store card data securely. As setting up and maintaining your own secure storage is costly and complex, most merchants rely on third party credit card vault providers to store this sensitive information. IXOPAY offers a PCI DSS Level 1 independent credit card vault, reducing your own PCI DSS scope and costs.

IXOPAY's PCI Compliant Vault

Use IXOPAY’s PCI Vault to ensure you adhere to the rigorous standards of the Payment Card Industry Data Security Standard (PCI DSS). Our PCI Vault is PCI-DSS Level 1 certified, ensuring the secure storage of customer credit card data via state of the art encryption. Storing payment information in our vault significantly reduces your PCI DSS scope and costs, while protecting your customers from the risk of data breaches. IXOPAY is also 3DS certified, delivering an additional layer of security to card transactions.

Use IXOPAY’s PCI Vault to:

Store card data securely in encrypted form
Tokenize payment details for additional security
Process card on file transactions including recurring payments with any PSP
Reduce your PCI DSS scope and liability
Reduce the risk of data breaches
Manage a card’s lifecycle, ensuring card details are up-to-date

Credit card payments remain popular

Credit card payments remain popular for online purchases. However, merchants and businesses that process and store credit card transactions need to comply with PCI DSS requirements. These are mandated by the credit card schemes to ensure that card details are handled and stored securely.

IXOPAY's PCI Vault helps your business meet these requirements, while reducing your PCI DSS scope and costs. This allows you to process card on file transactions and streamlines your checkout process by allowing your customers to store payment information for reuse.

What is PCI DSS?

The Payment Card Industry Data Security Standard (PCI DSS) defines baseline requirements and best practices for protecting credit card account data and ensuring secure storage. The guidelines mandate specific security protocols and processes to mitigate the risk of data breaches and safeguard payment data. Any business that processes or stores credit or debit cards must comply with PCI DSS. Using a payment orchestration platform like IXOPAY as your PCI storage provider makes complying with these requirements much easier and reduces costs.

How can merchants comply with PCI DSS?

Merchants who store and process credit cards directly need to meet higher levels of PCI DSS compliance. In total, there are four levels (1-4, with 1 being the highest), with the level required depending on your transactions volume. Outsourcing the storage of credit card details to IXOPAY significantly reduces your PCI DSS scope. Instead of requiring costly state-of-the-art secure infrastructure and annual recertification audits, you will typically only need to complete an annual self-assessment questionnaire.

IXOPAY’s PCI-compliant vault is PCI DSS Level 1 certified.

Reduce Your PCI DSS Scope and Costs with IXOPAY

PCI DSS imposes strict requirements on storing card details. The PAN must be encrypted and stored in a secure environment. Enterprises that store PAN data most deploy appropriate security measures and must undergo annual recertification. These requirements can easily incur costs of hundreds of thousands of euros per year. Storing sensitive payment data in IXOPAY’s secure PCI Vault reduces your PCI DSS scope and costs significantly, and eliminates the need for annual audits.

IXOPAY uses tokenization to ensure that you can reuse stored card details for card on file transactions and automatic recurring payments. Tokens eliminate the need to store sensitive card details locally, reducing your PCI DSS scope. IXOPAY tokens allow tokenized cards to be used with any payment provider connected via IXOPAY.

PCI transaction flow: The merchant sends credit card details that are stored in a secure PCI vault, and receives a token that is used for subsequent card on file payments using the same card.

Avoid Vendor Lock-in with IXOPAY

Payment service providers offer their own vaulting and tokenization services. However, these tokens are only valid for that provider. Cards tokenized this way cannot be used for transactions with other PSPs, leading to vendor lock-in. Furthermore, if your primary PSP is temporarily unavailable, terminates your contract or goes out of business, you will be unable to use tokenized card data to reroute the transaction to an alternative provider. Tokens issued directly by a PSP thus increases your dependence on that PSP and makes it harder to switch providers.

Cards tokenized by IXOPAY and stored in our independent credit card vault can be used with any PSP or acquirer integrated via IXOPAY. If your primary provider experiences an outage or issues a soft decline, you can resubmit the same transaction to a different provider using the same token, increasing your conversion rate. Tokenizing card data with IXOPAY allows you to leverage the full power of a multi-acquirer setup, seamlessly integrating multiple payment providers through a single payment gateway.

Vendor dependency with and without IXOPAY

Payment orchestration simplifies the process of integrating multiple PSPs; tokenized payment instruments can be used with any provider

Import and Export Tokenized Card Details as Needed

If you are migrating to IXOPAY and already have tokenized credit card details with your current payment provider, we can help you import this data into IXOPAY. This will allow your customers to continue using their stored payment methods.

At IXOPAY, we believe strongly in the independence of merchants to make their own decisions regarding payments, which is why we give you the means of exporting all your tokenized payment data should you decide to leave IXOPAY and move to another provider.

Ensure Card Details are Always Current

Card on file transactions, recurring payments and other automatic payments rely on up-to-date card details. Card details can change as the result of a card being reissued, e.g. due to it expiring or being lost. To ensure that card details stored in IXOPAY’s PCI Vault are up-to-date:

IXOPAY’s Account Updater allows you to automatically request up-to-date card details from the network schemes

Network tokenization allows you to use tokens issued by the card schemes (Visa, Mastercard etc.) directly; these tokens always reference the latest card details managed by the schemes themselves

As cards stored in the IXOPAY PCI Vault can be used with any PSP, this card lifecycle management only needs to be performed once for all PSPs.

Interested in learning more?

Let's schedule a tech demo!

Partner	Name	Description	Duration
IXOPAY GmbH	cookiesConsent	Cookie Banner. Stores your cookie settings.	12 Months
IXOPAY GmbH	Visitor Filter	User centric security cookie to detect authentication abuses. Filters out computer/bot generated Website requests.	30 Minutes
Google Ireland Limited	reCAPTCHA	User centric security cookie to detect if a human being or a computer is making a specific entry in our contact or newsletter form.	6 Months
Cloudflare Inc.	Security Cookie	Used by Cloudflare (Website Security Network) to identify trusted web traffic, and protect our website against malicious activity (see Cloudflare's Cookie Informations).	30 minutes

Partner	Name	Description	Duration
Google Ireland Limited	Google Analytics	Cookies are used to collect data on how visitors interact with our website. It helps us analyze website traffic and user behavior, providing insights to improve user experience. It uses identifiers like Client IDs to track user interactions across sessions (also see Google Privacy & Terms).	2 years
Microsoft Ireland Operations Limited	Clarity	Analytical service capturing your interactions on the Website such as how the page has rendered and what interactions you had on the Website (surfing behavior: mouse movements, clicks, scrolls). Microsoft collects or receives personal data from us to provide Microsoft Advertising (see Microsoft Privacy Statements). Sensitive content such as passwords, usernames, and user input are masked before sending to Microsoft.	12 months
Dealfront Group GmbH	Leadfeeder	Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Leadfeeder only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visit data is aggregated Dealfront Group GmbH / Analytical service that collects the visitor IP address to detect corporate visits and their geographic location. Dealfront only shows company visits, automatically filtering out all users visiting from residential IP addresses. All visitor data is aggregated on the company level (no reference to natural persons). Via a connection to Google Analytics, Dealfront shows company visitors' interactions on the Website (pages viewed, visitor source and duration of session). Dealfront also enriches that company data with contact data for individuals from publicly available data sources (eg. LinkedIn).	24 months
Salesforce, Inc.	Salesforce Account Engagement (Pardot)	Salesforce cookies are used to support the functionality and performance of our customer relationship management (CRM) system. They help maintain session continuity, track user preferences, and store authentication details to ensure a secure and seamless user experience. These cookies also assist in tracking user interactions to improve service delivery and customer support. Also see Salesforce Cookie Information.	24 Months
ZoomInfo Technologies LLC	ZoomInfo	ZoomInfo uses cookies to enhance its B2B intelligence services by collecting and organizing data about website visitors. These cookies help track user sessions, visitor interactions, and company-level engagement to provide businesses with insights into potential leads and decision-makers. The data collected by these cookies is used solely for business-related purposes, namely lead generation and improving targeted marketing efforts.	730 days

Partner	Name	Description	Duration
Google Ireland Limited	Google Ads	Google Ads uses conversion cookies to track and measure the effectiveness of advertisements across our website and those of our marketing and advertising partners. These cookies help assess how visitors interact with our ads, enabling us to optimize campaigns and enhance targeting.	3 months
Microsoft Ireland Operations Limited	Universal Event Tracking (UET)	Conversion-cookie set by the service Microsoft Advertising for assessing advertisement efficiency across our Websites and on websites of our marketing- & advertising partners. This cookie helps monitor user interactions and conversions, providing insights to optimize ad performance. The cookie and your IP address are transmitted to Microsoft with each HTTP request, not just through UET.	13 Months
Wistia, Inc.	Video Player	Video hosting platform that collects and analyzes data on video performance and user interaction, offering insights to help users better understand how their content is being consumed.	1 Day
6sense Insights, Inc.	6sense Predictive	6sense uses cookies to track and analyze visitor interactions, providing predictive insights and identifying potential business opportunities. These cookies collect information on user sessions, visitor behavior, and company identification. The data collected, including session activity and user identifiers, supports marketing and sales efforts by enabling targeted engagement strategies.	24 Months
Salesloft, Inc.	Salesloft CRM	Salesloft is a sales engagement platform that uses cookies to track user interactions, manage customer relationships, and streamline sales operations. These cookies enable session tracking, secure authentication, and multi-site tracking. For example, when a recipient clicks a link tracked by Live Web Tracking on scout.salesloft.com, it allows Salesloft to track activity across different websites, providing insights into customer engagement.	1000 Days