Glossary

What are Storable Credentials?

Storable credentials, often referred to as Credential-on-File (CoF), are payment details—most commonly credit card numbers, expiration dates, and billing addresses—that a customer explicitly authorizes a merchant to store for future use. These credentials are the engine behind modern digital commerce, enabling "one-click" checkouts for returning users and automated recurring billing for subscription-based business models.

CIT vs. MIT: The Two Types of Stored Payments

To maintain compliance and high authorization rates, the global card networks (Visa, Mastercard) distinguish between two types of transactions involving storable credentials:

  1. Customer Initiated Transactions (CIT): These occur when the cardholder is "in-session." For example, a returning user selects their saved card from a dropdown menu and clicks "Pay." Because the user is present, these transactions often require a CVV or a 3D Secure (3DS) biometric challenge.

  2. Merchant Initiated Transactions (MIT): These occur "off-session" without the customer's immediate involvement. Examples include monthly subscription renewals, utility bills, or "top-ups" when a balance drops below a certain threshold. These require a specific "mandate" or agreement established during the initial setup.

The Operational Risk of Storable Credentials

While storable credentials drive long-term customer value, they introduce two significant risks for the enterprise:

  • The Compliance Burden: Storing raw credentials locally forces your entire infrastructure into the Cardholder Data Environment (CDE), triggering the most complex tier of PCI compliance (SAQ D).

  • Involuntary Churn: Physical cards are lost, stolen, or expire. If a stored credential becomes "stale," the next subscription payment will fail. Without automated lifecycle management, this leads to involuntary churn, where you lose customers simply because of administrative data errors.

  • Proprietary Token Lock-in: Most legacy Payment Service Providers (PSPs) vault these credentials and give you a proprietary token. If you ever want to move your subscribers to a different processor, the PSP holds your data hostage, making migration nearly impossible.

How Hellgate.io Liberates Storable Credentials

Hellgate’s Composable Payment Architecture (CPA) gives you the benefits of storable credentials without the associated risks or vendor lock-in.

Agnostic Vaulting via Guardian

Instead of letting a single PSP own your customer relationships, you utilize Hellgate Guardian. Guardian intercepts the credentials at the network edge during the initial transaction. It vaults the data independently and issues a universally portable Hellgate Token. You achieve SAQ A compliance while maintaining the freedom to use those credentials with any global gateway.

Automated Lifecycle Management

Hellgate Guardian integrates directly with card network services like Visa Account Updater. When a customer's physical card is reissued, Guardian automatically updates the stored credential in the background. Your MIT (Merchant Initiated Transactions) continue to succeed, and your revenue remains uninterrupted.

Network Tokenization for Higher Trust

For maximum performance, Hellgate can upgrade your storable credentials to Network Tokens. Unlike standard vaulted cards, Network Tokens are issued by the card brands (Visa/Mastercard) and are accompanied by dynamic cryptograms. This proves to the issuing bank that the stored credential is secure, leading to significantly higher authorization rates for recurring payments.

Internal Linking Strategy

  1. Anchor Text: SAQ A

    • Target: /glossary/saq-a

    • Context: Directs readers to understand the simplified compliance standard achieved by vaulting credentials with Hellgate.

  2. Anchor Text: involuntary churn

    • Target: /glossary/authorization-rate-optimization

    • Context: Links the management of stored credentials to the broader goal of maximizing successful transactions.

  3. Anchor Text: Network Tokens

    • Target: /glossary/network-tokenization

    • Context: Guides developers to learn how to enhance storable credentials with scheme-level security.

Frequently Asked Questions (FAQ)

Is a "saved card" the same as a storable credential? Yes. In the consumer-facing UI, it’s a "saved card." In technical and regulatory terms, it is a storable credential that requires specific flags (CIT/MIT) in the API payload to be processed correctly.

Do I need the CVV for recurring payments? No. In fact, PCI DSS regulations strictly prohibit the storage of CVVs after the initial authorization. For subsequent Merchant Initiated Transactions (MIT), the card networks allow the transaction to proceed without a CVV, provided the initial transaction was properly flagged and authenticated.

Can I move my stored credentials from Stripe to Hellgate? Yes. This is done through a "PCI-to-PCI migration." Stripe (or any other Level 1 provider) securely transfers the raw PANs to the Hellgate Guardian vault. Once the migration is complete, you can route those customers to any processor you choose.

Own your customer relationships.

Stop letting legacy processors hold your subscription revenue hostage with proprietary tokens. Leverage Hellgate's Composable Payment Architecture to vault credentials independently, automate their lifecycle, and route your recurring volume with total freedom.

Related

3-D Secure (3DS)
Account Information Service Provider (AISP)
Account-to-Account Payments (A2A)
Account Updater
ACH (Automated Clearing House)

Latest News

Tokenization

May 15, 2026

Scheme Tokens, Network Tokens, and the Lock-in Nobody Talks About

Tokenization

May 8, 2026

The PAN and the Vault: Why Token Ownership Starts Before the Token
A BMW infotainment system view of the BMW iX3. It shows the Plug&Charge contract and the reference number to the driver's credit cared

Press Release

Apr 16, 2026

Hellgate Powers Payment Infrastructure for "Plug&Charge Direct" Launch with BMW Group, Hubject, and Mer