Token Vault
What Is a Token Vault?
A token vault is a highly secure data repository that intercepts raw Primary Account Numbers (PANs) at the point of card entry, replaces them with algorithmically generated, non-sensitive tokens, and stores the encrypted PAN-to-token mapping in an access-controlled, HSM-backed environment. The token circulates through merchant systems, routing APIs, and fraud engines, while raw card data remains isolated behind the vault's security boundary.
The commercial motivation is twofold. First, PCI DSS scope reduction: any system that never processes a raw PAN falls entirely outside PCI audit scope, dramatically reducing the cost and complexity of annual assessments. Second, portability: a provider-agnostic vault breaks the structural lock-in that arises when a PSP controls both tokenisation and processing.
Types of Payment Tokens
Proprietary PSP Tokens
Traditional gateway tokens are issued by the gateway and are only valid within that ecosystem. A Stripe token cannot be presented to Adyen; a Braintree token cannot be used with Worldpay. This creates structural vendor lock-in: the merchant's customer payment credentials are held by the PSP, making switching costs prohibitively high and multi-acquirer routing impossible without a full token migration.
Network Tokens
Network tokens are issued by card schemes—Visa Token Service (VTS), Mastercard MDES, Amex Token Service. They are portable across acquirers, domain-restricted to the merchant that provisioned them, and automatically updated by the issuing bank when the underlying card is replaced. Network tokens deliver measurably higher authorisation rates than raw PANs and may qualify for reduced interchange categories, creating a direct cost benefit alongside the security improvement.
Provider-Agnostic Vault Tokens
An independent vault—like Guardian—issues its own token and manages the mapping to either the underlying PAN or a network token internally. A single vault token can be passed to any connected acquirer. The vault, not the acquirer, is the source of truth for payment credentials. This gives the merchant complete data sovereignty: credentials can be routed to any acquirer today, and to any future acquirer without migration.
How Hellgate Guardian Provides Provider-Agnostic Vaulting
Guardian is Hellgate's PCI-compliant, provider-agnostic token vault. It captures card data through isolated PCI-scoped JavaScript iFrames, issues a universal vault token, and integrates with Visa TMS and Mastercard MDES to provision and manage network tokens on behalf of the merchant. Because Guardian is decoupled from any individual acquirer, its tokens work across every PSP connected through Link.
Merchants using Guardian own their customer payment credentials fully and permanently. Adding a new acquirer, negotiating better rates, or switching primary processors becomes a routing configuration change in Hub—not a data migration project. Guardian also supports IBAN and PII tokenisation, making it the single credential storage layer for the entire payment and identity stack.
11