SAQ A descoping
Network token lifecycle
API-first proxy
Dedicated infrastructure
app.hellgate.io/guardian/tokens
Built on the Hellgate Cloud Platform. Works with the card networks and PSPs you already use.
Visa Token Service
Mastercard MDES
Any PSP or acquirer
The problem
Storing card data is risky and costly.
PCI compliance shouldn’t hold back innovation, but most teams still juggle vaulting, audits, and token management on their own.
PCI compliance overhead
SAQ D means hundreds of controls, file-integrity monitoring, and annual on-site audits, consuming engineering time you would rather spend on product.
Data fragmentation and exposure
Sensitive card data spread across multiple systems widens your attack surface, and your compliance scope, with every new integration.
Vendor lock-in
Proprietary tokens chain your volume to one processor. You can’t route, A/B test acquirers, or migrate without forcing customers to re-enter cards.
Why Guardian
One secure layer between you and every card credential.
A universal vault and tokenization system, built for the complex part of the payments world.
Merchant
Guardian
Vault and tokenization
PSPs and acquirers
Out of PCI scope by design
A proxy architecture keeps raw card data off your servers, dropping you from SAQ D to SAQ A on dedicated infrastructure provisioned for you.
Tokens you own
Universal tokens work with any PSP or acquirer, so you can route, fail over, and migrate volume without ever touching a credential.
One simple integration
A single API-first integration covers vaulting, network tokens, account updater, and identity verification.
Integration
Two ways to plug in. Both invisible to your customers.
Call Guardian directly, or slot its proxy transparently between your checkout and your PSP.
API mode
A direct call to Guardian’s API to vault, tokenize, or resolve a credential.
Vault a card and receive a universal Hellgate token
Network tokens provisioned and refreshed automatically
Identity and verification run inline or asynchronously
Proxy mode
Guardian’s proxy sits transparently between your checkout and your PSP.
No change to your customer-facing flow
Inbound proxy captures the raw PAN before it reaches your servers
Outbound proxy resolves the token and injects the PAN to the PSP
PATTERN 01
Vault and tokenize
Capture the card, store it in the PCI vault, and return a token your systems can safely reuse.
PATTERN 02
Network tokenization
Provision Visa and Mastercard network tokens, with dynamic cryptograms that lift authorization rates.
PATTERN 03
Inbound proxy
Intercept the raw PAN in the consumer request and tokenize it before it ever touches your backend.
PATTERN 04
Outbound proxy
Resolve a token and inject the PAN directly to the acquirer of your choice at authorization time.
Token services
Every credential service,
in one vault.
Run them standalone or compose them, all from a single PCI-aligned vault.
PCI-compliant vaulting
Store cardholder data inside a PCI-certified vault. Raw PANs never touch your systems, removing PCI scope from your environment.
vault
tokenize
proxy
SAQ A
Network tokens & updater
Provision and refresh Visa and Mastercard network tokens, and keep cards on file current with Account Updater to stop silent churn.
VTS
MDES
updater
cryptograms
Identity & verification
Validate cards, identities, and devices in real time with 3DS 2.x and risk-based checks, fully aligned with PSD2 and SCA.
SAQ A
Descoped from SAQ D via the proxy
+2-4%
Auth uplift from network tokens
~0%
Involuntary churn with Account Updater
Token lifecycle
From first card to renewal, in one system.
Every credential is vaulted once, then tokenized, verified, and kept current automatically, so payments keep flowing without re-entry.
Vault
Tokenize
Verify
Authorization
Capture
Network token
Account updater
Re-auth
Renewal
Inside Guardian
See every token. Manage every credential.
A console built for payment teams, from live tokens down to the card behind each one.
A live view of every token
Track every Hellgate token across schemes and accounts, with network-token status, ID&V state, and creation date at a glance.
- Filter by scheme, network token, or date
- Search by last 4 digits or token ID
- Export a full report in one click
Composable
One product in the Hellgate Cloud Platform.
Run Guardian on its own, or compose it freely with other Hellgate products as your needs grow.
You are here
Guardian
Token vault with network tokenization.
Specter
Real-time risk and fraud decisions.
Link
Rapid protocol and backend integration.
Pricing
Scale on your terms.
Pick an infrastructure tier with unlimited token storage, no overage penalties, and universal token portability. A single per-token issuance fee applies.
DEV
Playground
€0.28
/ hour
Development tier
5,000 tokens
Single node, EU region only
Full Guardian vault
Inbound + outbound proxy
SAQ A, A-EP, D
S
Hello World
€0.56
/ hour
Production tier
Unlimited tokens
Single node, EU region only
Network token support
Account Updater included
SAQ A, A-EP
M
Go Live
€1,000
/ month
Production tier
Cluster M
EU and US regions
Network token support
Vault, tokens, ID&V
SAQ A, A-EP
Most popular
L
Think Global
€5,800
/ month
Production tier
Cluster L
All regions
Network token lifecycle
Account Updater + ID&V
Multi-region, Link included|SAQ A, D, RoC
XL
Think Big
€12,500
/ month
High availability
Cluster XL
All regions, high availability
Full RoC compliance
Dedicated success manager
Priority SLA, Link included|SAQ A, D, RoC
XXL
God Mode
Custom
Individual pricing
Cluster XXL
All regions, high availability
DAuth + extension support
Network token support
Link included, SAQ A, D, RoC
Add-on Services
Enabling efficient orchestration, expanding merchant access, and powering embedded finance models.
Network Tokens
Manages lifecycle of network tokens (Visa, Mastercard, etc.)
Enables secure token provisioning and refreshing
Enables processing over different PSPs and Acquirers
Optional fallback for PAN vaulting
Build modern, user-friendly authentication flows aligned with PSD2 and beyond with delegated authentication
Account Updater
Keeps stored CHD actual and refreshes if needed
Reduces transaction failures through expired, replaced, reissued CHD
Is integrated with VISA (Account Updater) and Mastercard (Automatic Billing Updater)
Improves authorization rates
Improves customer retention, esp. for loyalty programs and recurring billings
Fully compliant with EMV 3DS 2.x protocol
Supports both frictionless and challenge flows
Designed for seamless use across multiple PSPs and Acquirers
Compatible with PSD2/SCA and global authentication mandates
Card Metadata Service
Provides Card Metadata, like Issuer, BIN, and country
Delivers card types, scheme affiliation and feature flags
Provides the fuel to improve routing scenarios and customer analytics
BOOK A DEMO
Walk through a live ruleset with our team. We will map Guardian to your risk flows and show you exactly where it fits.
Deep dive into your current payment infrastructure challenges
Personalized walkthrough of relevant Specter features for your use case
Clear explanation of implementation and integration paths
Live Q&A with our payment specialists
Book a demo with our product specialists
Trusted by enterprise clients
Can Guardian be standalone?
Yes. Independent of Hub/Commerce.
Label
How do network tokens help?
Reduce declines, mitigate fraud, and keep subscriptions alive.
Label
Does Guardian only handle cards?
Primarily, but can vault other sensitive data (PII, GDPR).
Label
Can I migrate tokens into Guardian?
Yes. Migration flows are supported.
Label
What is a credit card vault and how does it reduce PCI scope?
A credit card vault is a PCI DSS-certified environment that stores cardholder data – primarily Primary Account Numbers (PANs) – on behalf of a merchant. Instead of storing raw card data in your own systems, you store a token: a non-sensitive reference that maps back to the original credential inside the vault. Because your own infrastructure never touches the PAN, it falls outside the most demanding PCI DSS requirements. The result is a dramatically reduced compliance scope – typically from SAQ D (hundreds of controls) to SAQ A (a short self-assessment).
→ Hellgate Guardian handles PCI vaulting for enterprise merchants · Full guide: Credit Card Vault
Label