Credit Card Vault: What It Is, How It Works, and Why Enterprises Need One

Jens Kohnen
Co-Founder & Chief of Revenue and growth at Starfish & Co. – creators of Hellgate®

Every enterprise that stores card-on-file credentials – for subscriptions, one-click checkout, or recurring billing – is sitting on a compliance and operational risk that most teams underestimate. A credit card vault is the infrastructure layer that solves that problem. This guide explains exactly how it works, why the type of vault you choose matters more than most teams realize, and what to look for when evaluating providers.

What is a Credit Card Vault?

A credit card vault is a secure, encrypted storage system for sensitive payment credentials. When a customer enters their card details, those details are captured once, sent directly to the vault, and never stored in the merchant's own systems. The vault returns a token – a non-sensitive reference string – that the merchant stores instead of the real card number.

Every subsequent transaction uses the token. The vault maps the token back to the original card data at the point of processing. From the customer's perspective, nothing changes. From the merchant's perspective, their infrastructure never touches a live PAN again.
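The token flow described above, as an added example that is not Hellgate's or any provider's code. The class, function and token names are hypothetical, the card number is a constructed test value, and the in-memory dictionaries stand in for the vault's encrypted storage.

```python
import hashlib
import hmac
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: reject mistyped card numbers before vaulting."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Vault side: the only component that ever holds a PAN."""
    def __init__(self) -> None:
        self._fp_key = secrets.token_bytes(32)  # keys the dedup fingerprint
        self._pan_by_token = {}  # stand-in for encrypted storage (assumption)
        self._token_by_fp = {}   # HMAC(PAN) -> token, so no plaintext PAN index

    def tokenize(self, pan: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        fp = hmac.new(self._fp_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_fp.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}  # all the merchant stores

    def charge(self, token: str, amount_cents: int, processor) -> str:
        """Map the token back to the PAN only at the point of processing."""
        return processor(self._pan_by_token[token], amount_cents)


def demo_processor(pan: str, amount_cents: int) -> str:
    """Constructed stand-in for the PSP or acquirer call."""
    return f"approved:{amount_cents}:****{pan[-4:]}"


if __name__ == "__main__":
    vault = CardVault()
    record = vault.tokenize("4111111111111111")  # constructed test PAN
    print(record, vault.charge(record["token"], 1999, demo_processor))
```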

Why a Credit Card Vault Reduces PCI Scope

PCI DSS – the Payment Card Industry Data Security Standard – applies to any system that stores, processes, or transmits cardholder data. A business that stores raw PANs in its own database is subject to the most demanding PCI DSS tier (SAQ D or full QSA audit), which involves hundreds of security controls, annual penetration testing, and quarterly network scans.

A credit card vault changes this equation. When card data lives in an independent, certified vault and your own systems only ever see tokens, the scope of your PCI DSS obligations shrinks dramatically. Most merchants can qualify for SAQ A or SAQ A-EP – significantly simpler, cheaper, and faster to maintain.


| | Storing raw PANs | Using a credit card vault |
|---|---|---|
| PCI tier | SAQ D / Full audit | SAQ A / SAQ A-EP |
| Annual audit cost | €80k–€250k+ | €10k–€30k |
| Breach risk | Full card data exposed | Tokens are useless without vault |
| Engineering burden | High (ongoing compliance) | Low (delegated to vault provider) |

PSP Vault vs. Independent Credit Card Vault

This is the decision most enterprises get wrong. Almost every payment service provider offers card-on-file storage as part of their service. It looks like vaulting. It is not the same as an independent credit card vault.

When your PSP stores your card data, they issue their own proprietary tokens. Those tokens only work within their ecosystem. If you want to switch acquirers, add a backup processor, or route transactions to a different provider for better rates – you cannot do it without first re-tokenizing your entire card base. That process typically takes 6–18 months and can cost millions of euros in engineering and downtime risk.

An independent credit card vault breaks this dependency. Your tokens are yours. They are scheme-neutral and acquirer-agnostic. You can route a transaction to Worldpay today and to Adyen tomorrow without touching the underlying card data.

Credit Card Vault and Network Tokenization

A credit card vault and network tokenization are complementary, not competing, technologies.

Network tokens – issued by Visa and Mastercard through their token service programs – replace PANs at the scheme level. They travel through the card network, are automatically updated when a card is renewed or replaced, and typically achieve 2–5% higher authorization rates than raw PANs.

An independent credit card vault acts as the management layer for both types of credentials. It holds the original PAN, maintains the mapping to the merchant's internal token, and can request and manage Visa/Mastercard network tokens on behalf of the merchant. The result: one integration, full credential ownership, and access to scheme-level optimization.

What to Look for in a Credit Card Vault Provider

• PCI DSS Level 1 certified – the vault itself must be certified, not just compliant

• Acquirer-agnostic token format – tokens must be portable across PSPs and processors

• Network token support – ability to request and manage Visa Token Service and Mastercard MDES tokens

• Token migration support – ability to import existing tokens from a PSP vault without exposing raw card data

• Single-tenant infrastructure – your card data should be physically isolated, not shared with other merchants

• API-first architecture – the vault should expose clean REST APIs, not require proprietary SDKs

How Hellgate Guardian Handles Credit Card Vaulting

Guardian is Hellgate's PCI vault and tokenization component. It operates on dedicated, single-tenant infrastructure and issues acquirer-agnostic tokens that work with any PSP or acquirer connected through the Hellgate CPA. It supports both PCI tokens (for internal routing) and network tokens (Visa, Mastercard) through a unified API, and includes built-in token migration tooling for teams moving away from PSP-bundled vaults.

Guardian can be used as a standalone component or as part of the full Hellgate Composable Payment Architecture.



Jens Kohnen was driven to co-start the company by the conviction that payment infrastructure should empower businesses, not bind them. Recognizing that many large organizations were locked into monolithic, opaque setups, Jens embarked on a journey to free enterprises from these rigid stacks. His mission is to enable companies to regain full ownership and monetize their flows, transforming payments from a cost center into a strategic lever for growth.
