Definition
Vaulting, in the context of payments, refers to the secure storage of sensitive payment credentials – typically a cardholder's Primary Account Number (PAN) and associated data – in an encrypted, access-controlled environment called a vault. The vault replaces the raw card data with a token: a non-sensitive reference that can be used for future transactions without exposing the original credentials.

How Vaulting Works
When a customer completes a payment, their card details are captured once and sent directly to the vault. The vault encrypts the data, stores it in a certified secure environment, and returns a token to the merchant's system. From that point forward, every recurring charge, subscription renewal, or one-click payment uses the token – the actual PAN never re-enters the merchant's infrastructure.

This process is sometimes called card vaulting or card-on-file tokenization, and it sits at the heart of PCI DSS compliance for any business that stores payment credentials.

Why Enterprises Use Vaulting
• PCI scope reduction: Systems that only handle tokens, not raw PANs, fall outside the most stringent PCI DSS requirements, dramatically reducing audit complexity and cost.
• Acquirer independence: With an independent vault, tokens are not tied to a specific PSP. Switching acquirers or adding new processors doesn't require re-tokenization.
• Improved authorization rates: Vaulted credentials can be combined with network tokenization (Visa, Mastercard) to deliver higher approval rates and automatic card-update capabilities.
• Fraud reduction: Tokens are useless outside the vault's control environment, limiting the impact of data breaches.

Vault Types
PSP-bundled vault: The PSP stores your card data and issues its own tokens. Tokens are proprietary – they only work within that PSP's ecosystem, creating vendor lock-in.

Independent vault: A standalone, PSP-agnostic vault owned and operated independently of any single acquirer or payment processor. Tokens are portable and can be routed to any downstream provider.

Vaulting and Network Tokenization
Vaulting should not be confused with network tokenization. Network tokens (issued by Visa or Mastercard via their token service programs) replace PANs at the scheme level and travel through the authorization network. A vault stores the original PAN and manages the mapping. Many modern payment platforms combine both: the vault holds the PAN, and the vault's token management service requests and manages network tokens from Visa and Mastercard on behalf of the merchant.

→ Deep Dive: How Hellgate Guardian handles card vaulting and network tokenization
→ See also: Card Data Vault, Network Token