Company news

Card Vaulting / Acquiring Side Tokenisation

More and more merchants are now starting to rely on card vaulting with their payment service provider (PSP), where the PSP stores the card details on behalf of the merchant, and a tokenised payment means is used.

One of the challenges faced by merchants, cart providers and PSPs is to ensure that the card being vaulted is actually being presented by the legitimate card owner. For now, merchants can simply "vault" the card, without the need for any ownership checks. That is all about to change in the SEPA zone.

Card On-boarding / Registration under PSD2 Article 98

Article 98 of the PSD2 provides for the European Banking Authority (EBA) to consult with and make regulations for industry.

As most of us in payments are aware, that process was finalised by the EBA some time back as the 'Guidelines for the Security of Internet Payments' or SecuRE Pay.

SecuRE Pay appears to be somewhat silent on the matter of card vaulting, until you consider that a card vault is really just another way to say that the PSP will store a card within a 'wallet' operated by that licensed PSP, on behalf of multiple merchants.

SecuRE Pay's definitions on Page 12 define:

"Wallet solutions means solutions that allow a customer to register data relating to one or more payment instruments in order to make payments with several e-merchants."

So, does acquiring side tokenisation or card vaulting fit within that definition? We believe that it does, as its function is covered by the definitions, even if terminology varies between regulator and industry. In any case, registration of a card presents a very real security issue, and represents a flaw in the present approach.

Let's then circle back to Page 10, Item 7 of SecuRE Pay, where the use of Strong Customer Authentication is mandated:

"[cards] the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ’wallet solutions’;"

The "... registration of card payment data for use in ’wallet solutions’" appears to be very broad, and inclusive of all wallet types, such as online stored value, instant payments (remote), tokenisation/vaulting or local NFC payments, where the internet is involved and a browser-based interface is used and/or cards are involved. Basically, any PSP operated facility that allows for payments to more than one merchant will fall into this category.

The SecuRE Pay requirements then go on to state at 7.6: "[cards] For the card payment schemes accepted by the service, providers of wallet solutions should require strong authentication by the issuer when the legitimate holder first registers the card data."

If a merchant is PCI certified, and able to store the card on their side, then that may be one approach that circumvents the SecuRE Pay requirement. However, that raises other challenges for the merchant, which may be best addressed by its PSPs. It's also a risky approach given that the rest of the SEPA zone will be "locked down" by SecuRE Pay, and fraudsters always gravitate to the weakest point.

iSignthis rolled out PCI DSS level 1 certified and PSD2 compliant Card Vaulting / Tokenisation to last month, using our patented payment instrument verification process.

If card vaulting is something that interests your organisation (be you a merchant or a PSP), then, please get in touch with us to discuss how we can help.

Thursday, 02 Jun, 2016 / 12:55

Note: Company News is a promotional service of the Directory and the content isn't created by Finance Magnates.
