Definition

PCI vaulting refers to the practice of storing payment credentials – primarily Primary Account Numbers (PANs) – in a dedicated, PCI DSS-certified vault environment, rather than within a merchant's own systems. The vault issues a token in place of the sensitive data, which merchants use for all subsequent payment operations.

Why 'PCI' Vaulting?

The 'PCI' in PCI vaulting signals that the vault itself must comply with the Payment Card Industry Data Security Standard (PCI DSS). This is not automatic. A vault provider must be certified as a PCI DSS Level 1 Service Provider – the highest tier of compliance – and undergo annual audits by a Qualified Security Assessor (QSA). Merchants using a certified vault can significantly reduce the scope of their own PCI DSS obligations, because cardholder data never enters their environment.

How PCI Vaulting Reduces Scope

Under PCI DSS, any system that stores, processes, or transmits cardholder data falls within scope. By delegating storage to a PCI-certified vault, merchants remove their own infrastructure from the most demanding PCI requirements. The vault becomes the cardholder data environment (CDE); the merchant only handles tokens.

PCI Vaulting vs. PSP Card Storage

Most payment service providers (PSPs) offer card-on-file storage as a bundled feature. This is not the same as independent PCI vaulting: PSP-issued tokens are proprietary and work only within that PSP's system, whereas an independent vault issues portable tokens that can be redeemed with any acquirer or processor, avoiding vendor lock-in.
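As an added illustration of the scope-reduction and token-portability points above (this is a constructed model, not code from the page, from any vault vendor, or from a PSP), the Python below plays the three roles in the flow: a vault that is the only system holding PANs, a merchant that stores tokens and the permitted truncated PAN, and two processor connectors that redeem the same token. The class and function names, the `tok_` token format, the HMAC fingerprint used to give one card one token, and the `authorized_processors` allow-list are all assumptions made for the example; the card number is the industry test value 4111 1111 1111 1111.

```python
"""Constructed model of PCI vaulting: PAN in the vault, token everywhere else."""
import hashlib
import hmac
import re
import secrets

PAN_PATTERN = re.compile(r"^\d{13,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum used by card numbers; rejects malformed PANs before vaulting."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PciVault:
    """Stands in for the PCI DSS Level 1 vault: the only place a full PAN lives.

    Assumptions (not from the page): tokens are random and carry no information
    about the PAN, and only registered processor connectors may detokenize, so
    the merchant never sees the PAN again after handing it over.
    """

    def __init__(self, authorized_processors):
        self._store = {}        # token -> PAN (would be encrypted at rest in a real vault)
        self._fingerprints = {} # HMAC(PAN) -> token, so one card maps to one token
        self._fp_key = secrets.token_bytes(32)
        self._authorized = set(authorized_processors)

    def tokenize(self, pan: str) -> str:
        if not PAN_PATTERN.match(pan) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        fp = hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()
        if fp in self._fingerprints:
            return self._fingerprints[fp]           # idempotent: same card, same token
        token = "tok_" + secrets.token_hex(16)      # random, not derived from the PAN
        self._store[token] = pan
        self._fingerprints[fp] = token
        return token

    def detokenize(self, token: str, processor: str) -> str:
        """Portable token: any registered processor may redeem it, nobody else."""
        if processor not in self._authorized:
            raise PermissionError(f"{processor} may not detokenize")
        return self._store[token]


class Merchant:
    """Merchant systems keep the token plus the last four digits PCI DSS allows for display."""

    def __init__(self, vault: PciVault):
        self._vault = vault
        self.customers = {}

    def save_card(self, customer_id: str, pan: str) -> str:
        token = self._vault.tokenize(pan)
        self.customers[customer_id] = {"token": token, "last4": pan[-4:]}
        return token

    def token_for(self, customer_id: str) -> str:
        """What the merchant sends to a processor: the token, never the PAN."""
        return self.customers[customer_id]["token"]


def processor_authorize(vault: PciVault, name: str, token: str, amount: int) -> dict:
    """Processor side: redeems the token inside PCI scope and 'authorizes' the charge."""
    pan = vault.detokenize(token, name)
    return {"processor": name, "pan_last4": pan[-4:], "amount": amount, "approved": True}


def merchant_holds_pan(merchant: Merchant, pan: str) -> bool:
    """Scope check: does any merchant record contain the full PAN?"""
    return any(pan in str(record) for record in merchant.customers.values())


if __name__ == "__main__":
    vault = PciVault(["acquirer_a", "acquirer_b"])
    shop = Merchant(vault)
    tok = shop.save_card("cust-1", "4111111111111111")
    print(tok, merchant_holds_pan(shop, "4111111111111111"))
    print(processor_authorize(vault, "acquirer_b", shop.token_for("cust-1"), 1999))
```

The model assumes the PAN reaches the vault without passing through merchant servers (for instance via vault-hosted capture fields); where a merchant's own servers receive the PAN before calling `tokenize`, those servers still store, process or transmit cardholder data and remain in PCI DSS scope. `merchant_holds_pan` is the kind of check an assessor's data-discovery scan performs: after tokenization the merchant records should contain only the token and the truncated PAN.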

→ Full Guide: Credit Card Vault – What It Is and Why Enterprises Need One

→ See also: Vaulting · Card Data Vaulting · Guardian