
Card Vaulting / Acquiring Side Tokenisation

iSignthis Ltd (ASX:ISX/FRA:TA8)

More and more merchants are now starting to rely on card vaulting with their payment service provider (PSP): the PSP stores the card details on behalf of the merchant, and the merchant uses a token in place of the card number when it wants to take a payment.

One of the challenges faced by merchants, cart providers and PSPs is to ensure that the card being vaulted is actually being presented by the legitimate cardholder. For now, merchants can simply "vault" the card without any ownership check. That is all about to change in the SEPA zone.

Card On-boarding / Registration under PSD2 Article 98

Article 98 of the PSD2 provides for the European Banking Authority (EBA) to consult with industry and to make regulations for it.

As most of us in payments are aware, that process was finalised by the EBA some time back as the 'Guidelines for the Security of Internet Payments' or SecuRE Pay.

SecuRE Pay appears to be somewhat silent on the matter of card vaulting, until you consider that a card vault is really just another way of saying that the PSP will store a card within a 'wallet' operated by that licensed PSP, on behalf of multiple merchants.

SecuRE Pay's definitions on Page 12 define:

"Wallet solutions means solutions that allow a customer to register data relating to one or more payment instruments in order to make payments with several e-merchants."

So, does acquiring side tokenisation or card vaulting fit within that definition? We believe that it does, as its function is covered by the definition, even if terminology varies between regulator and industry. In any case, registering a card without verifying who is presenting it is a very real security gap, and represents a flaw in the present approach.

Let's then circle back to Page 10, Item 7 of SecuRE Pay, where the use of Strong Customer Authentication is mandated:

"[cards] the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ’wallet solutions’;"

The "...registration of card payment data for use in 'wallet solutions'" appears to be very broad, and inclusive of all wallet types, such as online stored value, instant payments (remote), tokenisation/vaulting or local NFC payments, where the internet is involved and a browser based interface is used and/or cards are involved. Basically, any PSP operated facility that allows for payments to more than one merchant will fall into this category.

The SecuRE Pay requirements then go on to state at 7.6: "[cards] For the card payment schemes accepted by the service, providers of wallet solutions should require strong authentication by the issuer when the legitimate holder first registers the card data."
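To make the two points above concrete, here is an added example (written for this page; it is not iSignthis code and does not describe its patented verification process) of a toy acquiring-side vault in Python. It puts the "just vault it" flow of today beside a registration flow that refuses to issue a token unless it is handed a successful issuer strong-authentication result, as 7.6 requires. The IssuerAuth record, the Luhn check, the exception type and the random "tok_" identifier format are assumptions for illustration; the vault and the PAN it holds are assumed to sit inside the PSP's PCI DSS scope, with the merchant only ever holding the token.

```python
"""Toy acquiring-side card vault (added illustration, not iSignthis code).

Assumptions for this example:
- IssuerAuth summarises the issuer's strong-authentication result for the
  holder; for cards that is typically a 3-D Secure authentication.
- Tokens are random identifiers with no mathematical relation to the PAN,
  so a leaked token cannot be turned back into a card number.
- The token-to-PAN mapping lives only inside the PSP's PCI DSS scope.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Well-formedness check only; it says nothing about ownership."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class IssuerAuth:
    authenticated: bool   # issuer confirmed the legitimate holder
    transaction_id: str   # issuer / ACS reference kept for audit
    method: str           # assumed label, e.g. "3DS2-challenge"


class RegistrationRefused(Exception):
    """Raised when a card may not be vaulted."""


@dataclass
class CardVault:
    _pan_by_token: Dict[str, str] = field(default_factory=dict)
    _auth_by_token: Dict[str, IssuerAuth] = field(default_factory=dict)

    def register_unchecked(self, pan: str) -> str:
        """Today's flow: vault the card with no ownership check at all."""
        if not luhn_ok(pan):
            raise RegistrationRefused("not a well-formed PAN")
        return self._store(pan)

    def register(self, pan: str, auth: Optional[IssuerAuth]) -> str:
        """SecuRE Pay 7.6 flow: no token without issuer strong authentication."""
        if not luhn_ok(pan):
            raise RegistrationRefused("not a well-formed PAN")
        if auth is None or not auth.authenticated:
            raise RegistrationRefused(
                "issuer strong authentication required at first registration")
        token = self._store(pan)
        self._auth_by_token[token] = auth   # evidence of who registered it
        return token

    def _store(self, pan: str) -> str:
        # Random token: nothing about the PAN can be recovered from it.
        token = "tok_" + secrets.token_urlsafe(24)
        self._pan_by_token[token] = pan
        return token

    def masked(self, token: str) -> str:
        """What a merchant is allowed to display: last four digits only."""
        pan = self._pan_by_token[token]
        return "*" * (len(pan) - 4) + pan[-4:]

    def audit_record(self, token: str) -> Optional[IssuerAuth]:
        """Issuer authentication attached at registration, if any."""
        return self._auth_by_token.get(token)

    def detokenise(self, token: str) -> str:
        """Only ever called inside the PSP's PCI scope at payment time."""
        return self._pan_by_token[token]


if __name__ == "__main__":
    vault = CardVault()
    # Constructed test PAN (a well-known Luhn-valid test number).
    proof = IssuerAuth(True, "acs-ref-0001", "3DS2-challenge")
    tok = vault.register("4111111111111111", proof)
    print(tok, vault.masked(tok), vault.audit_record(tok))
    try:
        vault.register("4111111111111111", None)
    except RegistrationRefused as e:
        print("refused:", e)
```

The design point is that the ownership check is enforced at the moment the token is minted, not left to each merchant's checkout: a token that exists in the compliant vault always carries the issuer authentication that created it, which is exactly the evidence a PSP will need to show under 7.6.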

If a merchant is PCI certified and able to store the card on its own side, that may be one approach that sidesteps the SecuRE Pay requirement. However, it raises other challenges for the merchant that may be best addressed by its PSPs. It is also a risky approach given that the rest of the SEPA zone will be "locked down" by SecuRE Pay, and fraudsters always gravitate to the weakest point.

iSignthis rolled out PCI DSS level 1 certified and PSD2 compliant Card Vaulting / Tokenisation to Coinify.com last month, using our patented payment instrument verification process.

If card vaulting is something that interests your organisation (be you a merchant or a PSP), then please get in touch with us at sales@isignthis.com to discuss how we can help.

Source: https://www.linkedin.com/pulse/card-vaulting-acquiring-side-tokenisation-john-karantzis?trk=hb_ntf_MEGAPHONE_ARTICLE_POST