Everything Your Subscription Business Needs to Know about Credit Card Vaulting

Serge Frigon

Since the subscription business model requires making recurring payments, it makes sense to keep customer credit card numbers on file. That way, you won’t have to wait for customers to provide their details before you charge them, which can cause delays in collecting your monthly recurring revenue. It also improves the customer experience by saving them the inconvenience of having to take action every time they need to pay your subscription pricing.

But of course, you can’t just chuck your existing customers’ credit card details into a spreadsheet and call it a day.

Subscription businesses that collect credit card data and process card transactions are subject to the Payment Card Industry Data Security Standard (PCI DSS), a set of stringent controls meant to keep that sensitive data out of the wrong hands. Non-compliance can bring card-brand fines of up to $100,000 per month, lawsuits, or even the loss of your ability to accept card payments altogether.

And needless to say, saving sensitive data in a spreadsheet—even a password-protected one—isn’t secure enough for adhering to data security measures. What will help you comply with your business’s credit card data protection obligations, on the other hand, is to store such data in a PCI-compliant credit card vault.

Let’s take a look at what credit card vaults are, how they help keep your customer data secure, and your options for adopting a credit card vault for your subscription business.

What is a credit card vault?

Unlike what its name might suggest, a credit card vault isn't a physical vault lined with rows of credit cards. Instead, it's a hardened, access-controlled database that stores cardholder data such as:

  • cardholder names,
  • primary account numbers (PANs, the 13- to 19-digit card numbers printed on the card), and
  • expiration dates.

One thing a vault must never store is the card's security code (CVV/CVC): PCI DSS allows it to be used for the initial authorization only, never retained afterward, no matter how well encrypted the vault is.

When your subscription business uses a credit card vault, the vault keeps the card data and hands your billing system a "token" in its place: a random, non-reversible identifier, with one token standing in for one stored card. Your own systems store only the token (plus display data such as the last four digits and expiry), so the PAN never touches your database.

Afterward, when you need to charge a certain card, your billing system presents that card's token to the vault. The vault checks whether it can map the token to a valid card in its database, and rejects anything it does not recognise.

If yes, then all good! The vault passes the real card details to the payment gateway and the charge runs, without your business ever seeing the PAN.
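To make the token flow concrete, here is an added example (not Stax Bill's code, and not how any particular vault is implemented): a minimal in-memory tokenization vault plus a merchant-side billing system that only ever holds tokens. The `CardVault`, `SubscriptionBilling` and `demo` names are assumptions for this illustration, the card numbers are the widely published Visa and Mastercard test numbers, and the customers and dates are constructed. A production vault would additionally encrypt the PAN column with a key held in an HSM or KMS; that step is described in a comment rather than implemented, since the Python standard library has no AES.

```python
import secrets
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: lets the vault reject obviously mistyped PANs on intake."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class CardRecord:
    """Lives only inside the vault. A real vault encrypts `pan` at rest
    (e.g. AES-256-GCM, key in an HSM/KMS); omitted here, not part of the technique shown."""
    holder: str
    pan: str
    exp_month: int
    exp_year: int


@dataclass(frozen=True)
class TokenRef:
    """Everything the merchant is allowed to keep. Token is random, so nothing
    about the PAN can be derived from it; last4 is permitted display data under PCI DSS."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


class CardVault:
    """Hypothetical vault: maps random tokens to card records, never the reverse."""

    def __init__(self) -> None:
        self._cards: Dict[str, CardRecord] = {}

    def tokenize(self, holder: str, pan: str, exp_month: int, exp_year: int) -> TokenRef:
        pan = pan.replace(" ", "")
        if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        # The CVV is deliberately not a parameter: it may be checked during the
        # first authorization but must never be stored, so the vault never sees it here.
        token = secrets.token_urlsafe(24)   # 192 random bits; not a hash of the PAN
        self._cards[token] = CardRecord(holder, pan, exp_month, exp_year)
        return TokenRef(token, pan[-4:], exp_month, exp_year)

    def charge(self, token: str, amount_cents: int, today: Optional[date] = None) -> str:
        """The recurring-billing path: the merchant presents a token, never a PAN."""
        today = today or date.today()
        card = self._cards.get(token)
        if card is None:
            return "rejected: unknown token"
        if (card.exp_year, card.exp_month) < (today.year, today.month):
            return "declined: card expired"
        # A real vault forwards (card.pan, amount_cents) to the gateway/processor here.
        return f"approved: {amount_cents} cents charged to card ending {card.pan[-4:]}"

    def revoke(self, token: str) -> None:
        """Customer removed a card: drop the mapping so the token is dead everywhere."""
        self._cards.pop(token, None)


class SubscriptionBilling:
    """Merchant side. Note that it stores TokenRef objects only: no PAN ever lands here."""

    def __init__(self, vault: CardVault) -> None:
        self.vault = vault
        self.customers: Dict[str, TokenRef] = {}

    def add_card(self, customer_id: str, holder: str, pan: str, m: int, y: int) -> TokenRef:
        ref = self.vault.tokenize(holder, pan, m, y)
        self.customers[customer_id] = ref
        return ref

    def run_billing_cycle(self, amount_cents: int, today: date) -> Dict[str, str]:
        return {cid: self.vault.charge(ref.token, amount_cents, today)
                for cid, ref in self.customers.items()}


def demo() -> Dict[str, str]:
    """Constructed walk-through: one valid card, one expired card, one bogus token."""
    vault = CardVault()
    billing = SubscriptionBilling(vault)
    billing.add_card("cust-1", "Ada Lovelace", "4111 1111 1111 1111", 12, 2030)   # test PAN
    billing.add_card("cust-2", "Alan Turing", "5555 5555 5555 4444", 1, 2024)     # test PAN, expired
    results = billing.run_billing_cycle(4900, date(2025, 1, 1))
    results["forged"] = vault.charge("not-a-real-token", 4900, date(2025, 1, 1))
    return results


if __name__ == "__main__":
    for customer, outcome in demo().items():
        print(customer, "->", outcome)
```

The point to notice is the asymmetry: the merchant's `customers` table could be dumped in full and an attacker would get only tokens and last-four digits, which are useless without access to the vault itself. That asymmetry is exactly what takes the merchant's own databases out of PCI scope for stored cardholder data.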

How does a credit card vault keep your customers’ credit card data secure?

In order to securely and compliantly store credit card data, your business needs to follow the Payment Card Industry (PCI) Data Security Standard. 

Set by the PCI Security Standards Council, this standard requires credit card vault operators—or any business storing credit card info—to meet 12 strict core data security requirements such as:

  • installing and maintaining firewalls,
  • permitting data access only on a “need to know” basis, and
  • testing its security systems and processes regularly.

After implementing the controls, credit card vault operators must validate their setup at the level PCI assigns them based on transaction volume: the highest tier requires an annual on-site assessment by a Qualified Security Assessor (QSA), while lower tiers may complete a Self-Assessment Questionnaire (SAQ) instead.

If it turns out certain PCI requirements haven’t been met, then the credit card vault operator must take remedial action to address the lapses.

Businesses that store sensitive credit card data in a non-PCI compliant card vault can face severe penalties such as the fines of up to $100,000 per month mentioned above.

Should you build your own credit card vault for your subscription business?

For the business that likes to maintain control of all its software systems, the idea of building and maintaining your own credit card vault in-house may be tempting. This is the internal credit card vault approach, and it does give your business full control over your vault setup. It also gives you full visibility into whether the vault is PCI compliant, provided you can pass PCI's stringent and ongoing assessments, that is.

However, the flip side is you will also have full responsibility for establishing and maintaining PCI compliance for your vault in the first place. And this doesn’t mean simply checking off 12 boxes for the 12 main PCI requirements: each requirement has its own various sub-requirements, so you’re looking at complying with over 200 sub-requirements in total.

Efforts to validate at PCI Level 1 (the tier requiring an annual on-site QSA assessment) can span years, with many businesses failing on their first or even second attempt. On the other hand, if your business outsources the storage of cardholder data to a third-party vault, far fewer of your systems are in scope, and passing the PCI assessment becomes a lot simpler and quicker.

Don’t forget that just one slip-up in PCI compliance could be costly for your subscription business.

If hackers manage to crack open your internal credit card vault and make away with your customers’ sensitive data, your subscription business could face hefty fines in the amounts discussed previously—or worse.

Your subscription business could also face lawsuits from customers that chalked up losses after the data breach. Finally, the negative publicity could be difficult to shake, as customers shy away from entrusting you with their credit card details—causing your revenue and cash flow to take a hit.

The 2020 edition of Verizon’s Payment Security Report found that only 27.9% of surveyed organizations were able to achieve 100% PCI compliance during their interim compliance validation. Are you confident in your ability to be one of these organizations as you operate an internal credit card vault?

Secure a safe and smooth billing experience by using recurring billing software as your external credit card vault

DIY-ing an internal credit card vault isn’t impossible, but for most subscription companies, it’s simply not worth the risk or the drain on resources. The alternative is to work with an external credit card vault in which an expert third party maintains the vault for you.

By doing so, you can offload the more tedious PCI compliance requirements to dedicated data security specialists. In fact, these providers are obliged to give you proof that their vaults pass muster, typically an Attestation of Compliance (AOC) issued after their annual PCI assessment, which you should request and keep on file for your own audits.

With the peace of mind that comes with having pros help secure your customers' credit card data, you can focus on developing the best products for your subscription business.

And you may be able to find a solution that both vaults your customers’ payment data and simplifies your billing processes: a recurring billing solution for the subscription-based business model can act as an external credit card vault. Many modern recurring billing software options have a PCI-compliant credit card vault baked in. Using one for your recurring revenue business gives you the benefits of strong data security and powerful billing features, such as:

  • automated invoicing for sending accurate, timely invoices on autopilot,
  • self-service portals for empowering customers to update their credit card details on their own, and
  • automatic credit card retries for recovering failed payments.

Leveraging all these features, your subscription business will be in good shape to securely facilitate smooth recurring billing, no matter the size of your finance team or your customer base. You’ll be able to sleep soundly at night too, knowing that your customers’ credit card data is safe.


Written by:

Serge Frigon
Director of Product, Stax Bill

Serge Frigon is Stax Bill’s Director of Product. He is passionate about improving billing processes for SaaS companies. With 20+ years in SaaS and billing software systems, Serge has a first-hand view of how important financial insights can be to the health of a company.